Apple’s introduction of a fingerprint sensor in the iPhone 5S has made a lot of people reconsider whether they should be locking their iPhones or iPod touches with a passcode. For those who bought the 5S, turning Touch ID on has been a pretty easy decision: it works well enough that it’s not a hassle even for people who had never before passcode-protected their phones.1 Regardless of whether you have Touch ID, though, should you be locking your phone so that some random person who picks it up can’t use it? I say yes.
Let’s consider what could happen if someone swiped your phone and you hadn’t set it to require a passcode (or a fingerprint). The most likely outcome is that your drinking buddies just try to embarrass you on Twitter.
Another possibility is that for whatever reason, the person who steals your phone is targeting you personally and wants to screw your stuff up. (Unlikely, sure, but it does happen.) If they have unfettered access to your phone what can they do? Well, they also have unfettered access to your e-mail. There may or may not be sensitive messages in your mailbox,2 but the real problem is the password reset process. If you have access to someone’s e-mail, you can use websites’ password-reset facilities to gain access to their accounts and lock them out.
Maybe you’re clever and techy and you have two-factor authentication enabled on some of your accounts, but what’s the second factor (the “something you have”)? It’s probably your phone, right? Whether you receive the code as a text message or through an app like Google Authenticator or Authy, someone with access to your phone is going to breeze through the most common form of two-factor authentication. (It’s possible to set a passcode in Authy even if you don’t require a passcode to unlock your phone, although your non-two-factor accounts would still be vulnerable.)
There are a couple of caveats here. Some people don’t have their e-mail set up on their phones at all, in which case nothing I said above applies. There are also people who have their main e-mail account set up on their phone but who use a different one for password resets; that setup would mostly take care of this issue.
If you were to lose your iPhone you could remotely lock and wipe it, and if you were able to do it quickly enough the thief wouldn’t have time to mess anything up. (On the other hand, they might manage to use the same facility to erase your Mac before you get the chance to erase your phone. That’s what happened to Mat Honan.) I view locking my phone as a form of insurance: it’s a small annoyance each time I turn my phone on, but if my phone is ever stolen the annoyance will have been worth it.3
Of course there are caveats to Touch ID. It frequently takes me two or three tries to unlock my phone. It’s not too hard to make a fake finger if you have someone’s phone and their fingerprint, so if you’re already using a long password on your phone you probably won’t be gaining security by switching to Touch ID. And some people are worried that the switch from a passcode to a biometric token may present fifth-amendment issues. ↩︎
At 54 minutes into episode 32 of Accidental Tech Podcast, John Siracusa said, “I never understood the people who did passcodes while they were in their house. It’s kind of like going room to room in your own house and each time you go from room to room you lock the door with a key behind you.” I get that, but the alternative would be to remember to enable the passcode each time you leave the house (and disable it each time you return). That’s a more involved process and you’re liable to forget to do it. For me, just entering the passcode every time is preferable. ↩︎