@soatok: this is *NOT* what makes passkeys resistant to most phishing attacks.
Don't get fooled by the snake oil regarding asymmetric cryptography.
What makes passkeys strong:
1️⃣ The *main* domain name must match
2️⃣ https is mandatory
3️⃣ The length and randomness of the pubkey in most cases exceeds what is permitted for a password
4️⃣ The pubkey is unique per account
What makes passkeys weak:
1️⃣ They do not prevent session cookie (1FA) theft
2️⃣ Android and iOS/iPadOS passkeys are extremely hard to back up outside of their ecosystems (vendor lock-in)
3️⃣ An attacker with access to your account may ADD their own passkey (its pubkey) or REPLACE yours
4️⃣ Implementation bugs: Android passkeys easily lost and iOS/iPadOS passkeys may be used without local authentication
5️⃣ Misinformation by people who THINK that they understand how passkeys, WebAuthn and FIDO2 work
6️⃣ (edited to add 15:40 UTC): weak https website certificates (passkeys could mitigate this risk by including the https cert or a reliable hash of it, provided that the RP checks it. Unfortunately this will break "legitimate" TLS MitMs).
#Passkeys #MisInformation #AccountLockout
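The relying-party-side checks behind points 1 and 2 of the post (the origin must be https and its host must match the RP ID, which the authenticator also binds into every assertion as the rpIdHash prefix of authenticatorData), as an added Python example that is not from the original post. RP_ID, the challenge and the authenticator data bytes are constructed sample values; the origin rule implemented is "host equals the RP ID or is a subdomain of it".

```python
import base64
import hashlib
import json
from urllib.parse import urlparse

RP_ID = "example.com"  # assumed relying party ID (constructed for this example)


def rp_id_hash(rp_id: str) -> bytes:
    # Authenticators bind each credential to SHA-256(rpId) and return that
    # hash as the first 32 bytes of authenticatorData.
    return hashlib.sha256(rp_id.encode("ascii")).digest()


def origin_allowed(origin: str, rp_id: str) -> bool:
    # Point 2: scheme must be https. Point 1: the host must be the RP ID
    # itself or a subdomain of it; "example.com.evil.test" does not qualify.
    u = urlparse(origin)
    if u.scheme != "https" or not u.hostname:
        return False
    host = u.hostname.lower()
    return host == rp_id or host.endswith("." + rp_id)


def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes, rp_id: str = RP_ID) -> bool:
    # Checks a WebAuthn assertion's clientDataJSON and authenticatorData before
    # the RP goes on to verify the signature with the stored public key.
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return False
    raw = client.get("challenge", "")  # base64url, unpadded
    if base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4)) != expected_challenge:
        return False
    if not origin_allowed(client.get("origin", ""), rp_id):
        return False
    # rpIdHash is the first 32 bytes of authenticatorData.
    return len(authenticator_data) >= 32 and authenticator_data[:32] == rp_id_hash(rp_id)


def make_client_data(origin: str, challenge: bytes) -> bytes:
    # Builds the clientDataJSON a browser would produce for a given origin.
    return json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
    }).encode()


CHALLENGE = b"constructed-32-byte-challenge!!!"  # constructed sample challenge
# constructed authenticatorData: rpIdHash + flags (UP|UV) + 4-byte signCount
AUTH_DATA = rp_id_hash(RP_ID) + b"\x05" + b"\x00\x00\x00\x01"
```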