by crazygringo 1198 days ago
Can the submitter provide a summary? Unlike a text article, you can't quickly skim a 9-minute video to figure out its main point.
4 comments

Summary:

Due to the complexity and recursive nature of modern digital authentication, it turns out that often all that is really really actually protecting a user's identity at the end of the day is a 4-digit PIN code that they happily type in front of anyone and everyone hundreds of times per day.

An attacker with knowledge of someone's PIN can use it to gain temporary access to a user's device, and then they have both auth factors necessary for a complete takeover of the account associated with the device, which is very often being used as the IdP for many other accounts and services. Commence lateral movement.

It's plainly evident to anyone with half a brain that a two factor scheme that authenticates the second factor with the first factor is not, in fact, a two factor scheme. When the first factor is so weak that it can be broken by looking at some smudges on the screen, well, here we are.

But consumers are idiots, and if you actually forced them to use proper authentication schemes then most people would simply lock themselves out of everything and lose all of their data permanently multiple times per year. As a practical matter, I don't really see a good way to overcome user irresponsibility.

Does the video claim this is unique to Apple/iPhone in any way?
The journalist interviews a police chief in the video who claims "99% of these cases" involve an iPhone rather than Android.
If that's true (the 99% claim), then I doubt that's for any technological reason.

Thieves would simply target people with iPhones because they're more likely to have money, and in particular people with the newest flagship iPhones.

Thieves are watching people input their PINs into phones and then stealing the phones. They can then gain access to any apps that use the "sign-in with Apple" feature that uses Face ID or PIN to log in instead of the app's own login.
> uses Face ID or PIN to login

I just tried this and neither LastPass nor any of my banks accept PIN. It’s FaceID or the full 3rd party password only.

Is this a real issue? What banks and password managers allow PIN? Only Apple's built-in manager?

I think it's only Apple's built-in password manager that's susceptible to this.
1) Criminals work in groups to steal iPhones. One person will watch you or take a video of you entering your passcode, another person will snatch the phone from you.

2) Within 3 minutes, the criminals will use the phone passcode to reset your Apple ID password, change the trusted phone number of your Apple ID, and set a recovery key.

3) Now they can deactivate "Find my iPhone"

4) And they can log out all your other devices, lock them, or even erase them remotely

5) Now you have no way to access your iCloud account, and the thieves have completely taken over your digital identity

6) Using passwords saved on the phone, and with SMS 2FA, they can now transfer money from all your accounts

7) Using other data stored on your phone (e.g. in photos), they can apply for an Apple Credit Card and use that to steal more money from you

Joanna Stern recommends these steps:

1) Use a complex passcode

2) Use a 3rd party password manager with a different passcode

3) Check your photos to make sure there are no photos of sensitive documents

So the 6 digit iPhone passcode overrides the iCloud master password? That's insane.
Yeah, I don't understand why Apple would even know my iPhone passcode.

I always assumed it stayed on the device.

It does stay on the device; the iPhone passcode is entered and authenticated locally, then the iPhone authorizes the AppleID password change since you're "authentic."
A 6-digit iPhone passcode can open a treasure box. Never store bank passwords in the iPhone password manager.