@chazh : I never said "passkeys are bull shit" (see https://todon.nl/@ErikvanStraten/115656347170869180).

🚨 Android, unfixed: https://seclists.org/fulldisclosure/2024/Feb/15

🚨 iOS/iPadOS (including 26.x): either
• if no fingerprint is configured
OR
• a fingerprint is configured but, under "Settings" ➡️ "Touch ID & Passcode": "Password Autofill" is off

then a thief of my iDevice can log on to https://account.apple.com and https://icloud.com using my Apple passkey *without* scanning ANY finger or entering ANY screen unlock code.

Apple: "This is expected behavior".

@cendyne @soatok

#Passkeys #AccountLockout #AuthenticationVulnerabilities