Apple Adds Safeguards to Protect Stolen Passcode Victims

Joe Rossignol, at MacRumors:

When the feature is turned on, iPhone users are required to authenticate with Face ID or Touch ID for additional actions, including viewing passwords or passkeys stored in iCloud Keychain, applying for a new Apple Card, turning off Lost Mode, erasing all content and settings, using payment methods saved in Safari, and more.

For especially sensitive actions, including changing the password of the Apple ID account associated with the iPhone, the feature adds a security delay on top of biometric authentication. In these cases, the user must authenticate with Face ID or Touch ID, wait one hour, and authenticate with Face ID or Touch ID again. However, Apple said there will be no delay when the iPhone is in familiar locations, such as at home or work.

This is very similar to an idea I floated to a friend back in September. Here’s what I wrote back then (with some minor grammatical corrections):

Here’s an idea for the nefarious actors who reset iCloud passwords after getting an iPhone passcode. Require biometric authentication to change the iCloud password and add a 24-hour delay to modify Face/Touch ID.

Maybe 24 hours is too long a delay, but I can’t see how, given the exemption for familiar locations. Conversely, one hour does not seem like nearly enough time, considering the scene of the crime is often a bar. With libations and socializing, victims may not immediately notice their phone is missing, especially those who keep their phone in a bag. Even if they do notice right away, they may be over an hour away from being able to access their Apple account or call Apple support. Getting home from a happy hour in Manhattan regularly took me over an hour when I lived in south Brooklyn.

Update: Having read Joanna Stern and Nicole Nguyen’s article, which MacRumors cited, I see that I misunderstood the feature. It’s not that changing biometrics using just the passcode is delayed by an hour; it’s that any biometric or passcode change takes effect only after an hour’s delay. This, in addition to requiring biometrics (Touch ID/Face ID) to modify biometrics, seems much better than what I had originally understood.
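To make the rules in the MacRumors excerpt and in the update above concrete, here is a small policy model written for this post. It is an added example, not Apple’s code, and the action names, tiers, location labels and times are assumptions for illustration. It models four rules the reporting describes: a passcode alone never unlocks a protected action, the most sensitive actions need a biometric check, an hour’s wait and a second biometric check, the wait is skipped in a familiar location, and a newly enrolled biometric only takes effect after the delay, so a thief who knows the passcode cannot add their own face and use it to pass the second check.

```python
"""Toy model of an iPhone-style security delay for sensitive actions.

Added example, not Apple's implementation. Action names, tiers and the
location check are assumptions; the rules modelled are the ones the quoted
reporting describes.
"""
from dataclasses import dataclass, field

HOUR = 3600  # seconds

# Assumed action tiers for illustration (not Apple's list).
BIOMETRIC_ONLY = {"view_keychain_passwords", "disable_lost_mode", "erase_device"}
REAUTH_DELAYED = {"change_apple_id_password"}   # auth, wait an hour, auth again
CHANGE_BIOMETRICS = "change_biometrics"         # change takes effect after the delay


@dataclass
class SecurityDelayPolicy:
    enrolled: set                    # biometric ids usable for authentication now
    familiar_locations: set          # e.g. {"home", "work"}
    delay: int = HOUR
    pending_actions: dict = field(default_factory=dict)     # action -> time of first auth
    pending_biometrics: dict = field(default_factory=dict)  # new id -> time it becomes usable

    def _authenticate(self, biometric, now):
        """Only an effective biometric passes; a passcode alone (biometric=None) never does."""
        if biometric in self.enrolled:
            return True
        effective_at = self.pending_biometrics.get(biometric)
        if effective_at is not None and now >= effective_at:
            self.enrolled.add(biometric)            # the enrolment has now taken effect
            del self.pending_biometrics[biometric]
            return True
        return False

    def request(self, action, now, location, biometric=None, new_biometric=None):
        """Outcome of attempting `action` at time `now` (seconds) from `location`.

        Returns 'denied', 'delayed' (first auth accepted, come back after the delay),
        'waiting' (second auth attempted too early) or 'allowed'.
        """
        if not self._authenticate(biometric, now):
            return "denied"
        familiar = location in self.familiar_locations
        if action in BIOMETRIC_ONLY:
            return "allowed"
        if action in REAUTH_DELAYED:
            if familiar:
                return "allowed"                    # no delay at home or work
            started = self.pending_actions.get(action)
            if started is None:
                self.pending_actions[action] = now  # first authentication starts the clock
                return "delayed"
            if now - started < self.delay:
                return "waiting"                    # second authentication came too early
            del self.pending_actions[action]
            return "allowed"
        if action == CHANGE_BIOMETRICS:
            # Outside a familiar location the new biometric is recorded but cannot
            # authenticate anything until the delay elapses.
            if familiar:
                self.enrolled.add(new_biometric)
            else:
                self.pending_biometrics[new_biometric] = now + self.delay
            return "allowed"
        raise ValueError(f"unknown action {action!r}")


def bar_theft_scenario():
    """Constructed scenario: phone taken at a bar by someone who shoulder-surfed the passcode."""
    policy = SecurityDelayPolicy(enrolled={"owner_face"}, familiar_locations={"home", "work"})
    return {
        "read_keychain": policy.request("view_keychain_passwords", 0, "bar"),
        "reset_apple_id": policy.request("change_apple_id_password", 0, "bar"),
        "enroll_face": policy.request(CHANGE_BIOMETRICS, 0, "bar", new_biometric="thief_face"),
    }


def owner_scenario():
    """Constructed scenario: the legitimate owner, away from home and then at home."""
    policy = SecurityDelayPolicy(enrolled={"owner_face"}, familiar_locations={"home", "work"})
    return [
        policy.request("change_apple_id_password", 0, "hotel", biometric="owner_face"),     # delayed
        policy.request("change_apple_id_password", 1800, "hotel", biometric="owner_face"),  # waiting
        policy.request("change_apple_id_password", 3600, "hotel", biometric="owner_face"),  # allowed
        policy.request("change_apple_id_password", 3700, "home", biometric="owner_face"),   # allowed, no delay
        policy.request(CHANGE_BIOMETRICS, 4000, "hotel", biometric="owner_face",
                       new_biometric="owner_finger"),                                       # allowed
        policy.request("view_keychain_passwords", 5000, "hotel", biometric="owner_finger"), # denied, not yet effective
        policy.request("view_keychain_passwords", 7600, "hotel", biometric="owner_finger"), # allowed
    ]


if __name__ == "__main__":
    print(bar_theft_scenario())
    print(owner_scenario())
```

The interesting line is the `pending_biometrics` check: because a freshly enrolled face is not usable until the delay has passed, an attacker holding only the passcode has no way to satisfy either biometric prompt, which is the property the one-hour debate above is really about.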