Apple has rolled out a critical security enhancement in iOS 26 that directly addresses a significant weakness exploited for digital identity theft. The update hardens the security of eSIMs by making biometric authentication mandatory for transfers when Stolen Device Protection is active.
This surgical change effectively closes a loophole that allowed thieves with a stolen iPhone and its passcode to hijack a victim’s phone number, a crucial step in taking over their entire digital life.
Closing a Critical Security Gap
Your phone number often serves as the master key to your online accounts, used for password resets and two-factor authentication codes. A common theft scenario involves a criminal observing a victim enter their passcode before stealing their device.
With both the iPhone and the code, the thief could previously use the eSIM Quick Transfer feature to move the victim’s phone number to a device they control. This SIM-swap attack is the gateway to intercepting security codes and compromising everything from bank accounts to email.
With the release of iOS 26, Apple has neutralized this specific attack vector. When a user has Stolen Device Protection enabled, any attempt to initiate an eSIM Quick Transfer will now require a successful Face ID or Touch ID scan. Crucially, the system no longer offers a passcode as a fallback option for this sensitive action, making a stolen passcode worthless for hijacking the phone number through this method.
How It Works with Stolen Device Protection
This new security measure is not a standalone setting but rather an integral extension of the Stolen Device Protection (SDP) framework. Introduced in a previous update, SDP is designed to protect users if their iPhone is stolen and the thief also knows the passcode.
When enabled, it requires biometrics for sensitive actions like accessing saved passwords or changing security settings, often adding a time delay for extra security when away from familiar locations.
The eSIM transfer process is now officially part of this protected set of actions. To benefit from this feature, users must have Stolen Device Protection turned on in their Face ID & Passcode settings. Once active, the user experience is seamless but far more secure. The transfer prompt will simply ask for a biometric scan, and without it, the process cannot continue.
Practical Implications for iPhone Users
For the vast majority of users, this change adds a powerful layer of security with minimal friction. However, it underscores the importance of maintaining good digital hygiene.
All users should ensure Stolen Device Protection is enabled. It is also more critical than ever to have a strong, unique PIN set with your cellular carrier and to store recovery information securely. In a scenario where Face ID or Touch ID is non-functional, a user would need to rely on their carrier’s verification procedures to move their line.
Furthermore, this change reinforces the recommendation to use app-based 2FA (like authenticator apps) over SMS-based codes for critical accounts. While this iOS 26 update hardens the device against a physical attack, app-based authentication remains the gold standard, as it is not tied to your phone number’s security.
By binding the high-stakes action of an eSIM transfer directly to a user’s biometrics, Apple has made a targeted and impactful change. This removes the passcode as a single point of failure and makes it substantially harder for criminals to escalate from a simple device theft to a full-scale identity compromise, ensuring your phone number remains securely yours.