262
Passkeys might really kill passwords
(www.theverge.com)
This is a most excellent place for technology news and articles.
Apple isn't the only one allowing redundancy, most popular password managers allow you to lose all your devices and still have passkeys securely stored in the cloud. And people who don't even know that password managers exists, aren't going to the early adopters of passkeys.
I'd anticipate that most providers will do something similar. I just mentioned Apple because they've been pushing their "cloud backup" hard while still using SMS as a fallback.
I'd be interested to hear which provider, if any, has managed to get around the usual (vulnerable) channels for recovery.
The document you linked says it requires a combination of your apple account password plus an SMS text sent to a pre-registered phone number? Seems like a pretty good setup for most people. Also has the alternative of recovery contacts and recovery keys.
It looks like turning on advanced protection would eliminate the SMS method but I am not 100% sure. Then you would need recovery keys or recovery contact.
https://support.apple.com/en-us/102651
My biggest worry in these cases is not that I get locked out, but rather that Apple mangles my keychain. I have a USB CSV of my passwords in my bank safety deposit box. With passkey I am not sure of how I would get a similar backup.
I get what you're saying, but it's not about getting locked out. It's about other people using recovery methods to take over your account. Why would anyone try to break through durable public-key encryption when you can just phish a victim's email account password?
And it's not like real-time phishing for 2FA/MFA isn't widespread—it's just not automated to the same level as other methods. That said, two- or multi-factor is going to stop 99% of automated hacks. It's the determined ones that I'm concerned about.
In regards to the Apple thing... Apple passwords can be reset using a recovery email. That means the security of the account leaves Apple's ecosystem and relies on the email provider. So, if I'm a cybercriminal determined to hack your account, I start there.
Then, if you've got your keychain all set up, it's time for a SIM swap. I clone your SIM or convince your mobile carrier to give me a SIM with your number. And even if recovery contacts and keys are alternatives, the use of SMS is problematic. If you really can turn it off, then I'm all for it. But if you can't be sure, neither can I.
SMS is a very low-security option that is showing its age. It was never intended to be a secure verification method, yet it's become incredibly popular due to its availability. Unfortuantely, telecom companies are simply not interested in upping their security.
All SIM swap protection is opt-in at this point. Verizon and the gang might wise up considering the lawsuits leveled at them by victims—many of whom lost millions in cryptocurrency due to the carriers' negligence—but it's not likely.
The point here isn't that passkeys are bad for consumers. They're convenient and about as secure as existing methods. The problem is that they're being sold on average folks as a security upgrade even though they're more of a sidegrade. PKI/FIDO already existed before the whole passkeys buzz did, and it had the same limitations. This is mostly just branding and implementation.
If you enable advanced data protection apple cannot recover your account. You need your recovery keys or a designated recovery contact.
The apple doc implies (to me) that a SIM swap only works after you authenticate on an apple device (e.g. using your password) even without advanced data protection. I have never tested that.
You can use the long process (many days) to recover an account assuming you haven’t enabled advanced data protection. I’m okay with that as it is perfect for my grandparents (I had an older relative who got their account back through this method).
I get that you could SIM swap to recover other accounts (not Apple) if they have SMS as a recovery method. That sucks and it really sucks for people who don’t get that an email or SMS recovery can be a giant hole in security.
Gotcha, point taken. Ultimately, I think there needs to be a better identity proofing process overall. But that may rely on a total infrastructure overhaul, which seems unlikely.