How to Secure Your Apple ID

    Lock down the Apple Account behind your iPhone, step by step: move it to a private email, set a strong unique password, tighten two-factor, remove recovery contacts, add a recovery key, turn on Advanced Data Protection, close iCloud.com web access, and switch on Stolen Device Protection.

    By Jordan Dickson · Reviewed by CSG Security Engineers

    Updated July 2026 · 8 min read

    Your iPhone runs on your Apple Account (still often called your Apple ID), and it is the master key to far more than the handset in your hand. Anyone who knows the password can sign in at icloud.com in any browser — or set up a spare device — and quietly read your messages, open your photos, see your contacts and follow your location through Find My, with nothing installed on your phone for a scan to find. Locking this one account down is the single most important thing you can do to stop being watched.

    Affiliate disclosure: if you sign up for a paid Proton plan through links on this page, CyberSecurityGuides may earn a commission at no extra cost to you. We only recommend tools we use and trust.

    Start with a private email you control

    Every step below hangs off the email your Apple Account is built on, so it's worth getting that right before you touch anything else. The strongest foundation is a fresh, end-to-end encrypted Proton Mail address that no one else has ever had access to. Set one up, secure it with its own strong password and two-factor, and then use it as the private email in Step 1 below — everything you do after that rests on an inbox only you can reach.

    Proton Mail Plus

    Private email with more storage, your own custom domain and extra aliases — the easy choice if email is all you need.


    Proton Unlimited

    Everything in Mail Plus, plus VPN, Pass, Drive and Calendar in one encrypted plan — the best value if you're rebuilding your whole setup, not just your email.

    • End-to-end encrypted
    • Swiss-based, no ads
    • One plan, every app

    Secure your Apple Account, step by step

    1. Open your Apple Account settings

    Open Settings and tap your name at the very top to open your Apple Account. This is the home for everything that follows — your sign-in details, trusted devices and recovery options all live here.

    Opening the Apple Account screen on iPhone: Home screen, tap Settings, then tap your name at the top

    2. Put it on an email only you control

    Your Apple Account is reached through the addresses listed under Sign-In & Security → Email & Phone Numbers — whoever can receive a reset code at one of them can take the account over. The strongest move is to put it on a private inbox no one else can touch. Tap Add Email or Phone Number → Existing Email Address, enter your Proton Mail address, and verify it with the code Apple sends. Then switch on Primary Email so your new address becomes the one the account runs on.

    iPhone Sign-In and Security, Email and Phone Numbers, tapping Add Email or Phone Number and entering a private Proton address

    Then remove the old email

    Once the new address is verified and set as your Primary Email, go back and remove the old one: tap it in the list and choose Remove Email Address. An old or shared inbox that can still receive your sign-in codes and reset links is exactly the back door you're closing here.

    An @icloud.com address will stay

    If one of the addresses ends in @icloud.com, you won't be able to remove it — it's part of the Apple Account itself, not a separate inbox. That's fine: it isn't an external email someone else could take over, so it doesn't carry the same risk as an old third-party address.

    3. Set a strong, unique password

    Change your password to something long and unique that you use nowhere else, so an old data breach can't unlock it — a password manager like Proton Pass can generate and store it for you. On your iPhone, tap Sign-In & Security → Change Password and confirm with your device passcode. Changing it also signs out most other active sessions, which is a clean break if someone has quietly been signed in elsewhere.

    Changing the Apple Account password: Sign-In and Security, Change Password, device passcode, then the new password sheet

    Proton Pass

    Stuck for a strong one? Proton Pass generates and stores a long, unique password for every account - so a breach of one never unlocks another - and fills them in for you across your devices.

    4. Tighten your two-factor authentication

    Apple's two-factor authentication works differently from most services — there is no authenticator app. A new sign-in is approved by one of your existing Apple devices, or by a code sent to a trusted phone number. So tightening it means tidying that list: under Sign-In & Security → Two-Factor Authentication, remove any trusted phone number that isn't yours, and sign out old devices that can no longer update to the latest version (roughly six years and older) along with anything you no longer use. Every device on the list is another place your approval codes can appear.

    Sign-In and Security, Two-Factor Authentication: trusted devices and a phone number, with an out-of-date iPhone flagged to sign out

    Why a trusted phone number stays

    You'll need to keep at least one trusted phone number, and a number tied to iMessage or FaceTime can't be removed. A phone number isn't the strongest second factor — it can be SIM-swapped — but Apple builds in a deliberate recovery delay when someone tries to get back in using only a phone number rather than approving from a trusted device. So keep a trusted device you control as your main key.

