Apple and Google have made it so easy to load our entire lives onto our phones while also keeping all that information protected with advanced authentication methods. But there's a crucial weak link that can open up everything within if you're unlucky enough to be watched: the authentication method you use to unlock your phone. We don't want to fearmonger you into any unnecessary action, but with a rise in highly coordinated iPhone thefts in the past couple of years, we do think it's a good idea that you upgrade from a numerical passcode to at least an alphanumeric password.

The Wall Street Journal's Joanna Stern reports this week on an uptick in phone thefts that can involve some level of social engineering that allows thieves to read and remember your passcode — whether it's pure observation of you entering your code in plain view, a sly request to share that photo you just took, or plain coercion, it can happen to anyone.

But swift moves like that aren't just for the sake of reselling your device on the open market: both Apple ID and Google accounts offer an account password reset method that only requires users to pass authentication on their device. Once they gain access to those accounts, thieves can then reach other personal information and use it to raid cloud storage, siphon from bank accounts and credit lines, and even defraud others with that stolen identity, all the while blocking the victim from regaining control because all the account information has been changed.

This is a trend that's difficult to quantify, and while iPhone ownership can be part of the stereotype of a high-value target, we're likely not getting the full picture strictly from what Stern is reporting through her police contacts and those who have shared their stories.

Whatever the stats are on Android device thefts, you should know that the same essential exploit is also present on Android phones: as the esteemed Mishaal Rahman points out, thieves can gain control of victims' Google accounts by going through the password reset flow and authenticating with their device's passcode.

Beyond the steps Rahman describes, malicious actors may also be able to pass a second authentication factor, if one is required, by choosing the "Tap Yes on your phone or tablet" method: the prompt is sent to the very device in their hands, and the Google app flow detects the approval, passing the check.

It doesn't matter if you opt for facial recognition or a fingerprint scan because those methods can fall back to either a passcode, a password, or a pattern lock. So, our best advice to you at the moment is to upgrade your device passcode or pattern lock to an alphanumeric password.

We know it's not a pretty thought, especially because, in addition to being one of those things you can't hand off to a password manager or authenticator app, this will be yet another primary password you'll need to remember, with all the pitfalls that come with complexity and memory. It'd also be ironic and tragic if thieves could overcome the best password you can keep in your head that isn't 5aP9had^Q or something like that. At the very least, Apple and Google should not be accepting basic single-device authentication methods as checks on resetting account passwords.

We asked Google for comment on the matter, and here's what a company spokesperson told us:

We are always looking for ways to improve account security for users to help keep sensitive data and access safe from criminals.

Our sign-in and account-recovery policies try to strike a balance between allowing legitimate users to retain access to their accounts in real-world scenarios and keeping the bad actors out. Physical possession of a phone and knowledge of the passcode are - in general - strong signals of device ownership that we use daily to thwart attacks on user accounts and to help legitimate users regain access themselves in common scenarios, like forgetting their account password.

Google Account Recovery flows also have reasonable time-limited protections against hijackers changing passwords or recovery factors set up by the legitimate users - provided users have set up a recovery phone and/or recovery email.

To mitigate issues from potential physical device and PIN theft, our recommendation for users remains to ensure they have enabled 2-Step Verification and set up a recovery phone and email before an event occurs. On the device, users can also select an alphanumeric password to increase the difficulty of access for criminals. We also recommend utilizing biometric authentication as much as possible to make it more difficult for criminals to gain knowledge of PINs.

For additional information on how to keep your Google account safe on your Android phone, we recommend visiting our Safety Center and reading our guidebook on this topic.

Oh, and one last piece of advice from us: buy a YubiKey.

UPDATE: 2023/02/27 15:51 EST BY JULES WANG

Comment from Google

We've updated this story with a comment from a Google spokesperson.