Six Colors

Apple, technology, and other stuff


By Glenn Fleishman

Stolen Device Protection may protect you from accessing your own device

Glenn Fleishman, art by Shafer Brown

You might have noticed that, after installing iOS 26.4, your iPhone is behaving differently. Some actions (like changing your password) require a one-hour wait, followed by biometric authentication. You never had to do this before. Why now? Because with iOS 26.4, Apple has decided to enable its Stolen Device Protection feature on all iPhones. This feature may not make you safer—or feel safer—but it should prevent or severely deter misuse and hijacking of your iPhone and Apple Account.

Alternatively, you may not have noticed this—several sites reported in February 2026, during the 26.4 beta testing period, that Stolen Device Protection was automatically enabled in the update. Or a dark pattern—a user-interface design that pushes you to a particular decision without removing one or more others—may have caused you to opt in. However, I’ve found no confirmation from Apple, nor do various sites that write about Apple have a definitive answer!

So this is a good time to review Stolen Device Protection, whether or not you had it enabled without your permission.

One who steals my iPhone, steals my Apple Account

Months after a report in the Wall Street Journal about multiple people being assaulted or shoulder surfed to unlock a stolen iPhone, and from there to hijack the owner’s Apple Account, Apple added Stolen Device Protection. This feature flipped the script on iPhone authentication, requiring Face ID or Touch ID to access certain features or make significant changes—a passcode no longer sufficed. It also added a cooldown period, requiring a one-hour delay in many circumstances before those biometrically authenticated actions could occur.

The scenarios are very straightforward:

  • Shoulder surfing: You’re at a bar with someone, and a stranger offers to take your picture. You hand them your iPhone, and they make some attempt and say it’s locked. They hand it back and you enter your passcode. Now they take your photo—and run off with your phone, or someone later grabs it when you’re distracted. What might have happened is that they intentionally locked the phone, and a nearby confederate is using their iPhone or another device to zoom in and record high-resolution video of you as you enter your code.
  • Violence: The Wall Street Journal’s account included instances of people being drugged at bars or at people’s homes, then convinced to give out their passcode. If drugging failed, or sometimes instead of it, violence or coercion was used. As recently as February 2025, a news report from Minneapolis quoted both law enforcement and victims.

With a passcode, those with criminal intent can access all sorts of stuff stored on your phone, including bank accounts, and use Apple Pay. What’s worse is that the Wall Street Journal reports documented that with a passcode, a thief or attacker could initiate an Apple Account reset, allowing them to hijack your account, change its password, and render it inaccessible to you—perhaps forever! (Apple is being sued about recovering such stolen accounts.)

Now, it’s unclear how many people suffered this kind of crime. It might have been dozens or hundreds—maybe it was thousands? There’s no comprehensive law-enforcement data, and Apple has offered no insight. Stolen Device Protection can cause minor to major inconveniences, depending on which features you can’t use for an hour, so I assume Apple found the issue significant enough to roll it out in 2024—and to push people to enable it in 2026, if not enable it for them.

Note that this remains an iPhone-only feature, even though an iPad could be exploited the same way. I have to infer either that Apple has had almost no reports of exploitation via iPad passcode theft, or that they are balancing the average iPad user who is out and about with that device against the complexity of managing Stolen Device Protection.

If you have Stolen Device Protection enabled or want to, let’s go over what that entails.

Manage Stolen Device Protection

Screenshot of Stolen Device Protection settings
With Stolen Device Protection enabled, you can opt to have Security Delay in place only when you’re not in a so-called familiar place.

On your iPhone, go to Settings: Privacy & Security: Stolen Device Protection. If it’s disabled and you want to turn it on, you will be unable to do so if you don’t meet a number of requirements:

  • Two-factor authentication on Apple Account: Nearly everyone has enabled this, or Apple has upgraded them to it.
  • iPhone passcode: If you don’t have a passcode, I’m not sure we should be friends anymore.
  • Biometrics: Face ID must be enabled; or, with older iPhones, Touch ID.
  • Significant Locations: A slightly obscure feature, you find this in Settings: Privacy & Security: Location Services: System Services: Significant Locations & Routes.[1] Apple stores this information only on your devices, and uses end-to-end encryption to sync the data among them.[2] You can’t view these locations—only see a few recent ones, and a total number of stored records. You can tap Clear History and confirm to remove them.
  • Find My: Find My has to be enabled on your iPhone, and it can’t be turned off as long as Stolen Device Protection remains on.

Once enabled, you see two options: Away from Familiar Locations and Always. Familiar Locations ostensibly leans on Significant Locations, but I’ll warn you that I have, on multiple occasions, been in my home, a place where I spend a significant majority of my time, and was told by Stolen Device Protection that I wasn’t in a familiar location.

Screenshot of Significant Locations & Routes, showing the setting on and a small map with one of the recent locations.
Significant Locations tracks where you spend time, but I have only visited the location shown once and don’t plan to return.

When you try to carry out certain actions, that’s when the protection kicks in. There are two kinds of deterrence:[3]

  • Biometrics required (always): If you try to use stored passwords or passkeys from the Passwords app, view the virtual card number assigned to an Apple Card or Apple Cash, or try to disable Lost Mode in Find My, among other actions, you must use Face ID or Touch ID. A passcode won’t suffice. If someone stole your passcode and iPhone, they don’t have your face or fingertip.[4]
  • Security Delay: For other tasks, a one-hour countdown timer starts if you have Always enabled, or if you have Away from Familiar Locations set and are away from a familiar location. At the end of that timer, you must use Face ID or Touch ID before proceeding. This includes updating your Apple Account password or signing out of Apple Account on the device, turning off Stolen Device Protection (a little meta, there), or adding or removing Face ID or Touch ID. This makes it much harder for a thief to perform any critical action. In cases of drugging, the thief has sometimes remained in proximity to the victim—why not add light kidnapping to assault?—but that appears to be rare.

I suspect that with Stolen Device Protection, a thief flings the iPhone away as soon as possible, except in even rarer circumstances than the above.

If you’re not typically in environments in which you might be at risk of the specific kind of theft or violence discussed above, Stolen Device Protection can be overkill and a pain. As noted above, I do spend most of my time at my house, working from a home office, and I avoid crowded bars and other venues.

However, if you like the additional protection and are willing to deal with the timeout or location-based iffiness of Stolen Device Protection, turn it on and give it a try, if Apple hasn’t already done so for you or snookered you into it. And you can always turn it off—it just might take an hour.

For further reading

I write about all sorts of security and protection, mostly focused on people having physical proximity to your devices, in Take Control of Securing Your Apple Devices.

[Got a question for the column? You can email glenn@sixcolors.com or use /glenn in our subscriber-only Discord community.]


  1. Prior to iOS 26, the label was just Significant Locations, as Apple didn’t track your routes locally. 
  2. I would love to know why a 7-Eleven I parked near a few days ago appears Significant to my iPhone. I’ve never visited it before. 
  3. See Apple’s support note on Stolen Device Protection for the full list of activities that require biometric authentication, and the ones that have a delay before you can use biometric ID to proceed. 
  4. At least I hope not. 

[Glenn Fleishman is a printing and comics historian, Jeopardy champion, and serial Kickstarterer. His latest book, which you can pre-order, is Flong Time, No See. Recent books are Six Centuries of Type & Printing and How Comics Are Made.]
