Ramblings from a Researcher-In-Training

Peer Reviewed

A JMODest Proposal: Add a Dynamic Passcode Keypad to the iPhone

In response to some interesting reporting from Joanna Stern on how thieves are shoulder-surfing their victims’ iPhone passcodes and then getting all of the keys to their iCloud kingdom, I posted a silly solution to this problem on Mastodon…and then realized it may not be that silly after all.

A GIF of RuneScape’s bank PIN UI, in which the numbers scramble after each digit is entered. A mouse is slowly entering 1-9-8-4.
🦀🦀🦀Shoulder surfers are powerless against auto-jumbling passcode digits🦀🦀🦀

Some backstory: there's an MMORPG called RuneScape that, to my eye, essentially solved the problem of “shoulder-surfing” passcodes way back in 2005 with how they implement player bank PINs. As you enter your 4-digit bank PIN, the placement of the numbers randomizes after each digit (and the digit’s position on the tile itself shuffles as well), which makes it extremely hard to recover the sequence of digits from mouse placement alone. With just a bit of added friction, Jagex adds a considerable layer of protection on players’ Bandos sets, GP stacks, and party hats against any would-be hackers.
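As an added illustration (this is not code from the original post, nor Jagex's or Apple's implementation), here is a small Python model of a keypad that reshuffles its digit layout after every tap. It contrasts what a shoulder surfer learns from tap positions alone with what they learn if they also capture every layout; the class and function names (`ShufflingKeypad`, `enter_pin`, the two `observer_guess_*` helpers) are my own, and the sample PIN is constructed for the demo.

```python
import secrets

DIGITS = "0123456789"


def new_layout(rng):
    """Return a fresh random arrangement: layout[position] is the digit shown on that tile."""
    layout = list(DIGITS)
    rng.shuffle(layout)
    return layout


class ShufflingKeypad:
    """A keypad whose digit placement is re-randomized after every tap (RuneScape-style)."""

    def __init__(self, rng=None):
        # Any object with a .shuffle(list) method works; default to a CSPRNG-backed one.
        self.rng = rng or secrets.SystemRandom()
        self.layout = new_layout(self.rng)
        self.entered = []        # digits the keypad has actually received
        self.layout_history = [] # layout that was on screen for each tap

    def press(self, position):
        """Tap the tile at `position` (0-9); returns the digit it currently shows."""
        digit = self.layout[position]
        self.entered.append(digit)
        self.layout_history.append(self.layout)
        self.layout = new_layout(self.rng)  # reshuffle after every tap
        return digit


def enter_pin(keypad, pin):
    """Simulate a legitimate user who can see the screen: find each digit's tile and tap it.

    Returns the list of tap positions, which is all a position-only observer sees."""
    positions = []
    for digit in pin:
        pos = keypad.layout.index(digit)
        positions.append(pos)
        keypad.press(pos)
    return positions


def observer_guess_static(positions):
    """What a shoulder surfer infers on a fixed keypad, where tile position == digit."""
    return "".join(str(p) for p in positions)


def observer_guess_with_layouts(positions, layouts):
    """An observer who also captured each on-screen layout (e.g. a screen recording)
    recovers the PIN exactly, so the shuffle only defeats position-based inference."""
    return "".join(layouts[i][p] for i, p in enumerate(positions))


if __name__ == "__main__":
    pin = "1984"  # constructed sample PIN, matching the GIF above
    keypad = ShufflingKeypad()
    taps = enter_pin(keypad, pin)
    print("keypad received :", "".join(keypad.entered))
    print("tap positions   :", taps)
    print("static-keypad guess:", observer_guess_static(taps))
    print("guess with layouts :", observer_guess_with_layouts(taps, keypad.layout_history))
```

The useful distinction is in the last two lines of output: an observer who only watches the thumb gets a string that is unrelated to the PIN, while one who also captures the screen (a camera angled at the display, or a recording) still recovers it, because the layout is the secret-to-position mapping. That is the practical limit of this mitigation and the reason it complements, rather than replaces, the other fixes the post goes on to mention.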

So, too, could Apple protect the photos, credit cards, and iCloud accounts of people entering their iPhone passcode (regardless of length!) by deploying a similar solution on the iPhone lock screen — even just optionally for the most security-conscious. Honestly, I would turn it on immediately if for no other reason than that Face ID almost always works for me…and on the rare occasion when I need to enter my passcode, the benefit of this added friction outweighs the annoyance. Sure, Apple needs to resolve other issues pointed out in Stern’s reporting (dear God, why is my passcode sufficient to reset my iCloud password?!) — but any extra layer of protection (even optional) on what is almost certainly one’s most precious device seems like a no-brainer to me.