The short version: the three highest-leverage security improvements most iPhone users haven't made are (1) switching from SMS-based two-factor authentication to an authenticator app or passkeys, (2) enabling iCloud Advanced Data Protection so your backups are end-to-end encrypted, and (3) adding network-level threat protection to block phishing domains before they load. Everything else in this guide matters too, but those three address the attack vectors that actually succeed against real iPhone users in 2026 — credential theft, iCloud backup access, and phishing links.
Security measures ranked: impact, threat addressed, and setup difficulty
| Security measure | What it protects against | Setup difficulty | Impact |
|---|---|---|---|
| App-based 2FA / passkeys | SIM swap attacks, SMS interception, credential stuffing | Moderate (10-20 min for key accounts) | Critical |
| iCloud Advanced Data Protection | iCloud data access by Apple, law enforcement, or attackers with your Apple ID | Easy (one toggle, recovery key setup) | High |
| Network-level threat protection | Phishing domains, malware C2, hostile WiFi, zero-day phishing | Easy (install app, tap connect) | High |
| App permission audit | Excessive data access by apps, stalkerware, data broker collection | Easy (5-minute review) | Medium-High |
| Device session review | Unauthorized account access, forgotten active sessions | Easy (5-minute review) | Medium |
| Stolen Device Protection | Physical theft with observed passcode | Easy (one toggle) | Medium |
| Lockdown Mode | Zero-day exploits, state-sponsored spyware | Easy (one toggle, major UX trade-offs) | Critical (for targeted individuals) / Low (for most users) |
| Automatic updates enabled | Known exploits, unpatched vulnerabilities | Trivial (one toggle) | Critical |
Let's go through each measure in detail — what it does, why it matters, and exactly how to set it up.
Switch from SMS two-factor to authenticator apps or passkeys
This is the single most important security change most people haven't made. SMS-based two-factor authentication (where you receive a text message with a verification code) is vulnerable to SIM swap attacks, SS7 network interception, and social engineering of carrier support staff. These aren't theoretical attacks — the FBI's Internet Crime Complaint Center documented over $68 million in SIM swap losses in 2023 alone, and the number has grown since. When an attacker ports your phone number to a SIM they control, every SMS-based 2FA code goes to them instead of you. Your email, bank, social media — any account protected only by SMS 2FA becomes accessible.
What to use instead: an authenticator app generates time-based one-time passwords (TOTP) on your device. The codes are generated locally using a shared secret that was established during setup — no SMS, no carrier, no SIM to swap. Apple's built-in authenticator (Settings > Passwords, then tap an account > Set Up Verification Code) works well and auto-fills codes in Safari. Third-party options include 1Password, Authy, and Google Authenticator. Any of these is dramatically more secure than SMS.
Even better, passkeys: a passkey is the FIDO2/WebAuthn standard built into iOS 16+. It replaces both passwords and 2FA codes with a cryptographic key pair: the private key stays in your iCloud Keychain and the service stores only the public key, so there is no password to phish and no code to intercept. You authenticate with Face ID or Touch ID. Major services (Google, Apple, Microsoft, GitHub, Amazon, PayPal) now support passkeys. When a service offers passkey support, use it; it eliminates the entire category of credential theft attacks. The FIDO Alliance's passkey documentation covers the full list of supporting services.
Which accounts to prioritize: start with your email (it's the master key — most password resets go through email), then your Apple ID, then banking and financial accounts, then social media. Your email account is the most critical because compromising it enables the attacker to reset passwords on everything else. If you only switch one account from SMS to authenticator-based 2FA, make it your primary email.
The carrier PIN: while switching to app-based 2FA, also set a strong PIN on your mobile carrier account. This doesn't replace the 2FA switch, but it adds a layer of defense against SIM swap social engineering. Call your carrier or use their app to set a PIN/passphrase that's required for any account changes including SIM swaps. Don't use your birthday or the last four of your SSN — those are trivially guessable.
Enable iCloud Advanced Data Protection
By default, iCloud backups are encrypted in transit and at rest, but Apple holds the encryption keys. This means Apple can (and has been compelled to, via court order) decrypt your iCloud backups for law enforcement. It also means that if an attacker gains access to your Apple ID, they can download your iCloud backup — including your messages, photos, health data, and Safari history — from the web.
What Advanced Data Protection changes: when you enable Advanced Data Protection (ADP), most iCloud data categories switch to end-to-end encryption. The encryption keys are stored only on your trusted devices — Apple no longer holds a copy. This means Apple cannot decrypt your data, cannot provide it to law enforcement, and an attacker who compromises your Apple ID cannot access the encrypted data without also having one of your trusted devices. The protected categories include: iCloud Backup, Photos, Notes, Reminders, Safari bookmarks, Siri Shortcuts, Voice Memos, Wallet passes, and iCloud Drive.
What's not covered: iCloud Mail, Contacts, and Calendar remain standard-encrypted (not end-to-end) because they need to interoperate with non-Apple email servers, CardDAV, and CalDAV protocols that require server-side access to the data. This is a genuine limitation — your email content is not end-to-end encrypted even with ADP enabled.
How to enable it: Settings > your name > iCloud > Advanced Data Protection > Turn On. iOS will guide you through setting up a recovery key or designating a recovery contact. This step is critical: because Apple no longer holds your keys, if you lose all your trusted devices and don't have your recovery key, your data is permanently inaccessible. Write down the recovery key and store it somewhere physical and secure (a safe, a safe deposit box, a locked drawer — not in a note on your phone or in an email to yourself).
Who should enable this: everyone who stores sensitive data in iCloud and is confident they can safeguard their recovery key. The only reason not to enable ADP is if you're genuinely worried about losing access to your own data — and the recovery key process exists precisely to prevent that. The security benefit is substantial: you're removing Apple's ability to access your data, which also removes any attacker's ability to access it through Apple.
Add network-level threat protection
The majority of successful attacks against iPhone users don't exploit iOS vulnerabilities — they exploit the human. Phishing links arrive via SMS, email, WhatsApp, or social media. The user taps the link, lands on a convincing fake login page, and enters their credentials. Game over. In 2026, AI-generated phishing pages are nearly indistinguishable from legitimate ones — the old advice of "look for spelling mistakes and weird URLs" is no longer reliable.
What network-level protection does: a DNS-based or VPN-based threat filter evaluates every domain your device tries to connect to. When you tap a phishing link, the filter checks the domain against: (1) blocklists of known phishing domains, (2) threat intelligence feeds from security researchers, and (3) ML models trained to identify characteristics of newly-registered phishing domains (unusual registrar, hosting in bulletproof ASNs, domain name patterns that mimic legitimate brands). If the domain is flagged, the connection is blocked before the page loads — you never see the fake login page and never have the opportunity to enter your credentials.
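The three stages described above, as an added example that is neither the original guide's code nor any filtering product's: a static blocklist lookup first, then pattern heuristics for brand mimicry (digit-for-letter substitutions, brand names dropped into a subdomain of an unrelated registrable domain, throwaway-style hyphen and subdomain chains). All domains, brand lists and thresholds are constructed for illustration; a real filter layers these on registrar age, hosting reputation and live threat feeds.

```python
from dataclasses import dataclass

# Everything below is constructed sample data for the example, not a real threat feed.
BLOCKLIST = {"bad-phish.example"}
# Brands the lookalike heuristic protects, mapped to their genuine registrable domains.
BRANDS = {"apple": {"apple.com", "icloud.com"}, "paypal": {"paypal.com"}}
# Digit substitutions that make a lookalike label read like the brand name.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


@dataclass
class Verdict:
    host: str
    blocked: bool
    reason: str


def registrable_domain(host: str) -> str:
    """Last two labels; a production filter would consult the Public Suffix List instead."""
    return ".".join(host.split(".")[-2:])


def check_domain(host: str) -> Verdict:
    """Stages mirror the text: static blocklist, then pattern heuristics for brand mimicry."""
    host = host.strip().lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in BLOCKLIST:
        return Verdict(host, True, "registrable domain is on the blocklist")
    for brand, genuine in BRANDS.items():
        if reg in genuine:
            return Verdict(host, False, f"genuine {brand} domain")
    # Undo homoglyphs, split on dots and hyphens, and look for a brand leading any token.
    tokens = host.translate(HOMOGLYPHS).replace("-", ".").split(".")
    for brand, genuine in BRANDS.items():
        if any(tok.startswith(brand) for tok in tokens):
            return Verdict(host, True, f"'{brand}' used outside its genuine domains {sorted(genuine)}")
    if host.count(".") >= 4 or host.count("-") >= 3:
        return Verdict(host, True, "deep subdomain or hyphen chain typical of throwaway phishing hosts")
    return Verdict(host, False, "no signal; allow")


if __name__ == "__main__":
    for h in ["appleid.apple.com", "app1e-id-verify.example", "apple.com.login.evil.example",
              "pineapple-recipes.example", "bad-phish.example"]:
        v = check_domain(h)
        print(f"{'BLOCK' if v.blocked else 'ALLOW':5} {h}: {v.reason}")
```

The "brand at the start of a token" rule is deliberately narrower than a substring match so that hosts like pineapple-recipes.example are not false positives; that trade-off between catch rate and collateral blocking is exactly what the ML stage in a real product tunes.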
Why this matters beyond Safari: Safari has its own built-in Safe Browsing check (Fraudulent Website Warning), which is good but limited — it checks against Google's Safe Browsing database, which has a lag between when a phishing domain goes live and when it's added to the database. Phishing campaigns increasingly use domains that are live for only 24-72 hours, then rotate. Network-level protection with ML-based detection catches domains that static blocklists haven't indexed yet. And critically, it works outside Safari — phishing links in iMessage, WhatsApp, Slack, email apps, and social media all resolve through DNS before loading, so the filter catches them regardless of which app you tap the link in.
How to set it up: install a VPN-based filtering app. Casper's Cloak combines DNS-level blocking of known threats with AI-based classification of zero-day phishing domains, plus WireGuard tunnel encryption for public WiFi protection. Alternatively, NextDNS and Cloudflare Gateway offer DNS-only threat filtering (without the VPN tunnel). The VPN approach provides both threat blocking and network encryption; DNS-only provides threat blocking without using the VPN slot. For security specifically (not just privacy), the VPN approach is stronger because it also protects against hostile WiFi networks.
What it doesn't protect against: if you manually navigate to a legitimate site, log in with your real credentials, and then that site gets breached — network-level protection can't help with that. It also can't prevent credential stuffing attacks against your accounts if your password was exposed in a previous data breach. For that layer, you need strong unique passwords (use a password manager) and 2FA. Network-level protection is the outermost defense layer; strong authentication is the innermost. You need both.
Audit app permissions and check for unknown device sessions
App permission auditing is simple, fast, and catches things that no automated tool can. Go to Settings > Privacy & Security and review each category: Location Services, Contacts, Calendars, Photos, Microphone, Camera, Bluetooth, Local Network, and Health. For each app listed, ask: does this app need this permission for a function I actually use? A QR code scanner doesn't need your contacts. A recipe app doesn't need your microphone. A game doesn't need your location. Revoke anything that doesn't make sense.
The App Privacy Report: Settings > Privacy & Security > App Privacy Report shows which apps accessed which sensitive data types in the past 7 days, and which domains they contacted. This is your audit evidence. If a flashlight app accessed your location 847 times in the past week, that's a red flag worth investigating — either the app is collecting data for advertising, or it's doing something worse. The App Privacy Report doesn't block anything, but it gives you the information to make blocking decisions.
Check for unknown device sessions: your most critical accounts — Apple ID, Google, email, banking — allow you to view active sessions (devices currently logged in). For Apple ID: Settings > your name > scroll down to see all devices. Any device you don't recognize should be removed immediately (tap it > Remove from Account) and your password should be changed. For Google: myaccount.google.com/device-activity. For major email providers and banks, check their security or session management pages. An unknown active session is one of the strongest indicators of account compromise — it means someone else has authenticated as you and hasn't been logged out.
How often to do this: a thorough permission audit takes about 5 minutes and should be done every 2-3 months. Device session checks should be done monthly, or immediately if you notice anything suspicious (unexpected 2FA codes, password reset emails you didn't request, account activity from unfamiliar locations). We covered the full diagnostic framework in our guide on how to know if your phone is hacked.
Stolen Device Protection and physical security
Stolen Device Protection, introduced in iOS 17.3, addresses a specific attack: a thief observes you entering your passcode (shoulder surfing in a bar, on public transit, in a coffee shop), then steals your phone. Without Stolen Device Protection, the thief can use that passcode to: change your Apple ID password, disable Find My iPhone, access your passwords in Keychain, and lock you out of your own account. With Stolen Device Protection enabled, sensitive operations require Face ID or Touch ID (passcode alone isn't sufficient) and some operations have a mandatory one-hour delay when performed away from familiar locations.
How to enable it: Settings > Face ID & Passcode > enter your passcode > Stolen Device Protection > toggle on. Choose between "Always" (delays apply everywhere) or "Away from Familiar Locations" (delays only apply away from home and work). The "Away from Familiar Locations" option is more convenient — it doesn't add friction in your daily life but activates the security measures in the scenarios where theft is most likely.
The passcode itself matters: if your passcode is 000000 or 123456, Stolen Device Protection helps, but you're still working with a weak foundation. Switch to a non-obvious 6-digit numeric passcode at minimum, or an alphanumeric passcode for stronger security. Since you unlock with Face ID 99% of the time, the inconvenience of a longer passcode is minimal: you only type it after a restart, after 48 hours without an unlock, or when Face ID fails repeatedly. Go to Settings > Face ID & Passcode > Change Passcode > Passcode Options > Custom Alphanumeric Code.
Lockdown Mode: when the threat model justifies it
Lockdown Mode dramatically reduces your iPhone's attack surface by disabling features that sophisticated exploits target. JIT compilation in Safari is disabled (which breaks some complex web apps but eliminates a major exploit class), most message attachment types are blocked, FaceTime calls from unknown contacts are blocked, wired connections require the device to be unlocked, and configuration profiles can't be installed.
Who needs it: journalists covering authoritarian governments, human rights activists, political dissidents, and anyone with credible reason to believe they're a target of state-sponsored surveillance or mercenary spyware (Pegasus, Predator, Hermit). These individuals face threat actors with budgets to purchase and deploy zero-day exploit chains. Lockdown Mode raises the technical cost of attacking their devices, which may cause the attacker to move to an easier target or use a more expensive (and thus rarer) exploit.
Who doesn't need it: the vast majority of iPhone users. The attacks Lockdown Mode defends against cost six to seven figures per target. Random consumers are not targeted with these tools — the economics don't support it. If your threat model is phishing, account takeover, SIM swaps, or data broker tracking, the other measures in this guide address those directly. Lockdown Mode doesn't help with any of them — it addresses a fundamentally different threat tier.
The trade-offs are real: some websites won't work properly without JIT compilation (complex web apps, some banking sites, Google Docs can be slower). Photo sharing in Messages is limited. Some fonts and PDF features are disabled. If you try it and find the daily friction acceptable for your workflow, there's no downside to keeping it on. But don't enable it thinking it makes you "more secure" against common threats — it doesn't. It makes you more secure against a specific, rare, expensive category of attack.
The complete security hardening checklist
Here's every measure from this guide in setup order. Each step builds on the previous one. The entire process takes 30-45 minutes for the initial setup.
- Enable automatic updates. Settings > General > Software Update > Automatic Updates — turn on everything. This is the foundation — all other security measures assume your OS is current.
- Switch 2FA to authenticator app or passkeys. Start with your email, then Apple ID, then banking, then social media. Use Settings > Passwords for Apple's built-in authenticator, or install 1Password/Authy. Set a carrier PIN while you're at it.
- Enable iCloud Advanced Data Protection. Settings > your name > iCloud > Advanced Data Protection. Write down your recovery key and store it physically. This end-to-end encrypts your iCloud data.
- Install network-level threat protection. Download Casper's Cloak or set up NextDNS. Enable the VPN profile. This blocks phishing domains and malware infrastructure, and encrypts your traffic on any network.
- Audit app permissions. Settings > Privacy & Security — review Location, Microphone, Camera, Contacts, Photos. Revoke anything unnecessary. Check the App Privacy Report for apps contacting excessive tracking domains.
- Review device sessions. Settings > your name > scroll to devices. Remove any you don't recognize. Check Google, email, and banking accounts for unknown active sessions.
- Enable Stolen Device Protection. Settings > Face ID & Passcode > Stolen Device Protection > toggle on. Choose "Away from Familiar Locations" for the best convenience/security balance.
- Upgrade your passcode. Settings > Face ID & Passcode > Change Passcode > Custom Alphanumeric Code. Since you use Face ID daily, the longer passcode only matters in the rare cases where it's needed — and in those cases, strength matters.
- Evaluate Lockdown Mode (if your threat model warrants it). Settings > Privacy & Security > Lockdown Mode. Only for individuals facing targeted, state-level threats.
What this setup protects against — and what it doesn't
With all of the above in place, you're protected against: SIM swap attacks (authenticator-based 2FA), iCloud backup theft (Advanced Data Protection), phishing link attacks (network-level threat blocking), physical device theft with observed passcode (Stolen Device Protection), excessive app data collection (permission audit), and known exploit chains (automatic updates).
What remains: no configuration makes you invulnerable. Social engineering attacks where someone convinces you to voluntarily share credentials or authorize access still work — technology can reduce the surface area for these attacks but can't eliminate them if you cooperate with the attacker. Data breaches at services you use expose whatever data you gave them, regardless of your device configuration. First-party tracking by services you're logged into (Google, Meta, Amazon) continues because you're voluntarily authenticated. And zero-day exploits — while Lockdown Mode raises the cost — exist because no software is provably bug-free.
The honest framing: security is about raising the cost and reducing the probability of successful attacks. Each measure in this guide eliminates or mitigates a specific, real attack vector. Stacked together, they make an iPhone very difficult to compromise through any vector short of state-level resources. The remaining risk is managed through awareness and behavior — being skeptical of unexpected messages, not sharing credentials over the phone, and monitoring your accounts for unauthorized activity.
Bottom line
The basics — passcode, Face ID, Find My iPhone — are necessary but not sufficient. The measures that make a meaningful difference beyond the basics are: authenticator-based or passkey-based 2FA (defeats the credential theft attacks that actually succeed), iCloud Advanced Data Protection (end-to-end encrypts the most valuable target — your cloud backups), and network-level threat protection (blocks phishing domains before you can interact with them). Add a permission audit, device session review, and Stolen Device Protection, and you've addressed every major attack vector that affects real iPhone users in 2026. The full setup takes 30-45 minutes. The security improvement is substantial.