iOS 18 and macOS Sequoia Let Websites and Apps Automatically Update Existing Logins to Passkeys

[rexhunt]

Wouldn’t a password and a hardware (Yubikey) be more secured?

Someone gets into your Apple ID (because it does happen) and now they have your passkeys, and access to your accounts.

But if someone gets into your Apple ID and your passwords, they would still need the hardware key.

You can add a Yubi key requirement to iOS. If you use passkeys make sure to setup an emergency recovery contact

Set up an account recovery contact - Apple Support

An account recovery contact can help make sure that you always have access to your account, even if you forgot your Apple Account password or device passcode. Learn how to set up a recovery contact on your iPhone, iPad, or Mac.

support.apple.com

 

[rjohnstone]

Where is this setting?

Settings/Apps/Passwords

 

[kiranmk2]

I recall seeing an article about this but I think it is total BS. It is inconceivable that this is an actual thing. How is it done? A thief follows a person for two straight days hoping to be present and in a place they can see them unlock their phone? Or a thief is scanning a big crowd of people hoping to catch someone unlocking their phone that just happens to have hit the 2-day time out period? There is probably a documented case of this happening somewhere isolation but I just cannot see that this could be an actual “trend”.

In any case, passkeys would be no better or worse for this. Whether iCloud Keychain is supplying a password or passkey will presumably be the same.

It's probably got harder since the 2 day time out period came in, but from what I've read (including someone on here who was the victim of such an attach whilst on holiday), the thrives work in groups with a spotter and a thief with the spotter looking out for people entering passcodes in crowds.

As things stand, even if someone steals my phone and knows my passcode, they can't gain access to my bank accounts or 1Password vault without the 1password/banking password or biometric authentication.

 

[hagjohn]

If you are robbed and lose access to all of your Apple devices, how do you login to your insurance provider to file a claim? How do login to anything with only passkeys and no device? Genuinely curious. Can I login to iCloud and use that on a new device or from the web? I’ve been hesitant to upgrade.

U can still use a password when u have passkey.

 

[Earendil]

Oh dear. The condescension is strong with this one. As is the lack of imagination…or maybe it is lack of lived experiences?

But if you like questions: I am traveling internationally. My phone gets stolen. I need to login to my email to get my flight information, contact my husband and tell him to lock my phone, etc.

How do I log into my email account at the hotel, local internet Cafe, etc.?

I can’t login to iCloud as that requires 2FA. I can’t login into my airlines account or email account because the passkeys are stored on my iCloud account.

Oh dear, what is a simple girl like me to do!? Please advise!

Since you asked a question and didn’t make a false statement that misleads people, and then use that (false statement) to paint Apple in a bad light, I’d love to help!

First, since passkeys aren’t a requirement or forced, the simplest solution is to, when prompted, refuse to upgrade to passkeys for the websites you are concerned about. Continue with your life as normal.

But that wasn’t your question, so I’ll run through the options I’m aware of.

1. Since the scenario involves the ability to call a spouse, you can make their phone number an alternative trusted device/number.
(Or, just have them access the information you need)

2. On a windows machine, install the iCloud app, which will give you access to your keychain. You’ll likely need to have done #1, but I don’t think we know yet.

3. Use 1Password or other passkey manager that has web access (not a great idea if you don’t trust the computer 100%).

4. Some email services allow for one time keys that bypass 2FA and passkeys, but these need to be setup in advance.

Personally, I’d NEVER enter a password on a machine that I wasn’t positive didn’t have a keylogger on it, especially not an email password, that could be used to reset most of my life. That’s the *point* of 2FA and passkeys; a keylogger or screen logger is unhelpful to the bad guys.

Alternative technology possibilities you may consider anyway:
Set up a “travel” email address that you don’t use a passkey on, and have your main email forward all travel related emails to the travel address. Make sure the travel adddress has no ability to reset any accounts. Set password to “IDontCareIfYouSeeThis”.
This is the old school solution I used on international trips where I didn’t have a laptop.

Those are just the ones I’m aware for a feature that isn’t released yet and we don’t know all the ins and outs.

But hey, I lack imagination and real world experience, so maybe you or someone else can do better

 

[Tempest114]

What about iPadOS?!

 

[architect1337]

Oh dear. The condescension is strong with this one. As is the lack of imagination…or maybe it is lack of lived experiences?

But if you like questions: I am traveling internationally. My phone gets stolen. I need to login to my email to get my flight information, contact my husband and tell him to lock my phone, etc.

How do I log into my email account at the hotel, local internet Cafe, etc.?

I can’t login to iCloud as that requires 2FA. I can’t login into my airlines account or email account because the passkeys are stored on my iCloud account.

Oh dear, what is a simple girl like me to do!? Please advise!

From my side (and someone who does travel often) - as I mentioned previously, passkeys are a nice secure convenience and useful for travel in that a bad actor can't intercept your login details.

That being said, when travelling, you assume your phone is going to be stolen / you don't have data access and so print out all your tickets beforehand. You also take a second device like an iPad mini (if in the Apple ecosphere) as a backup.

Just relying on username/ password that is written down on a piece of paper in your purse is asking for trouble if/when you don't have access to data (stolen / no wifi / no signal) and you decide to log into your account via a local Internet Cafe.

Using your phone on a strange wi-fi is also asking for trouble, if you don't use a VPN. A rogue wi-fi access point could intercept your session keys, host a rogue DNS server that points to a dodgy 'icloud.com' site, tricking you into giving them your icloud username and password (happens at airports all the time) and so on.

Fortunately, nearly all accounts that currently accept Passkeys, also need a password to be set up and usually 2FA and also have a 'I've forgotten my password' link, that any smart hacker will use if they specially want to get into your account - this is why I call 'passkeys' a convenience; great for what they do but your account is still vulnerable to other hacking methods but they should certainly be your first choice for authentication.