Security, like privacy, is always at war with convenience. You want to be able to get to all of your stuff, all the time, as quickly and easily as possible, but you don't want anyone else to get to any of it, at all ever. But the easier you make it for you, the easier you make it for them. And the harder you make it for them, the harder you make it for you. Touch ID, Face ID, iCloud Keychain, AutoFill — there are tools Apple and others provide to try to better balance security and convenience, but they all have their trade-offs.
You might think that's just great. You have nothing to hide on your phone or tablet or computer, so if you can keep casual snoopers out but still get in right quick, so much the better. If that's cool, keep it cool.
If you have a real or philosophical need to lock your tech down stronger, better, smarter, longer; if you think your phone is the closest thing to a digital brain, extra-cranial storage, and cybernetics that currently exists and should be afforded the same rights against self-incrimination that biological memory enjoys; or if you have medical, legal, clerical, or journalistic information on it that can simply never fall into any unauthorized hands, then I've got some tips for you.
Just to be clear — these aren't privacy tips. I've covered those in a previous video. These are security. These aren't ways to prevent leaks but ways to lock everything down so only you can get to it — barely.
Use a password instead of a passcode
4-digit passcodes are like no passcode at all. 6-digit passcodes are better, but not significantly. If you want to really lock down your device, use an alphanumeric passcode. Thanks to Touch ID or Face ID, you won't need to enter it unless you reboot, fail 5 times, or haven't authenticated for 48 hours. Or, you know, Touch ID or Face ID fails you…
You can switch to a password by going to Settings > Touch ID or Face ID & Passcode > Change Passcode > enter your old passcode > then tap Passcode Options and Custom Alphanumeric Code.
Enter your code. Fill it with upper case, lower case, numbers, and symbols, and make it as long as you can remember. You'll be entering it often enough that it should become muscle memory for you, but almost impossible for even one of those code-breaker boxes to brute force before the heat death of the known universe.
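To make the 4-digit versus 6-digit versus alphanumeric comparison concrete, here is an added example (not from the original post) that estimates the search space of a candidate passcode from the character classes it uses and flags the weak patterns the text warns against. The guess rate is an assumed, illustrative constant, not a measured figure for any device or cracking box.

```python
import math
import string

# Assumed offline guess rate for comparison only (illustrative, not measured).
GUESSES_PER_SECOND = 1_000_000

CLASSES = {
    "lower": set(string.ascii_lowercase),    # 26
    "upper": set(string.ascii_uppercase),    # 26
    "digit": set(string.digits),             # 10
    "symbol": set(string.punctuation),       # 32
}

def classes_used(code: str) -> set:
    return {name for name, chars in CLASSES.items() if any(c in chars for c in code)}

def alphabet_size(code: str) -> int:
    # An attacker must cover the union of every class that appears in the code.
    return sum(len(CLASSES[name]) for name in classes_used(code))

def entropy_bits(code: str) -> float:
    size = alphabet_size(code)
    return len(code) * math.log2(size) if size else 0.0

def worst_case_seconds(code: str, rate: int = GUESSES_PER_SECOND) -> float:
    # Time to exhaust the whole space at the assumed rate.
    return alphabet_size(code) ** len(code) / rate

def is_sequence(code: str) -> bool:
    # Flags runs such as "123456", "abcdef" or "654321".
    steps = {ord(b) - ord(a) for a, b in zip(code, code[1:])}
    return len(code) > 2 and steps in ({1}, {-1})

def assess(code: str) -> dict:
    problems = []
    if code.isdigit():
        problems.append("digits only: this is a PIN, not a password")
    if len(code) < 8:
        problems.append("shorter than 8 characters")
    if len(classes_used(code)) < 3:
        problems.append("fewer than three character classes")
    if code and len(set(code)) == 1:
        problems.append("single repeated character")
    if is_sequence(code):
        problems.append("sequential characters")
    return {"bits": round(entropy_bits(code), 1),
            "worst_case_seconds": worst_case_seconds(code),
            "problems": problems, "ok": not problems}
```

A 4-digit PIN falls in a hundredth of a second at the assumed rate, while an 11-character mixed-class code comes out near 72 bits, which is the gap the text is describing.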
Disable Biometrics occasionally or fully
Security is complex. You want defense in depth. A password is something you know. Biometrics is something you are: your fingerprint, your facial geometry. It lets you get in without having to type anything, but it can also be used against you. If you fall asleep or are restrained, your finger can be pressed to the sensor. Likewise your face to a camera.
If you're traveling in an area or going into or across a location you don't trust, you can temporarily disable biometrics by holding down either volume button and the side button on your phone.
Squeeze for a second, and you're back in pre-board mode: Nothing but your newly strong alphanumeric password will let you or anyone else back in. Keep holding it, and it'll sound an alarm and call 911 or the equivalent number in your area.
If you're really concerned, you can even go into Settings > Touch ID or Face ID & Passcode > and turn off Touch ID or Face ID while you're crossing a border, going through a security checkpoint, or traveling through a potentially problematic area. Then, when you're done, you can re-register your fingerprint or face for everyday use again.
You can also turn off AutoFill, if you usually keep it on, so none of your data is offered up even if someone, somehow, gets your device unlocked.
Extreme? Maybe. Extremely careful, definitely.
Turn on (real) two-factor
A password is something you know. Biometrics is something you are. Two-factor is something you have. By turning two-factor authentication on, you reduce the risk of someone breaking not into your phone but into the data accounts you have on your phone — iCloud, Google, Dropbox, etc.
It means that, if you made the mistake of using the same password for multiple services or using an easily guessable or researchable password — things you should never, not ever do — and someone gets a hold of it through hacking or social engineering, they still can't get into your account because they only have the first factor, not the second.
Now, not all second factors are created equal. Physical tokens like security keys are the best, but not every service supports them. Virtual tokens are in the middle. SMS tokens are the worst. So bad, I'm always tempted to avoid them completely.
If your service offers a physical or virtual token, though, use it. You typically only have to enter it once per device or browser, but so would anyone else. And they won't have it.
Secure your backups
Backups are great. Everyone should have them. But they're better for keeping your data safe than keeping it secure. I already did a whole video explaining the difference between people who need to protect their data from loss vs. theft, so I'll link to it below.
For most people, most of the time, just turn on automatic cloud backups and leave them on. If you're less worried about keeping copies of your photos and documents, and more worried about someone else seeing your photos and documents, you're going to want to be careful about where and how you back up.
Backing up to the cloud… the cloud just means someone else's computer. And a copy of your data on someone else's computer means, theoretically, someone else can get to it.
If you want to avoid that, make local backups instead. It's not automatic. It takes more work to do them and even more work to keep copies off-site. But, plugging your device into your computer and making an encrypted copy means no one else can go anywhere else to get that data, and even if they come to you, without the password it's just pseudo-random gibberish.
There's a lot more to security than just locking things down. It's less a state of data and more a state of mind. Never clicking on links you get in email or through messaging services. Never giving your password to technicians, real or pretend, on the phone or at service centers. Avoiding apps and services that want your logins, both legitimate and scams.
It can be a real pain, but once you know your own comfort level — and threat level — you can make the best, most informed decision for you.