[threeseed]

If the service is down then how would the validation happen. Or if you just allow stolen components to be accepted whilst the phone is unvalidated then state security services will just DDOS the service. They would love to be able to swap out a screen and gain access to the password for journalists, dissidents etc.

And you can't bypass the current pairing check since it is happening before the OS is launched.

[dns_snek]

I'm sorry but that's just a fairytale. Nobody is going to go through a 10 step process that hinges on someone's phone being stolen and returned without their knowledge while successfully pulling off a DDoS attack against one of the most powerful corporations on the planet that's already facing constant cyber threats.

Extremely relevant: https://xkcd.com/538/

They'll just use a 0-day exploit or a $5 wrench.