Recently both Apple and Google have come under fire because of a setting that allows a person to reset the respective account for a phone once the phone is unlocked.
The Android particulars are that you can use your unlock method to pass a challenge that lets you reset your Google password. This would give someone who has your phone access to your Google account if they know how to unlock your phone. Of course, they had to know how to unlock your phone to even get there.
Many people feel like this is a bug or a flaw. It's not. I'm not too fond of the idea of automatically making every phone I'm signed into a trusted device, but this is a convenience setting and not a bug. To Google, keeping others out of your phone and personal business is more important than making everything more accessible once you have logged in. It's a typical trade-off between convenience and security, and we see it everywhere in all companies.
Basically, you can use features like this to help you keep track of everything or you can try and manage it all yourself with no help from your phone. Google knows which way is easier, and in the end, what is easy is what we'll use and thus it's more secure.
It all boils down to one thing — you need to have a strong screen lock.
Nobody can tell you which screen unlock method is best for you, but as long as you're not relying on Android's face unlock (unless you still use a Pixel 4) it's pretty secure.
Yes, things like a six-digit PIN are more secure than a four-digit PIN, and using a password is even "better", but what works best for you is the method you are willing to use. For most of us, that's a fingerprint, and that's good enough.
I know, I know, someone could chop off your finger or force you to tap the screen, but if faced with the idea of losing a finger, most of us would hand over a long, complicated password immediately anyway. I would, because I like having all of my fingers. I'll also add that a fingerprint is your username and should never be used as something you may need to change, like your password. But it's something people will use because it is easy.
Once someone is in your phone, changing your Google password isn't the only thing you need to worry about. A person with access to your phone has access to your email (which can also be used to reset your Google account password), your bank app, which probably uses SMS or email to authenticate, your Amazon account and the associated payment methods, and anything else that requires a password that's cached to make it easy and fast to sign in.
That pesky convenience versus security thing is everywhere, especially in your web browser. Again — it's assumed that you control access to the actual device and that you're using a strong unlocking method. Do you really want to have to log into Gmail or Twitter or Facebook every time you open the app? No, you don't. Even I don't.
I don't expect Google or Apple to change things so you can no longer use your phone to pass a security challenge. In fact, I see things moving in the other direction now that your phone is also a two-factor authentication key. As for what we need to do, nothing has changed:
- Use a good password that has upper and lower case letters, numbers, and a special symbol or two like & or } for accounts that can be set with a password.
- Use a different password for everything.
- Change your passwords regularly.
- Use 2FA with every service that lets you.
- Use a password manager if you need one.
- Make sure your screen lock isn't easy to bypass.
One last bit of advice and a thing to remember is that Apple and Google have excellent software that lets you track and remotely erase a lost or stolen phone.
Make sure you try it at least once so you know it's working and don't be afraid to use it to wipe a lost phone once you're sure it's lost or stolen and not just down in the space beside your car seat or in your desk at work.
Phone security isn't hard and you don't have to be anyone special to need it. Someone will always be happy to drain the last $80 out of your bank or run your credit card up via Amazon if they can.