On Sunday morning, I received an early phone call from the son of a client, informing me that his father, my client, had passed away. It was sad news, but not shocking; he had been ill for some time. The primary reason for calling me, however, wasn’t just to inform me of the loss. The son was locked out of his father’s iPhone, where critical documents and photos were kept. And despite having worked with me earlier to document his passwords for services like Netflix and Gmail, my client never shared with me the PIN to unlock his iPhone.
When we set up devices like smartphones, we are typically asked to enter a small (usually 4- to 6-digit) sequence of numbers. This is our Personal Identification Number (PIN), required to unlock the phone. Newer models add to this security by incorporating biometric methods like fingerprints and even facial recognition; but at the end of the day, that PIN is still there, keeping that critical data safe.
For more, here is Apple’s page: “Use a passcode with your iPhone, iPad, or iPod touch.”
In many cases, users can “opt out” of assigning a PIN to their phones; but by default, the step of setting up a PIN is part of the “new phone setup” process. At that point, we just type in whatever number we usually use, and we almost never write that number down.
Don’t laugh; yours probably isn’t that much better.
I have clients who type their PINs so often and so rapidly that the process is now muscle memory. If asked what that number is, they actually have to take a moment to recall it.
Instinctively tapping the keys in the correct pattern may make for a speedy unlocking process, but it does nobody any good if the phone’s owner takes that PIN to the grave.
When Syed Rizwan Farook died in a battle with police following his December 2015 terrorist attack in San Bernardino, the first course of action the police took was to attempt to unlock his iPhone, hoping to learn more about his motivations for killing 14 people and injuring 22 more. Unfortunately, the iPhone’s security measures meant that they would not be able to get in through conventional methods.
From the Wikipedia article on the attack:
On February 9, 2016, the FBI announced that it was unable to unlock one of the mobile phones they had recovered because of the phone’s advanced security features. The phone was an iPhone 5C. … The FBI first asked the National Security Agency to break into the phone, but the NSA was unable to do so. As a result, the FBI asked Apple Inc. to create a new version of the phone’s iOS operating system that could be installed and run in the phone’s random access memory to disable certain security features. Apple declined due to its policy to never undermine the security features of its products.
The struggle between the authorities and Apple led to a public debate over safety vs. privacy, one that continues to this day—despite the FBI eventually employing third-party methods to unlock the phone.
If even the FBI has to undertake extraordinary measures to unlock a phone, it’s not going to be any easier for a layperson—and certainly not a layperson who is also coping with the death of a loved one.
While my client’s son had been led to believe that he might be able to convince Apple to unlock the phone by presenting them with a death certificate, I’m honestly not so sure. This relevant 2013 discussion on the Apple Communities page goes into detail on why the system works the way it does, and why it’s not as simple as having the store “unlock” it, the way they can unlock, for example, a Macintosh computer.
For the record, this is NOT how you get into a Mac without a password.
The lesson here is that a PIN is just as important as every other password you use on a daily basis, if not more so. So when you’re compiling your list of passwords (and here’s my article about how and why to do so), start by writing down all your PINs.
Your loved ones will thank you for sparing them that extra grief.