TL;DR
Turn ON multi-factor authentication (MFA) for all accounts supporting it.
Turn ON Face ID and auto-lock for every single app that supports it.
Turn OFF Face ID for unlocking phone (access home screen).
Turn OFF email “MFA” wherever possible (it’s not MFA).
Record hard copy recovery codes in a consolidated place.
Move over authenticator app codes to new phone.
Memorize your iCloud password.
Summary
Welcome to 2024! At the end of last year, I bought a new iPhone and went through my annual personal security audit. Focusing on my mobile device, I’ll go through the steps I took and provide the security rationale for them.
1. Turn on MFA for all accounts supporting it
This should be an obvious one, but I always find that I have missed MFA for an application or two, or that it was not previously supported and now is. Frankly, it still amazes me how many sites don’t offer this (or even an OAuth login option using Google, etc.).
2. Turn on Face ID and auto-lock for every single app that supports it
I turn on Face ID for all applications (especially financial ones, etc.) in case my unlocked phone gets grabbed from my hands. That’s because thieves are getting very savvy and understand under what circumstances they can access your data.
And logging into every app isn’t a huge pain when using FaceID.
Unfortunately, the default Apple Mail app, and many MFA authenticator code apps, do not support use of Face ID. That’s why I use a separate email account and service for password resets, whose app does support this key feature.
3. Turn off Face ID for unlocking my phone (access home screen).
I turn off Face ID for unlocking my phone because I don’t want it to be unlockable without my conscious involvement (it only accepts my code). This is dependent on personal preference and your threat model. I wouldn’t begrudge you if you turned Face ID on here.
4. Turn off email “MFA” wherever possible (since it's not MFA) and where there are other options
Many apps, including those of financial institutions, allow or even rely solely on what they call “MFA” but is really single-factor authentication in practice: sending you an email to confirm your login. This is certainly better than nothing, but it isn’t that great, because someone who controls your email can usually reset your password (the reset link goes to the same mailbox) and then receive the verification code there as well. One compromised mailbox yields both “factors.”
Thus, wherever I have better options (authenticator apps, SMS, etc.) I disable the ability to use email verification.
If it’s the only option, then I keep it on.
5. Record hard copy recovery codes in a consolidated place
When you configure MFA on many apps, at the end they will give you one or more one-time use codes that allow you to log in if you ever lose your MFA device(s). I print these out and store them in a secure physical location. I wouldn’t recommend traveling with these, as there isn’t really any way to protect them from disclosure while on the move. And you would likely need to carry a whole book of them around.
6. Move over authenticator app codes to my new phone.
This one is tricky, because most services that support MFA do NOT let you enroll more than one authenticator device: the setup QR code is shown once during enrollment and then never again.
If you don’t plan carefully, losing your phone could potentially be a (digital) extinction-level event, because you'll be locked out of your accounts. Even if you have a recovery code at home, you’ll be out of luck if you are on the go. The trick is to get at least one secure backup device (like an old phone) with your codes. Here's a hack:
Reset (re-enroll) MFA for the service using a normal authenticator app, so it shows a fresh setup QR code.
Scan the QR code with your 1st phone.
Wait for the code to expire normally.
Scan the same QR code with phone 2 (immediately, before the page is dismissed).
Enter the MFA code into the app to finish enrollment.
This works because the QR code encodes a shared secret, not anything tied to the first phone; every device that scans it generates identical codes. For the same reason, never let the QR code be photographed or saved anywhere you wouldn’t keep a password. If you are like me and have a lot of MFA codes, unfortunately this will take a long time. But the good news is that now you’ll have two devices that you can travel with and that both have your MFA codes. Keep the spare in a hotel safe (off or at least locked), and you’ll be able to recover from losing your primary.
Things I don’t do with my phone
MFA cloud sync
An alternative option would be to use a cloud sync capability for your MFA codes, like Duo or Google offer, but this exceeds my risk appetite because:
My password manager is halfway to being a single point of failure (but isn’t entirely because of MFA). As we know, these can get breached.
Having a centralized, remotely-accessible repository of my MFA codes is also halfway to being a single point of failure.
Using creative math, combining them creates a single point of failure.
Use hardware keys
I know some folks use YubiKeys or similar hardware security devices. I agree these are the most secure option because they are phishing-resistant. But I view the likelihood of loss as too high, and my data availability needs are more important to me. I view getting locked out of my data due to lost keys as an unacceptable risk.
Additionally, I feel like the likelihood of me getting tricked into sending my MFA code to a malicious actor is low and I don’t generally use push alerts so it’s unlikely I’ll get fatigued into approving.
The risk of loss also has confidentiality and integrity concerns.
Your iPhone has an extremely resilient geolocation capability (Find My), and thieves are likely to try to extract as much data as possible (hopefully little to none if you follow the above) and then quickly ditch it. Hardware security keys, however, have no geolocation capability, and anyone who recovers one can attempt to exploit it at their leisure (though in the usual second-factor setup they would still need your password, and PIN-protected keys lock after repeated wrong PIN attempts).
Again, personal choice here.
Lockdown mode
This is too extreme for me. And that’s how Apple describes it:
Lockdown Mode is an optional, extreme protection that’s designed for the very few individuals who, because of who they are or what they do, might be personally targeted by some of the most sophisticated digital threats. Most people are never targeted by attacks of this nature.
By blocking certain types of attachments and inbound transmissions, it could conceivably reduce the effectiveness of zero-click and sophisticated social engineering attacks. But I don’t think I’m important enough to use one of these exotic vectors against, so the reduction in functionality is too much of a sacrifice for me.
7. Memorize your iCloud password
It should be long, but if your device gets stolen you'll need your password handy to locate, lock, or wipe your device from Find My (you don't need your MFA device, which is the stolen phone, to do these things).
This is one of the few exceptions in terms of password complexity: because you’ll need to remember it, it can’t be a random set of alphanumeric characters. Compensate by making it very long, for example a passphrase of several unrelated words.
Being friends with a few cops, I know that 99% of the time someone comes up to them saying “someone stole my iPhone!” the victim doesn't remember their password, so the police cannot geo-locate it immediately (they can later, but that requires working with Apple, and by that time a lot of damage can be done through account takeover, etc.).
Thanks to everyone who commented on my LinkedIn post on this topic. I have expanded on it here to address some of the common questions and suggestions.
I do prefer email MFA over SMS MFA. I feel I have more control over my email access than the customer service at my cell phone provider.