👤fortran77🕑3y🔼73🗨️89

(Replying to PARENT post)

> Passkey synchronization provides convenience and redundancy in case of loss of a single device. However, it's also important that passkeys be recoverable even in the event that all associated devices are lost. Passkeys can be recovered through iCloud keychain escrow, which is also protected against brute-force attacks, even by Apple.

> iCloud Keychain escrows a user's keychain data with Apple without allowing Apple to read the passwords and other data it contains. The user's keychain is encrypted using a strong passcode, and the escrow service provides a copy of the keychain only if a strict set of conditions is met.

> To recover a keychain, a user must authenticate with their iCloud account and password and respond to an SMS sent to their registered phone number. After they authenticate and respond, the user must enter their device passcode. iOS, iPadOS, and macOS allow only 10 attempts to authenticate. After several failed attempts, the record is locked and the user must call Apple Support to be granted more attempts. After the tenth failed attempt, the escrow record is destroyed.

> Optionally, a user can set up an account recovery contact to make sure that they always have access to their account, even if they forget their Apple ID password or device passcode.

https://support.apple.com/en-us/HT213305

This just looks like passwords with extra steps and making it harder for customers to leave Apple's ecosystem.

👤Gareth321🕑3y🔼0🗨️0

(Replying to PARENT post)

One thing I never understood about this passkeys thing is: how will the passkeys database be kept in sync between your iPhone, your Windows desktop, your Linux laptop and your Android tablet? I've tried to research the topic a bit but everything I've been able to find has been about exporting and importing between ecosystems, but most people don't use only a single company's products.
👤mort96🕑3y🔼0🗨️0

(Replying to PARENT post)

And I guess when Apple bans my account with no recourse but to shout at Twitter, I'll lose access to all the accounts.

No thanks, I'll stick to passwords associated with my own email.

👤potatototoo99🕑3y🔼0🗨️0

(Replying to PARENT post)

Does anybody understand how passkeys protect against phishing more than OTP codes do? With OTP codes, an attacker can just ask the user to share their code ("please share your 2fa code to authenticate yourself"), surely with passkeys the same attacker could just ask the user to scan the login QR code ("please scan this QR code to authenticate yourself").

Edit: I looked into it a bit more, it seems like it only works if the browser and scanning phone are in bluetooth range. That's definitely pretty good in terms of phishing protection, but a hard dependency on bluetooth would mean this will not work at all on many desktop computers...

👤sunaurus🕑3y🔼0🗨️0
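The phishing question above comes down to what the authenticator actually signs. Under WebAuthn the browser, not the page, writes the origin it is connected to into clientDataJSON, and the credential is scoped to a relying-party ID whose SHA-256 is written into authenticatorData; the signature covers both. A phishing page can relay a QR code or a prompt, but the assertion it obtains names the phisher's origin and RP ID and is rejected by the real site. The following is an added example, not code from the thread or from Apple, showing the relying-party-side checks that enforce this. The RP ID `example.com`, the origin, and the assertions it builds are all constructed for illustration; the final signature check against the stored public key is the one step left to a crypto library so the block stays standard-library only.

```python
"""Relying-party checks that make a WebAuthn/passkey assertion phishing-resistant.
Added example; RP_ID, EXPECTED_ORIGIN and the sample assertions are assumptions."""
import base64
import hashlib
import json
import os
import struct

RP_ID = "example.com"                    # assumed relying-party ID
EXPECTED_ORIGIN = "https://example.com"  # assumed origin the RP serves from

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN / biometric)


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix: rpIdHash(32) || flags(1) || signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rpIdHash": auth_data[:32], "flags": auth_data[32], "signCount": sign_count}


def verify_assertion_binding(assertion: dict, expected_challenge: bytes,
                             last_sign_count: int, require_uv: bool = True) -> bytes:
    """Run every assertion check that does not need the public key.

    Returns the exact bytes the authenticator signed,
    authenticatorData || SHA-256(clientDataJSON), so the caller can finish with a
    signature check against the credential's registered public key.
    Raises ValueError on any binding failure."""
    client_data_json = b64url_decode(assertion["clientDataJSON"])
    auth_data = b64url_decode(assertion["authenticatorData"])
    cd = json.loads(client_data_json)

    if cd.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    # Challenge is single-use and server-chosen; compare raw bytes, not strings.
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge mismatch (replayed or foreign assertion)")
    # Origin is filled in by the browser from the actual connection. A phishing
    # page cannot change it, which is the core anti-phishing property.
    if cd.get("origin") != EXPECTED_ORIGIN:
        raise ValueError(f"origin mismatch: {cd.get('origin')!r}")

    ad = parse_authenticator_data(auth_data)
    if ad["rpIdHash"] != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash mismatch: credential scoped to a different RP")
    if not ad["flags"] & FLAG_UP:
        raise ValueError("user presence not asserted")
    if require_uv and not ad["flags"] & FLAG_UV:
        raise ValueError("user verification required but not performed")
    # Counter must increase when the authenticator keeps one; synced passkeys
    # typically report 0, so 0 is exempt from the monotonicity check.
    if ad["signCount"] != 0 and ad["signCount"] <= last_sign_count:
        raise ValueError("signature counter did not increase: possible cloned authenticator")

    return auth_data + hashlib.sha256(client_data_json).digest()


def make_assertion(origin: str, rp_id: str, challenge: bytes, flags: int, sign_count: int) -> dict:
    """Build what the browser and authenticator would hand back (constructed sample, no signature)."""
    client_data = {"type": "webauthn.get", "challenge": b64url_encode(challenge),
                   "origin": origin, "crossOrigin": False}
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    return {"clientDataJSON": b64url_encode(json.dumps(client_data).encode()),
            "authenticatorData": b64url_encode(auth_data)}


def rejects(assertion: dict, challenge: bytes, last_sign_count: int) -> bool:
    """True if verify_assertion_binding refuses the assertion."""
    try:
        verify_assertion_binding(assertion, challenge, last_sign_count)
        return False
    except ValueError:
        return True


def demo() -> dict:
    challenge = os.urandom(32)
    legit = make_assertion(EXPECTED_ORIGIN, RP_ID, challenge, FLAG_UP | FLAG_UV, 0)
    # The phisher relays the real challenge, the victim approves the prompt, but the
    # browser records the phisher's origin and the phisher's own RP ID.
    phish = make_assertion("https://example.com.login-help.net", "example.com.login-help.net",
                           challenge, FLAG_UP | FLAG_UV, 0)
    return {"legit": not rejects(legit, challenge, 0), "phish_rejected": rejects(phish, challenge, 0)}
```

Note that nothing here depends on the transport: the origin and rpIdHash checks reject a relayed assertion whether the credential lives on a phone reached over the QR/Bluetooth flow or in the browser's own platform authenticator. The Bluetooth proximity requirement in the cross-device flow is a second, independent defence against a remote attacker driving the QR code.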

(Replying to PARENT post)

Which websites support passwordless authentication (FIDO2 WebAuthn)?

Microsoft and eBay, AFAIK. The rest may use U2F as a second factor not the only one.

Also, for recovery you need multiple phones, and you need the websites to support that. It will probably take a while for websites to support this, and even then people are not going to buy and register several phones.

👤aborsy🕑3y🔼0🗨️0

(Replying to PARENT post)

I feel we're powerless to stop this, since it's an extremely easy sell to normal users. The average iPhone user wouldn't think once, let alone twice, about clicking OK on that shiny new doodad-app, and that's all the critical mass they need.

Even if they _were_ to think twice, what are the feasible alternatives? A password manager where you generate passwords for each account? Sure, I do that, you probably do that, but good luck getting your grandma to do that.

This is all super-bad because once it becomes unavoidable, Apple controls _your_ access to everything digital. Apple. Let that sink in. This is the company that backed down on encryption when the FBI asked them to. The company that has stronger device lock-in than any you could imagine.

Am I freaking out unnecessarily? Is my reasoning flawed? Genuine question!

👤ghusto🕑3y🔼0🗨️0

(Replying to PARENT post)

Passkeys are designed to take away further control from you and that is why BigTech are promoting it. Do you really want to tie your digital life to a device?
👤webmobdev🕑3y🔼0🗨️0

(Replying to PARENT post)

We went from having one password used on almost all sites to having unique random passwords for each site saved in a password manager. But of course those are all accessible then via a single, traditional memorable easy-to-type 'single' password. Yes, it requires access to one's devices and helps avoid phishing and all the other benefits, but just interesting. With passkeys, assuming one still uses a password manager to manage the keys (since otherwise if your devices were lost or stolen you'd be screwed), then all your passkeys are still behind a regular memorable easy-to-type password and a computer password that is also by nature a memorable password, etc. There are again still lots of benefits for the new method and it helps avoid the most common issues for people currently, so none of this is bad, but more good to realize you still have a password in general, just one to manage them all.
👤heavymark🕑3y🔼0🗨️0

(Replying to PARENT post)

Oh, cool, Apple developed a new technology it calls "passkeys". I wonder how they work.

> Under the hood, Apple's passkeys are based on the Web Authentication API (WebAuthn), which was developed by the FIDO Alliance and World Wide Web Consortium (W3C).

Okay, so Apple didn't develop it.

It's good to see Apple getting on board with web standards like WebAuthn considering how much they are dragging their heels on web standards on iOS but I just wish we could stop reporting on them without framing everything they do as groundbreaking innovation just because a man in a turtleneck sweater would have said so.

Alternative headline:

Apple brings WebAuthn support to iOS 16 and macOS Ventura

👤hnbad🕑3y🔼0🗨️0

(Replying to PARENT post)

So it's a public-private keypair.

And Apple syncs your private keys between your devices via iCloud?

Or for each account creates a new key pair for each device... based on your iCloud ID?

👤catoc🕑3y🔼0🗨️0

(Replying to PARENT post)

Honest question since I'm not in the loop: what is the problem with passwords that passkeys are trying to solve?
👤kleiba🕑3y🔼0🗨️0

(Replying to PARENT post)

I'm opting out of these types of schemes. I like passwords.
👤midislack🕑3y🔼0🗨️0

(Replying to PARENT post)

Does this passwordless future still involve getting a cookie in your browser that can be stolen and used from an attacker's machine? If so, we still have a problem to fix.
👤eyeareque🕑3y🔼0🗨️0

(Replying to PARENT post)

> Passkeys work in Apple's Safari web browser as well as on its devices.

I sure wish Apple would be a little bit better of a citizen when it comes to interoperability. Safari-only features (which is what I'm assuming this will be, based on Apple's history and the quote) are upsetting. uBlock is the single most important piece of software on my computer and my devotion to it exceeds any and all possible other features.

I would very much like to stop moving from password manager to password manager after they take VC money to corrupt their trust model so they can make money.

From the article:

> Because Apple developed its passkeys based on the FIDO Alliance standards, the passkeys can work across devices and on the web. If you try to log in to one of your accounts on a Windows machine, you'll have to use a slightly different method since your passkeys won't be stored on that machine. (If they are saved in an external password manager, you would need to log in to that first).

> Instead, when you log in to a website in Google Chrome, for example, you will have to use a QR code and your iPhone to help you sign in. The QR code contains a URL that includes single-use encryption keys. Once scanned, your phone and the computer are able to communicate using an end-to-end encrypted network via Bluetooth and share information.

I suppose that's not the worst workaround, and the local exchange is pretty clever, but it sure would be nice if this would work with Firefox out of the box.

👤hayst4ck🕑3y🔼0🗨️0

(Replying to PARENT post)

Technically they are not.

iCloud still requires a mail/password combination to access stored data.

👤sexy_panda🕑3y🔼0🗨️0