    5. Remove your recovery contacts

    A recovery contact is someone you trust to help you back into your account if you're ever locked out. It's a genuinely useful feature — but it also means your account's security now leans on the security of their account and device, which is completely out of your control. If one is set, weigh that up and consider removing it: under Sign-In & Security → Recovery Contacts, tap the contact and choose Remove Contact.

    Sign-In and Security, Account Recovery, reviewing recovery contacts and recovery key with an unknown contact flagged

    6. Add a recovery key

    With recovery contacts cleared, a recovery key hands recovery back to you alone — a 28-character code only you hold. Turn it on under Sign-In & Security → Recovery Key, then write the code down and store it somewhere safe and offline, away from your devices. The trade-off: switching it on turns off Apple's standard account recovery, so this key becomes your way back in if you ever forget your password and passcode — lose it and even Apple can't restore the account. Kept safe, it's the strongest lock you can put on your Apple Account.

    Sign-In and Security, Recovery Key: turning on a recovery key and saving the 28-character code

    7. Turn on Advanced Data Protection

    Finally, switch on Advanced Data Protection — the strongest setting Apple offers. Normally Apple holds the keys to most of your iCloud data (backups, Photos, Notes and more), which means it can be handed over or exposed in a breach. With Advanced Data Protection on, that data becomes end-to-end encrypted: only your trusted devices can unlock it, and not even Apple can read it. From your Apple Account → iCloud, scroll to Advanced Data Protection and turn it on — you'll confirm with the recovery key you just made and your passcode. This is exactly why the recovery key matters: it becomes the master key only you hold.

    Apple Account, iCloud, Advanced Data Protection: turning on end-to-end encryption and verifying with the recovery key and passcode

    8. Close the iCloud.com web gateway

    One door is still open: your iCloud data can be reached from any web browser at iCloud.com, using just your email and password. If you only ever use your own Apple devices, shut that gateway. From Apple Account → iCloud, scroll down and tap iCloud.com, then switch off Allow Data Access and Allow Search. Your data stays reachable on your trusted devices, but the browser sign-in that an attacker could use is closed off.

    Apple Account, iCloud, iCloud.com: turning off Allow Data Access and Allow Search to disable web access

    9. Turn on Stolen Device Protection

    One gap is left that nothing above can close on its own: someone who has your unlocked iPhone and your passcode — a thief who watched you type it in, or anyone you've shared it with — could sit down and quietly undo everything, changing your password and these very settings in seconds. Stolen Device Protection is built for exactly that situation.

    Turn it on under Settings → Face ID & Passcode → Stolen Device Protection. It defaults the delay to Away from Familiar Locations — we'd change Require Security Delay to Always, so the protection applies everywhere, not just away from places your iPhone treats as home or work.

    Settings, Face ID and Passcode, Stolen Device Protection: turning it on so passcode-only changes are blocked away from familiar locations

    What it locks down

    With it on, the most sensitive actions — changing your Apple Account password, turning off Find My, erasing the device or altering these security settings — require Face ID or Touch ID with no passcode fallback, plus a one-hour security delay followed by a second Face ID check for the riskiest changes. The result: even armed with your passcode, a thief can't take over your account or lock you out before you've reported the phone lost.

    Already worried it's in place?

    These steps lock the account down. To find monitoring that may already be running — forwarded messages, shared location, rogue profiles — check the settings someone can abuse on the iPhone itself.

    Common questions

    Is my Apple Account really how someone watches my iPhone?
    It's the most common way. Someone who knows your password can sign in on their own device and see your messages, photos and location through iCloud, with no app installed on your phone for a scan to find.
    What's the single most important step?
    Moving your Apple Account onto a strong, private email no one else can reach. Every other protection can be undone by someone who controls the recovery inbox, because that's where reset links and verification codes are sent.
    Do I still need to change my password if I turn on two-factor?
    Yes. Two-factor stops a stolen password being used on a new sign-in, but it doesn't remove sessions already signed in. Change the password to force everyone out, then keep two-factor on to keep them out.
    Is a phone number safe enough for two-factor?
    On your Apple Account you don't pick text codes — sign-ins are approved by your trusted devices first, with a phone number only as a fallback. Keep a trusted device you control as your main key: recovering through a phone number alone triggers a deliberate Apple delay, and numbers can be SIM-swapped.
    What if I can't change my Apple Account email?
    If your Apple ID is an @icloud.com address, Apple won't let you swap it for another email — that's normal. You can still lock it down: set a strong, unique password, keep two-factor on, and remove any other reachable email or phone number that could be used to reset the account.

    Written by

    Jordan Dickson

    Founder, CyberSecurityGuides

    Founder of CyberSecurityGuides, writing practical, jargon-free guides that help everyday people recover from and protect against online attacks.
