Once again, no. It was response to "Someone would need my apple id, my password, access to one of my apple devices."
The Elcomsoft's article explicitly claims that no, you don't need Apple Id and password when you have an access to the device and the passcode.
And nobody was able to disprove these very specific claims that are the actual topic of Elcomsoft's article.
What you assert, in the words you assert "the sum of changes would make this a weaker target", was claimed nowhere as the "argument". From the two paragraphs I've quoted the first was a mere introduction (how the reduced security level was achieved, specifically, "Combined together, these seemingly small changes made devastating synergy", and yes, such changes can actually make the system easier to exploit, everybody wit experience in this field knows that). The second was explicit:
"The passcode. This is all that’s left of iOS security in iOS 11. If the attacker has your iPhone and your passcode is compromised, you lose your data"
It was just your interpretation, based only on one of the only two paragraphs I've quoted (and your unawareness of both the second paragraph and the whole article) which obviously missed the whole point. Yes, the user "convenience" decisions did lead to having the Apple Id password irrelevant (obtainable by just a plain and typically simpler passcode). Sorry that you missed that. Any I won't reply to this thread anymore, because I've written all the arguments. Anybody can check the whole thread and compare.
And yes, also read the Elcomsoft's article and prove them wrong, if they are wrong. But I haven't seen anybody achieving that up to now.
You keep repeating yourself and missing the point, which is: no, it does not matter and does not change the overall security of pretty much all users. It is simply not within the threat model. Unless you have to consider a technically advanced adversary or highly automated attacks, it's simply still not relevant.
None of the iOS related things apply to the download portal, and none of the intercept/local access exploits apply to normal users.
It is absolutely relevant for this very thread: it disproves the initial claim in the thread that the attacker would need “device, passcode and appleid password”. The article proves that the third (appleid password) is not needed (that was the main topic of the article) and you never demontrated anything else.
I don’t care for other kinds of relevance or irrelevance as they never were never claimed by me.
If you want to scope the thread to the OP article: If you go to the portal on Apple's site, you need an AppleID, and if the AppleID has MFA enabled you need a device. The is no way around that.
If you want to scope the thread to the Elcomsoft article and specific on-device physical extraction, sure you'd have a different story.
I haven't "scoped it" that way, the parent poster of my answer did it so:
"Someone would need my apple id, my password, access to one of my apple devices (I had to enter a code that appeared on one of my devices), and access to my email." Note: "someone would need my" -- as in "an attacker", not "me as the owner of the device."
And the answer, supported by the Elcomsoft's article is, no, the attacker just needs the device and the passcode. Nothing more. Since iOS 11, everything else he can extract from that.
The Elcomsoft's article explicitly claims that no, you don't need Apple Id and password when you have an access to the device and the passcode.
And nobody was able to disprove these very specific claims that are the actual topic of Elcomsoft's article.
What you assert, in the words you assert "the sum of changes would make this a weaker target", was claimed nowhere as the "argument". From the two paragraphs I've quoted the first was a mere introduction (how the reduced security level was achieved, specifically, "Combined together, these seemingly small changes made devastating synergy", and yes, such changes can actually make the system easier to exploit, everybody wit experience in this field knows that). The second was explicit:
"The passcode. This is all that’s left of iOS security in iOS 11. If the attacker has your iPhone and your passcode is compromised, you lose your data"
It was just your interpretation, based only on one of the only two paragraphs I've quoted (and your unawareness of both the second paragraph and the whole article) which obviously missed the whole point. Yes, the user "convenience" decisions did lead to having the Apple Id password irrelevant (obtainable by just a plain and typically simpler passcode). Sorry that you missed that. Any I won't reply to this thread anymore, because I've written all the arguments. Anybody can check the whole thread and compare.
And yes, also read the Elcomsoft's article and prove them wrong, if they are wrong. But I haven't seen anybody achieving that up to now.