
EyeOS

macrumors member
Original poster
Sep 17, 2022
Hi,

Currently I am trying to understand how safe passkey authentication is.
Looking for a worst case, here is a constructed scenario:

Let's say I have lost my bag with my iPhone and my money box.
In my money box there is a piece of paper with my Apple ID and my Apple password (I know this should not be there, but just to discuss the case).

The finder uses the credentials, logs into my iPhone and checks my mails to find out which websites I use, e.g. Amazon and PayPal, assuming I access these sites via passkeys.
The finder of my phone scans his face or his finger to create a new Face ID or a new Touch ID, to create a new passkey. Due to the two-factor authentication he gets an SMS from Apple to confirm his identity - directly on this phone.
After confirming, he is able to access my websites via passkeys to do whatever he wants to do.

So my question is: Is this a realistic scenario? Please correct me if I am (hopefully) wrong.

If I am right, I would prefer to stay with passwords, even if there is the well-known phishing threat.
But compared to the situation described above, the finder of my phone would not be able to access all my websites, as long as I use different passwords which he does not know.
With passkeys the iPhone would be a kind of “single point of risk” and passkeys would only be as secure as my Apple credentials are safe and not accessible. Am I right?


Thanks for any comments
 
You can’t access the phone without the passcode or Face ID/Touch ID even if you have the login and password. You can’t access iCloud or the Apple ID either, because you need to authenticate with the second factor on the phone, where you need Touch ID/Face ID or the passcode to get access.

Changing Face ID/Touch ID requires inputting the passcode. So it’s not possible for the thief to change it. And because they can’t access Face ID and don’t have the passcode, they cannot access the keychain.

Without access to the keychain, login with the passkey is impossible. The passkey requires Face ID to authenticate. The biometric ID basically makes passkeys a two-factor authentication.

If you wrote down your passcode, then that’s a big problem.
 
Thank you very much for your answer.
May I ask what you mean by “login” and “passcode”? Is the “login” the code to access the device and the “passcode” the password of your Apple ID? Or the other way around?

As far as I have understood, you can access the Face ID section of the device settings with the code you use to unlock the device, but not with your Apple ID password. If this is true, it should be possible to create a new Face ID/Touch ID with the device code only. So you would not need the Apple ID either.

Thank you for any answer.
 
That's pretty much it - in the described scenario the third party would not be able to gain access to the iPhone in the first place.

Passcodes and passwords and credentials should not be written down in clear text anywhere other than to keep in a deposit box at the bank for the worst case.

This topic also doesn't have anything to do with the new authentication method for websites, because once they have access to your iPhone they can either look at your passwords in the password manager or go through the password reset process and use Mail to access the new password.

Apple forces you to lock your phone with a reasonably safe passcode (beyond 0000 and 1234) and tries to nudge you towards activating biometrics as well, once you activate any of these safety-critical Apple features, precisely to avoid a scenario like the one you described.

A more likely scenario would be that someone forces you to add their fingerprint to your iPhone at gunpoint. But then the point is moot because obviously with your health at stake you'd happily log in anywhere they demand, not worth risking your life for that.

The new authentication method for websites on its own seems reasonably well thought-out in my opinion: The iPhone creates a private/public key pair, where the secret key (the private key) will never ever leave the iPhone and can thus never be copied. It will not be part of any backup either. Whoever wants to use this login needs to do it directly on the iPhone itself - at which point we are back to the scenario of being held at gunpoint.

However you look at it, most people will be really screwed if someone gets access to their smartphone, regardless of the brand and what authentication method is used for websites.

The unfortunate reality is many people use the same easy-to-guess passwords that they use across multiple services and so any new system designed to do away with these unsafe passwords (I am hoping that's what will happen in the long run) is a good thing in my books.

it should be possible to create a new Face ID/Touch ID with the device key only.
...yes, which is why the iPhone will ask you to set that up when you first initialize the device and then remind you about it later if you decline. The problem is, if you let users do what they want you'll inevitably end up with some who put 0000 as their passcode because they just can't be bothered. And then they will complain when their phone is stolen and their accounts are compromised.

That's also part of why Apple forces new Apple accounts to use two factor authentication from the start. They are trying to force safety features on the most unwilling users.
 
Thank you for this info.

To put things in a nutshell:
To change Face ID and/or Touch ID you need the access code of the iPhone only, not the biometrics.

(Just got feedback from a friend who confirmed this. He got access to the Touch ID section in the iPad settings with the device code only and added a new fingerprint.)
So an iPhone thief who knows the device code for some reason can change the biometrics and has full access to all websites secured by passkeys.

Like you mentioned, many phone owners use simple codes to access their devices. So if I did not miss something, the complete security concept of passkeys may depend on a short number, in the worst case only four digits long.

I really hope I missed something.
 
Login and password are what you had written down on that piece of paper. The passcode is the 4–6 digit numeric code or alphanumeric code you use to unlock your iPhone.

Having your password and login stolen won’t help the thief get into your phone without the second factor, which requires you approving the login and then entering the 6-digit one-time passcode that is generated on the phone. And to get to the code, you will need Face ID.

But having your passcode stolen is an absolute disaster. That gives the thief full access to your iPhone. The thief can change Face ID, access the keychain, emails, etc. Basically everything. So securing that passcode is a top priority.
 
Thank you for the clarification.

To be honest, I do not understand why passkeys for mobile phones are seen as a major security improvement.
Losing an iPhone which can be accessed with a short number will turn into a nightmare if you use passkeys for many relevant websites. Banks, web shops, insurances, you name it.

On the other side: Will you use a complicated (but safe) access code with many alphanumeric digits to access your phone?

Talking about a Mac or an iPad is different as long as the devices are used at home, but passkeys for a mobile phone make no sense to me.

@chabig: In the first place yes, Face ID or Touch ID, but after that you can use just the device code.
 
Once a thief has access to your passcode or keychain, it doesn’t matter if the site is secured with a passkey or a password. The thief has your logins, passwords and passkeys and can use them at will.

Passkeys or hardware FIDO security keys are a different type of second factor that is frequently used instead of a one-time passcode or an SMS code via text. SMS is highly insecure. A one-time code is easily defeated with man-in-the-middle attacks. A FIDO security key verifies the origin, and only you have the private key to decipher the challenge presented to you by the server. A man in the middle or a phishing website cannot overcome this. So FIDO keys are very secure.

Passkeys are basically a software version of physical security keys. The only downside to passkeys is that they can be duplicated via AirDrop or copied via keychain. The physical keys are unique and can never be duplicated. With that aside, passkeys are way more secure than anything else out there.

Apple’s version of the passkey allows you to bypass passwords entirely by using the private key that is unique only to you and your devices. And it is still two factors, because to activate the passkey you need to authenticate with Face ID.
 
Losing an iPhone which can be accessed with a short number will turn into a nightmare if you use passkeys for many relevant websites. Banks, web shops, insurances, you name it.
Try it. Give your phone and passcode to a family member you trust. Challenge them to log into a passkey-protected website. I think you will find they cannot do it without biometric authentication.
@chabig: In the first place yes, Face ID or Touch ID, but after that you can use just the device code.
As stated above, you will be challenged for biometric authentication. See...

 
Understood, thank you.
I guess I will 1. not store passwords on my iPhone and 2. not use passkeys on my iPhone.
A piece of paper in a locked desk seems to be safer (apart from phishing threats), but independent of the way someone protects access data to relevant websites on his phone, it all depends on a device access code, which may be four digits only.
 
“Try it. Give your phone and passcode to a family member you trust. Challenge them to log into a passkey-protected website. I think you will find they cannot do it without biometric authentication.”

Unfortunately, that is not true. Once you fail Face ID a few times, it will prompt you for the passcode. So the passcode is like the master key. Protect it with your life.
 
Understood, thank you.
I guess I will 1. not store passwords on my iPhone and 2. not use passkeys on my iPhone.
A piece of paper in a locked desk seems to be safer (apart from phishing threats), but independent of the way someone protects access data to relevant websites on his phone, it all depends on a device access code, which may be four digits only.
Or you could alternatively...not use a simple 4-digit passcode.
 
To chabig:

Thank you for your answer.
The scenario was: I lose my iPhone and my money box with a piece of paper containing the device access code.
The finder logs into the iPhone and adds his biometrics. He can do so because access to the biometric settings is granted by the device access code only. After adding his biometrics (his face, his fingerprints), he has full access to all of my passkey-secured websites.

Any error in this process?

Sure, I will not use an only-four-digit number as iPhone access code, but I am afraid many iPhone owners use simple codes. This means, as mentioned, that the complete passkey security concept depends on a - in the worst case - four-digit number.
 
Understood, thank you.
I guess I will 1. not store passwords on my iPhone and 2. not use passkeys on my iPhone.
A piece of paper in a locked desk seems to be safer (apart from phishing threats), but independent of the way someone protects access data to relevant websites on his phone, it all depends on a device access code, which may be four digits only.
A password on paper is a horrible idea. Don’t get too paranoid. Apple’s security is pretty good and way safer than paper and pen. If a website allows for passkeys, you take it. A passkey doesn’t use a password, so it can’t get stolen or hacked. Only you, with your physical device, can access that site. Without your phone in your possession, you will not be able to use the passkey.
 
To Kmart9419:

“Just because I'm paranoid doesn't mean someone isn't after me” 😀

Sure, paper and pen is not the best idea. But the risk that someone gets access to sensitive data and websites just by finding out a short number is nothing I would call secure. You are right, Apple offers many ways to secure personal data, in this scenario e.g. the lost phone option, but using passkeys on an iPhone makes the device a single point of risk with kind of easy access.
 
To chabig:

Thank you for your answer.
The scenario was: I lose my iPhone and my money box with a piece of paper containing the device access code.
The finder logs into the iPhone and adds his biometrics. He can do so because access to the biometric settings is granted by the device access code only. After adding his biometrics (his face, his fingerprints), he has full access to all of my passkey-secured websites.

Any error in this process?

Sure, I will not use an only-four-digit number as iPhone access code, but I am afraid many iPhone owners use simple codes. This means, as mentioned, that the complete passkey security concept depends on a - in the worst case - four-digit number.
You are right about multiple Face ID failures leading to a passcode request. Protect your passcode.
 
I guess I will 1. not store passwords on my iPhone and 2. not use passkeys on my iPhone.
A piece of paper in a locked desk seems to be safer
Passkeys are not meant for the purpose you think they are for.

First of all, many people do store passwords on their phone, and even if they don't, they will at least have their e-mail account connected to the Mail app. This way a third party with access to your phone does not need to know any passwords, since they can just request a password reset and use Mail to access the password reset link.

Of course a piece of paper with your passwords written down and locked away at home is safer in the scenario you gave us, but then not only do you need to write down over a dozen passwords (each service you use should have a different password in case one service is compromised), you will also (1) never be able to log in to your services when you aren't at your desk and (2) you cannot use your phone with any account, not even e-mail.

And if you do need to access something on the go, you would just end up taking that "locked away" paper with you.

Passkeys are meant to provide a secure way of logging in that can't be forged/extracted/copied/misused. That security is applied to the electronic transmission of credentials from your device to the service. The secret part of the passkey always stays on your device and never leaves it. This is in stark contrast to passwords, where your password is sent (encrypted, but nevertheless it is sent!) to the service. Furthermore, the passkey cannot be extracted from the device in any way, or forgotten, whereas passwords can be written down in many places or forgotten.

But even if you assume someone has BOTH your iPhone and your lock code for it, you can still remotely lock and even wipe your iPhone.

Again, the only realistic scenario I can see is that you get robbed and held at gunpoint.

How would anyone get access to your iPhone if you lost it, otherwise? How do you think they will figure out the code? There is no need to write it down, a simple four digit pin code is plenty and even if you used your birth year for it and the thief figures it out after a while, you still have time to lock the phone from iCloud.

Your scenario would be like handing someone your house keys and then being upset they went into the house, took the car keys off the shelf and drove off in your car. That car must use a very unsafe key! Let's remove the air from all the tires and now nobody can use it conveniently, it's perfectly safe now.

You are right about multiple Face ID failures leading to a passcode request. Protect your passcode.
Although perhaps Apple has implemented that in a way that if you can never authenticate with the stored FaceID again and go to the settings to remove FaceID and add a new one, it might wipe all the passkeys. I don't use passkeys yet so I don't know whether that is the case, but it seems that if Apple required biometrics for passkeys in the first place, then they might have thought of this as well.
 
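The two explanations above (the FIDO post: the server sends a challenge, the key verifies the origin, only the holder of the private key can answer; and the later post: the secret part of the passkey never leaves the device) describe one mechanism. The following Go program is an added illustration written for this thread, not code from Apple or from any poster. It models the device as an `Authenticator` that holds a P-256 private key and will only sign after a user-verification step, and the website as a `RelyingParty` that stores the public key, issues one-time challenges, and rejects an assertion whose signed origin is not its own. The origins `https://shop.example` and `https://shop-example.evil` and the user name `alice` are constructed placeholders; the type and function names are mine, not Apple's or the WebAuthn API's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is what the browser assembles for every login: the server's
// one-time challenge plus the origin the page was really loaded from.
// Neither the user nor a phishing page can alter the origin field.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator models the device side (hypothetical stand-in for the phone's
// secure key store). The private key never leaves this struct; the only
// operation it offers is signing, gated on a user-verification step that
// stands in for Face ID / Touch ID / passcode.
type Authenticator struct {
	priv     *ecdsa.PrivateKey
	verified bool
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// PublicKey is all the relying party ever receives at registration.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// VerifyUser stands in for the biometric or passcode prompt before each use.
func (a *Authenticator) VerifyUser() { a.verified = true }

// Sign returns the clientData bytes and an ECDSA signature over their SHA-256
// hash. Each user verification is good for exactly one assertion.
func (a *Authenticator) Sign(challenge, origin string) (cd, sig []byte, err error) {
	if !a.verified {
		return nil, nil, errors.New("user verification required before signing")
	}
	a.verified = false
	cd, err = json.Marshal(clientData{Challenge: challenge, Origin: origin})
	if err != nil {
		return nil, nil, err
	}
	h := sha256.Sum256(cd)
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, h[:])
	return cd, sig, err
}

// RelyingParty models the website: it stores only public keys and the
// challenge currently outstanding for each user.
type RelyingParty struct {
	Origin  string
	pubKeys map[string]*ecdsa.PublicKey
	pending map[string]string
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string]string{}}
}

func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) { rp.pubKeys[user] = pub }

// Challenge issues a fresh 32-byte random nonce, valid for one assertion.
func (rp *RelyingParty) Challenge(user string) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	ch := hex.EncodeToString(buf)
	rp.pending[user] = ch
	return ch, nil
}

// VerifyAssertion checks origin, challenge freshness and the signature.
// A replayed assertion fails because its challenge has been consumed; an
// assertion signed on a phishing page fails the origin check.
func (rp *RelyingParty) VerifyAssertion(user string, cd, sig []byte) error {
	var parsed clientData
	if err := json.Unmarshal(cd, &parsed); err != nil {
		return err
	}
	if parsed.Origin != rp.Origin {
		return fmt.Errorf("origin mismatch: assertion was made for %q", parsed.Origin)
	}
	if expected, ok := rp.pending[user]; !ok || parsed.Challenge != expected {
		return errors.New("unknown or already-used challenge")
	}
	delete(rp.pending, user)
	pub, ok := rp.pubKeys[user]
	if !ok {
		return errors.New("no passkey registered for user")
	}
	h := sha256.Sum256(cd)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	auth, _ := NewAuthenticator()
	rp := NewRelyingParty("https://shop.example") // constructed origin
	rp.Register("alice", auth.PublicKey())

	ch, _ := rp.Challenge("alice")
	auth.VerifyUser()
	cd, sig, _ := auth.Sign(ch, rp.Origin)
	fmt.Println("genuine login:", rp.VerifyAssertion("alice", cd, sig))

	ch, _ = rp.Challenge("alice")
	auth.VerifyUser()
	cd, sig, _ = auth.Sign(ch, "https://shop-example.evil") // constructed phishing origin
	fmt.Println("phished login:", rp.VerifyAssertion("alice", cd, sig))
}
```

The model makes the thread's two points visible in code: the relying party never holds anything that could be used to log in (only a public key), and a relayed challenge signed on the wrong origin is rejected even though the private key and the user's verification were genuine. It also shows what the model does not protect against, which is the scenario the original poster describes: `VerifyUser` is a boolean set by whoever controls the device, so the strength of that gate on a real phone is exactly the strength of the passcode and biometric policy in front of it.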
Thank you for your comprehensive statement.

I agree that access to the mail account by an unwanted third party is a risk as well, even if the third party needs the account name of any website in addition to the website's password.

Passkeys as a substitute for passwords are a good way to avoid phishing of passwords; I had and have no doubt about it.

Anyway, the four- or six-digit code for device access as the key to the biometrics is - at least in my eyes - a main risk. This means: mainly not the key itself but the handling of the key by the users.

So I hope you are right that Apple has implemented further protection steps, but as long as this is not clear, I will not use passkeys.
 
Biometrics are mostly a convenience feature, it's the only way to safely unlock the device without entering a code. You draw the wrong conclusion that because biometrics can't be faked they must be better than a four digit pin code. I'd argue that they're actually worse. For example, passwords are protected by the 5th amendment in the States whereas biometrics are not.

That whole idea that biometrics are supposed to be safer than a four digit pin code isn't quite right. As long as your pin code isn't 19xx or something else that's simple, there are 10k possible combinations, and the chances of a thief going through more than just a couple dozen and finding the right one before you manage to lock the phone remotely are, in my opinion, precisely zero.

The iPhone will rate-limit how many passcodes you can try per hour; even if the thief had 10 years to crack the code he couldn't.

Think of other things secured just with such a pin, my credit cards only have four digit pins yet no thief will go out to purchase something and then start trying out random combinations at the payment terminal.

This whole topic really has nothing to do with passkeys. I consider iPhones to be about the safest mobile devices for storing sensitive information on - conditions apply (if your life depends on it obviously do more research and don't take my word for it).
 
No, my life does not depend on it. The whole thread is not about me.
I wish you a nice and relaxing Sunday.
 
Sure, you can poke holes in any security feature. There isn't a single one out there that doesn't have pros AND cons. It's all about mitigating risk and making things as tough as possible for them to be broken into. You don't have to use any security if you don't want. You can also use a passcode that is fairly complex and not write it down so it makes things much tougher than a 4 character/digit code.

Just because you can find a scenario that fits a narrative, doesn't mean that a feature isn't good or improving on what is out there. This is also very much for people not being able to get access to things when they DON'T have your physical device. Logging into accounts online with my biometric passkey will keep you out of my account.

Just my opinion.
 