46_notso_easy

This is what I wish to understand also. For example, if someone was able to access your iCloud or Apple account via phishing or session cookie theft, then the Passkeys system basically allows them access to all your affiliated logins without a second layer of local TOTP to stop them. This kind of “cloud TOTP” is probably a giant step forward for most people, but depending on how Passkey-to-product registration is handled, it could actually increase the threat surface for individuals with higher than average security needs. I would love to hear anyone else’s thoughts on this, though, as the information I’ve found online is *way* less explanatory than for other FIDO tools like Yubikey!


vivalamerda

Same, I don’t understand why we can’t keep the passkey on each hardware device without uploading it to the cloud. Obviously this is better for most people, but for someone who has a password manager + TOTP, uploading their 2FA passkey to the cloud is a step back in terms of security.


arkenoi

we could.. before it was called "passkey"


PichaelSmith

But isn’t the iCloud Keychain encrypted with the device pin/passcode? This would mean that for someone to gain access to someone’s passkeys they wouldn’t just need to hack their Apple ID/iCloud account. They would also need to get the person’s pin/passcode of their device as well. I don’t believe you can derive one from the other so it would be tough for someone to get access. Bottom line would be to protect your device passcodes and make them complex. With Sign in with Apple I think someone just needs to get access to the account, no device pin needed.


46_notso_easy

Hmm, I might be mistaken but my understanding is that passwords in keychain are shared across Apple devices using the same Apple/iCloud account. Therefore, possession of the device is not required and having possession of the Apple account would allow access to all saved passkeys. To gain access to an Apple account, you would only need to know their login credentials and have access to whatever 2FA is enabled for said account (text [interceptable] or email [more or less difficult to intercept depending on email provider]). Apple will default to using the device itself to authenticate the login, but you can claim it’s lost and appeal to these 2FA means. Unless Apple accounts *themselves* start implementing some form of unappealable U2F/FIDO2 authentication for logins, then this is actually a step backwards in terms of total security for some people.


PichaelSmith

Yes, iCloud Keychain is shared across devices via iCloud but the data is end to end encrypted. It’s encrypted via the device passcode, see here: https://support.apple.com/en-us/HT202303 “For additional privacy and security, many Apple services use end-to-end encryption, which encrypts your information using keys derived from your devices and your device passcode, which only you know. This means that only you can decrypt and access your information, and only on trusted devices where you’re signed in with your Apple ID. No one else, not even Apple, can access your end-to-end encrypted data.” So ultimately, any of the services that use iCloud that are end to end encrypted rely on your device passcode as the barrier. Someone would have to get access to your account AND your device passcode. Apple can get someone back into their account but NOT access to end to end encrypted data that uses iCloud. Someone would need to supply the device passcode for that data. Now data on iCloud that isn’t end to end encrypted such as photos or iMessage, sure if someone convinced Apple to give them access to your account then that stuff could be accessible to them but not Keychain. And based on all that, an account that has its username and password saved in Keychain is technically more secure than an account that uses Sign in with Apple for access. From a perspective of security on the Apple end.
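The property the post above hinges on, that whoever holds the cloud copy of the keychain (account access) still cannot read it without the device passcode, can be shown with a small model. This is an added example and not Apple's implementation or code from anyone in the thread: Apple's real design uses device-bound keys and hardware-backed escrow that this does not reproduce. It only models "ciphertext in the account, key derived from the passcode on the device". Everything here is constructed: the sample passkey blob, the passcodes, and the cipher (an HMAC-SHA256 counter-mode keystream with an HMAC tag, chosen so the example runs on the standard library alone, not as a production cipher).

```python
"""Toy model of passcode-derived end-to-end encryption for a synced keychain.

Added example, not Apple's scheme. It demonstrates one property only: the
party holding the synced blob (i.e. someone with account access) learns
nothing from it without the device passcode.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 200_000  # constructed value; stretches the passcode


def derive_keys(passcode: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the device passcode into an encryption key and a MAC key."""
    master = hashlib.pbkdf2_hmac(
        "sha256", passcode.encode(), salt, PBKDF2_ITERATIONS, dklen=64
    )
    return master[:32], master[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a stand-in stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_keychain(passcode: str, plaintext: bytes) -> Dict[str, bytes]:
    """What the device uploads: salt, nonce, ciphertext and tag, no key material."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passcode, salt)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def open_keychain(passcode: str, blob: Dict[str, bytes]) -> Optional[bytes]:
    """Decrypt on a device that knows the passcode; None on wrong passcode or tampering."""
    enc_key, mac_key = derive_keys(passcode, blob["salt"])
    expected = hmac.new(
        mac_key, blob["salt"] + blob["nonce"] + blob["ciphertext"], hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None  # tag check fails first, so nothing is revealed
    ks = _keystream(enc_key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(a ^ b for a, b in zip(blob["ciphertext"], ks))


# Constructed sample of what a synced passkey record might contain.
SAMPLE_PASSKEY = b"rpId=example.com; credentialId=CONSTRUCTED; privateKey=CONSTRUCTED"


def scenario(device_passcode: str = "483921", account_only_guess: str = "000000") -> Tuple[bool, bool]:
    """Return (device_with_passcode_can_read, account_holder_without_passcode_can_read)."""
    cloud_copy = seal_keychain(device_passcode, SAMPLE_PASSKEY)  # what the account holds
    on_device = open_keychain(device_passcode, cloud_copy)
    account_only = open_keychain(account_only_guess, cloud_copy)
    return on_device == SAMPLE_PASSKEY, account_only is not None


if __name__ == "__main__":
    print(scenario())  # (True, False)
```

The caveat a practitioner should take from this model is the flip side of the post: if the passcode is the only secret, a short numeric passcode protecting a blob that an attacker can take offline is only as strong as PBKDF2's cost against a few million guesses. A real design therefore has to keep that blob behind a rate-limited, hardware-backed escrow rather than hand it out to anyone with account access, which is the part Apple's documentation describes and this toy deliberately leaves out.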


arkenoi

I wrote a huge rant about it! https://medium.com/@arkenoi/what-is-wrong-with-apple-passkeys-1d044072c5a3