Apple is preparing a security-focused update with iOS 26.4, and this time the company is not asking users to opt in. Stolen Device Protection will turn on automatically for every iPhone once the update is installed, so the phone protects sensitive data even if someone learns your passcode and physically takes the device.
The change targets a real-world theft pattern in which attackers watched victims unlock their phones in public and then stole the device to access banking apps, saved passwords, and account settings. In response, Apple redesigned key system actions to depend on biometrics instead of only the passcode.
According to Apple’s support documentation, “Some features and actions have additional security requirements when your iPhone is away from familiar locations such as home or work.” The company adds that biometric checks ensure only the owner can make critical changes.
What the protection actually does
Once active, the iPhone blocks many sensitive actions unless Face ID or Touch ID confirms identity, and there is no passcode fallback for these actions:
- View saved passwords and passkeys in iCloud Keychain
- Apply for a new Apple Card or view the virtual card
- Turn off Lost Mode
- Erase all content and settings
- Use payment methods saved in Safari
- Set up a new device using the iPhone
- Certain Apple Cash and Wallet changes
For deeper account changes, the system forces a one-hour delay and asks for two biometric confirmations:
- Change Apple ID password
- Change iPhone passcode
- Turn off Find My
- Add or remove trusted devices or recovery contacts
- Disable Stolen Device Protection
This delay stops thieves who rush to lock owners out of accounts.
How to disable Stolen Device Protection
You can still turn it off manually if the restrictions bother you:
- Open Settings
- Tap Face ID & Passcode
- Enter your passcode
- Tap Stolen Device Protection
- Toggle it off
You can also allow full access at familiar locations like home while keeping protection outside.
Before iOS 26.4, users had to enable this feature manually, and many ignored it because of the extra authentication steps. Apple now treats the trade-off as worth it and ships the feature active by default. The update itself is currently limited to developers, with a public beta expected soon and a wider release planned for spring.