Naked Security

iOS 9 enhances two-factor authentication, introduces 6-digit passcodes

Apple announced on Monday that iOS 9 will have native two-factor authentication as well as (slightly) more secure passcodes.

Apple. Image courtesy of Lester Balajadia/Shutterstock

Amid the vast array of changes announced for iOS 9, Apple has included two enhancements for security – the introduction of 6-digit “simple passcodes”, as well as two-factor authentication (2FA) that is built into the operating system.

The change from 4-digit passcodes (which can still be used, even though we wouldn’t suggest it) to the lengthier alternative is significant because it greatly increases the number of possible combinations, raising the total from just 10,000 to a far healthier 1 million, a change Apple says will make passcodes “a lot tougher to crack”.

While brute-forcing an iOS device sounds unlikely, it is possible, as we learned back in March with the news of a Black Box designed for doing exactly that.

With the ability to power down an iPhone before it could add to the failed passcode attempt count (you can set your iDevice to erase itself after 10 failed attempts), the device could endlessly guess passcodes until it found the correct one.

As part of the article we wrote at the time, Paul Ducklin explained how a determined cracker could break a 4-digit passcode in less than 5 days, assuming that the device didn’t erase itself along the way. 

With a 6-digit passcode increasing that one hundredfold, the amount of time required would increase to more than a year, which is probably sufficient to dissuade all but the most determined of PIN bashers.

Nevertheless, as part of our 10 tips for securing your smartphone guide, we suggest treating 6 digits as an absolute minimum, and we also recommend that you consider a passphrase (allowing you to use both letters and numbers for greater variety) instead.

→ We explain how to choose and set passcodes (and the equally important lock-screen timeouts) in our recent article Why you shouldn’t worry about privacy and security on your phone.
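The arithmetic behind the figures above, extended to passphrases and to the erase-after-10-attempts setting, as an added example that is not from the original article. The guess rate is an assumption derived from the article's "less than 5 days" for all 10,000 4-digit codes, and the function names are illustrative.

```python
# Assumption: "less than 5 days" for 10,000 codes implies at least
# 10,000 / 5 = 2,000 guesses per day. Derived from the article, not measured.
GUESSES_PER_DAY = 10_000 // 5


def keyspace(alphabet_size, length):
    """Number of distinct codes for a given alphabet and length."""
    return alphabet_size ** length


def days_to_exhaust(alphabet_size, length, guesses_per_day=GUESSES_PER_DAY):
    """Days needed to try every code when the attempt counter is bypassed."""
    return keyspace(alphabet_size, length) / guesses_per_day


def hit_chance_within(attempts, alphabet_size, length):
    """Chance that `attempts` distinct guesses include a uniformly random code.

    Models the case where the failed-attempt counter works and the
    device erases itself after `attempts` wrong guesses.
    """
    return min(1.0, attempts / keyspace(alphabet_size, length))


def min_length(alphabet_size, target_days, guesses_per_day=GUESSES_PER_DAY):
    """Shortest code length whose full search takes at least target_days."""
    needed = target_days * guesses_per_day
    length = 1
    while keyspace(alphabet_size, length) < needed:
        length += 1
    return length


def report():
    """Compare passcode policies: (name, keyspace, days, 10-try hit chance)."""
    policies = [
        ("4-digit PIN", 10, 4),
        ("6-digit PIN", 10, 6),
        ("6-char lowercase+digits", 36, 6),  # constructed passphrase policy
    ]
    return [
        (name, keyspace(a, n), days_to_exhaust(a, n), hit_chance_within(10, a, n))
        for name, a, n in policies
    ]


if __name__ == "__main__":
    for name, space, days, chance in report():
        print(f"{name:24} {space:>13,} codes {days:>12,.0f} days  {chance:.5%}")
```

The last column shows why the erase-after-10 setting matters: with the counter intact, ten guesses cover 0.1% of 4-digit codes and 0.001% of 6-digit codes.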

Besides passcodes, Apple will also be improving two-factor authentication with the release of iOS 9, saying:

A password alone is not always enough to keep your account secure. With two-factor authentication, when you sign in from a new browser or on a new device, you’ll be prompted for a verification code. This code is automatically displayed on your other Apple devices or sent to your phone. Enter the code and you’re quickly signed in — and any unauthorized users are kept out.

The company originally introduced 2FA in March 2013 – but only for some types of accounts – before later adding support for iCloud and subsequently also for iMessage and FaceTime.

Further details are sketchy right now but the company has revealed that two-factor authentication will be integrated within both iOS 9 and OS X 10.11 El Capitan.

Beyond enhanced passcodes and two-factor authentication it looks as though Apple will also be introducing at least one other interesting feature.

An image on the iOS 9 preview page shows a pop-up box warning the user that their iPhone Apple ID is being used to sign in from another device – in this case another iPhone – and gives the option to allow or block it. The prompt also advises which account is being accessed as well as providing a map to show where the second login is coming from, too.


Such a scheme could be useful for parents who allow their children to share their accounts, allowing them to quickly determine whether the attempted account access is coming from a person and device they trust or a potentially malicious third party.

Interestingly, these changes come at a time when governments and civil rights groups continue to debate the topic of encryption and how it applies to devices such as those manufactured and marketed by Apple.

Politicians such as US President Obama and British Prime Minister David Cameron appear to want to do away with consumer-level encryption, complaining that it makes tracking terrorists and criminals that much harder.

Meanwhile, the tech industry continues to lobby for the rights of its customers, something Apple itself began championing last year when it published a new privacy promise in which it declared it no longer had the ability to bypass the passcode on any of its devices running iOS 8 or later.



They still haven’t added Bio-metrics + PIN/PW?

I know. I know. The fingerprint scanner can be “easily” fooled. But why is this still not a thing?

I contacted them, with the release of the iPhone 5, about this… It isn’t for everyone, but for those who want a more secure device… why not? How difficult would it be to require the fingerprint + the PIN? (reserving a PW fail safe (probably AppleID) for fingerprint ID failure)

You could already increase the PIN, by using the regular PW and just using numbers. I don’t really understand what this change does. If the 4-digit PIN is still an option, the status quo hasn’t changed.

Mixing Bio-metrics with a PIN/PW makes everything that much more difficult to crack. It combines two forms of identifiers. (Who you are and what you know.)

The 2FA changes are situational. For singles, how many carry two devices on them at all times? Sure, it is fine at home or maybe the office. It works for parents with concerns over their child’s usage. Or couples (when they’re physically at the same location), but what if you’re cities apart?

I’d much rather have my device check my fingerprint, to authorize entering the PIN/PW, and upon repeated failure (just prior to wiping the device.. since that is my setting) ask for the complex AppleID password associated with the device.

I don’t understand the “Ooh-rah” and pat on the back, over adding two digits to the PIN.. especially when it is optional AND anyone inclined to do so, already had that option.


I completely agree with this, even though I’m not an Apple user.

I love the idea of fingerprint authentication, but not if it’s fingerprint OR PIN.

As you said, something you have AND something you know.

Unlikely situation, but say you’re attacked and knocked unconscious. They can use your fingerprint to unlock the device and they’re in.

Also I can never log in with Facebook to post my comments. I always get “login expired”. Can you please check this?


Hi Shaun, Sorry to hear about the comments issue. We’ll look into it and will let you know when it’s fixed.


Dear Lee

Thank you for your excellent article.

Since my only device these days is an iPad… due to retiring my old laptop as it was Windows XP!… I always am excited when I read news of new updates or other features from Apple.

Whilst I changed to a longer passcode some time ago due to knowledge acquired from Naked Security, some of my friends have been using the basic passcode. One friend I saw today told me that this article gave her the nudge to remember to make the change to a more complex passcode.

So I think if just one person is helped for the better with this article… Well, that to me is a win!

I’m excited by this article and in particular I understand with the update all Apple users will be operating with a more complex or at least longer passcode.

I also love the idea of that pop-up box warning. Fantastic!

With sincerest wishes


