So I have just tried changing my Google account password, and this can be done with nothing more than the iPhone passcode once you have a passkey setup.

This basically means that your device passcode will become the key to many more kingdoms than just your iCloud account.

It's going to be more important than ever to protect your device passcode from prying eyes.
If you have your Google passkey or password stored in your device keychain, and someone has your device and knows your passcode, then they would be able to access your account.

This is possible whether it’s a password or passkey.
 
So I have just tried changing my Google account password, and this can be done with nothing more than the iPhone passcode once you have a passkey setup.

This basically means that your device passcode will become the key to many more kingdoms than just your iCloud account.

It's going to be more important than ever to protect your device passcode from prying eyes.
I assume you mean you first had to successfully sign into your Google account using the passkey before it let you change the password?
 
What if your iPhone is lost or stolen? How do you recover all that?
Passkeys are backed up to iCloud and sync to all your Apple devices. They’re encrypted so they can’t be accessed by Apple.

If you only have one Apple device, and it’s lost or stolen, then you would need to use your recovery key or recovery contacts to sign in to your Apple account on a new device.
 
If you have your Google passkey or password stored in your device keychain, and someone has your device and knows your passcode, then they would be able to access your account.

This is possible whether it’s a password or passkey.

The danger of using iCloud to store your passwords and passkeys due to Apple's security design flaw they refuse to fix. Best to use a 3rd party password manager.
 
The danger of using iCloud to store your passwords and passkeys due to Apple's security design flaw they refuse to fix. Best to use a 3rd party password manager.
Third-party password managers will soon be unlocked with passkeys stored in iCloud Keychain.

If someone has access to a trusted Apple device, they would usually be able to gain access to almost all your other accounts by requesting a password reset, as they would be able to receive emails and text messages.
 
If you had your Google password stored in iCloud Keychain, then only a passcode would be required.
Yes that's also true. But it's definitely true with a passkey, as by definition the device has to have that stored for it to be a trusted device.
 
Third-party password managers will soon be unlocked with passkeys stored in iCloud Keychain.

If someone has access to a trusted Apple device, they would usually be able to gain access to almost all your other accounts by requesting a password reset, as they would be able to receive emails and text messages.

I definitely won't be turning on the Keychain passkey option to unlock my 3rd party password manager. Nor will I use Keychain to store any passkeys. Apple really needs to fix their iCloud Keychain/Apple ID security design. The iCloud Keychain and Apple ID needs to be protected by more than just having the device and the passcode.

As far as other accounts that can be reset by email and text, that's unfortunately very true. But it appears most of my financial websites require you to enter a DOB and/or last 4 of your SS# to reset.
 
What if your iPhone is lost or stolen? How do you recover all that?
[image attachment: 1683137540097.jpeg]


Like most other services, there are many ways to have backups. Above pic from https://myaccount.google.com/
 
Correct, but with a passkey that only requires the device passcode.
I just tried it and see that you can still use the passkey after X failed attempts using Touch ID or Face ID. I'm shocked that Apple still hasn't addressed this gap with its brand new implementation of passkey touting it as a more secure authentication method. It seems that passkeys are more secure, it's just that Apple's implementation is just as flawed as passwords. What's the point of passkeys on an Apple device if you can simply access them with a password/passcode? I hope Bitwarden implements passkeys soon.
 
I just tried it and see that you can still use the passkey after X failed attempts using Touch ID or Face ID. I'm shocked that Apple still hasn't addressed this gap with its brand new implementation of passkey touting it as a more secure authentication method. It seems that passkeys are more secure, it's just that Apple's implementation is just as flawed as passwords. What's the point of passkeys on an Apple device if you can simply access them with a password/passcode? I hope Bitwarden implements passkeys soon.
Passkeys are designed to be used with the device's existing security (Face ID, Touch ID, passcode). It is an industry standard designed to replace passwords/2FA. It's not a failure to only need your device passcode to be able to administer the account, change password etc. It's how it is designed to work.

If you set up Bitwarden so that you can log in using a passkey, that means Bitwarden will be accessible by Face ID, Touch ID or device passcode (replacing your existing password/2FA login).
 
What happens with my iCloud stored passkeys if I decided to switch to Android at some point? Meaning how could I log in to sites that the Android device didn’t have stored.
 
What happens with my iCloud stored passkeys if I decided to switch to Android at some point?
I believe you’d have to set up the new Android device as a passkey first. You can delete passkeys from within account settings for the account.
 
Passkeys are designed to be used with the device's existing security (Face ID, Touch ID, passcode). It is an industry standard designed to replace passwords/2FA. It's not a failure to only need your device passcode to be able to administer the account, change password etc. It's how it is designed to work.
I don't know if it would violate the industry standard to restrict access to only biometric methods when using passkeys. I hope the standard is flexible enough to allow some level of customization. The whole concept of passkeys to me sounds very similar to ssh keys but I am still reading up.

If you set up Bitwarden so that you can log in using a passkey, that means Bitwarden will be accessible by Face ID, Touch ID or device passcode (replacing your existing password/2FA login).
I already restrict Bitwarden to require only biometric authentication when I need to use one of the passwords stored in its vault. What I'd like to do is to store passkeys in its vault in addition to passwords. I believe that may be coming.
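The two exchanges above (passkeys unlocking with "the device's existing security", and the question of whether a site could insist on biometrics only) come down to what the relying party actually receives. Below is an added worked example, not code from the thread, from Apple or from Bitwarden, that models one passkey assertion in Go: a device-side authenticator holding a P-256 private key, and a relying party that verifies the signed challenge. It shows why the passkey behaves like an SSH key (a signature over a server challenge, not a shared secret) and why a site cannot distinguish a passcode unlock from a Face ID unlock: the authenticator data carries one "user verified" bit either way. The relying-party ID `accounts.example.com`, the `UnlockMethod` type, the hex challenge encoding and the simplified clientData are assumptions for the example; a real WebAuthn flow uses base64url, attestation on registration and a CBOR-encoded credential public key, none of which are modelled here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Authenticator-data flag bits as defined by WebAuthn.
const (
	flagUP byte = 1 << 0 // user present
	flagUV byte = 1 << 2 // user verified: set for passcode, PIN or biometric alike
)

// UnlockMethod is a hypothetical, constructed way to model how the device was unlocked.
type UnlockMethod int

const (
	UnlockFaceID UnlockMethod = iota
	UnlockPasscode
)

// Authenticator models the device side of a passkey: a private key that only signs
// after a local unlock, plus a signature counter.
type Authenticator struct {
	priv      *ecdsa.PrivateKey
	signCount uint32
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Assertion is what the authenticator returns to the relying party.
type Assertion struct {
	AuthData, ClientDataJSON, Signature []byte
}

// GetAssertion signs the server challenge. Face ID or passcode, the authenticator
// emits the same UV bit; the relying party never learns which one unlocked the key.
func (a *Authenticator) GetAssertion(rpID string, challenge []byte, how UnlockMethod) (*Assertion, error) {
	_ = how // both unlock methods satisfy "user verification"
	a.signCount++
	rpHash := sha256.Sum256([]byte(rpID))
	counter := make([]byte, 4)
	binary.BigEndian.PutUint32(counter, a.signCount)
	authData := append(append(append([]byte{}, rpHash[:]...), flagUP|flagUV), counter...)

	clientData, err := json.Marshal(map[string]string{
		"type": "webauthn.get", "challenge": fmt.Sprintf("%x", challenge), "origin": "https://" + rpID,
	})
	if err != nil {
		return nil, err
	}
	cdHash := sha256.Sum256(clientData)
	toSign := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, toSign[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: authData, ClientDataJSON: clientData, Signature: sig}, nil
}

// RelyingParty holds the public key and last-seen counter for one registered passkey.
type RelyingParty struct {
	rpID      string
	pub       *ecdsa.PublicKey
	lastCount uint32
}

func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify performs the checks a relying party must do before accepting the assertion.
func (rp *RelyingParty) Verify(challenge []byte, as *Assertion) error {
	if len(as.AuthData) < 37 {
		return errors.New("authenticator data too short")
	}
	rpHash := sha256.Sum256([]byte(rp.rpID))
	if !bytes.Equal(as.AuthData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch: assertion was made for another site")
	}
	if as.AuthData[32]&flagUV == 0 {
		return errors.New("user verification flag not set")
	}
	// Synced passkeys commonly report a counter of 0, in which case the check is skipped.
	count := binary.BigEndian.Uint32(as.AuthData[33:37])
	if count != 0 && count <= rp.lastCount {
		return errors.New("signature counter did not increase: replay or cloned credential")
	}
	var cd struct {
		Type      string `json:"type"`
		Challenge string `json:"challenge"`
		Origin    string `json:"origin"`
	}
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != fmt.Sprintf("%x", challenge) {
		return errors.New("challenge mismatch: replayed or forged assertion")
	}
	if cd.Origin != "https://"+rp.rpID {
		return errors.New("origin mismatch")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	signed := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(rp.pub, signed[:], as.Signature) {
		return errors.New("bad signature")
	}
	rp.lastCount = count
	return nil
}

// Demo runs one login with the given unlock method, then replays the same assertion
// against a fresh challenge. Returns (first accepted, replay accepted, error).
func Demo(how UnlockMethod) (accepted, replayAccepted bool, err error) {
	auth, err := NewAuthenticator()
	if err != nil {
		return false, false, err
	}
	rp := &RelyingParty{rpID: "accounts.example.com", pub: auth.PublicKey()} // assumed RP ID
	c1, err := rp.NewChallenge()
	if err != nil {
		return false, false, err
	}
	as, err := auth.GetAssertion(rp.rpID, c1, how)
	if err != nil {
		return false, false, err
	}
	accepted = rp.Verify(c1, as) == nil
	c2, err := rp.NewChallenge()
	if err != nil {
		return false, false, err
	}
	replayAccepted = rp.Verify(c2, as) == nil // stale challenge and stale counter
	return accepted, replayAccepted, nil
}

func main() {
	for name, how := range map[string]UnlockMethod{"Face ID": UnlockFaceID, "passcode": UnlockPasscode} {
		ok, replay, err := Demo(how)
		fmt.Printf("unlock=%-8s accepted=%v replayAccepted=%v err=%v\n", name, ok, replay, err)
	}
}
```

Both runs print `accepted=true replayAccepted=false`. The relying party's acceptance logic is identical for the two unlock methods because the assertion is identical; restricting a passkey to biometrics only is therefore a device-policy question, not something the server can express or enforce through the protocol.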
 
Believe I understand the basics, but confused about something I'm encountering. Got myself set up on my Mac for passkey, where in my account it notes the passkey as "Chrome on Mac." However when I open up a new browser or incognito on that same machine and try to login, it just asks for my typical password.

If I create the passkey with my phone being the authentication device, it creates a passkey called "icloud keychain" and now when I try a new browser window it prompts to login with passkey. Confused why the passkey on Mac can't be used for logins on that same machine.

EDIT: NM, think I may understand it. Passkey is being saved in Chrome. So makes sense why if I try to login with Safari it doesn't work. And in incognito, believe it just prevents access to keychains of sorts.
 
Doesn't seem to work for me, created the Passkey, can see it in the Google account and in the Apple Keychain but when you sign in to Google you just get the usual username/password box. On my iPad after signing in I'm asked to setup a Passkey, if I say yes it says one's already created!
 
That is true. I currently use Bitwarden as my password manager, so I need to look into its passkey support. I know it supports it already but I've never used it.
Bitwarden is supposed to be adding support later this year for passkeys.
 
Passkeys are backed up to iCloud and sync to all your Apple devices. They’re encrypted so they can’t be accessed by Apple.

If you only have one Apple device, and it’s lost or stolen, then you would need to use your recovery key or recovery contacts to sign in to your Apple account on a new device.
So you still need to know your Apple iCloud password.
 
Apple continues to lead the world in terms of unparalleled innovation and product elasticity. I'm happy to see Google leaning in to take advantage of these core technologies to help protect customer data from evildoers.
 
The iCloud Keychain and Apple ID needs to be protected by more than just having the device and the passcode.
The Apple ID yes, I agree. But the keychain? That would kind of kill the convenience of having it if you have to enter a password (or whatever) each time you use it.

I don't know if it would violate the industry standard to restrict access to only biometric methods when using passkeys.
No parts of iOS can work only with biometrics, because what they do is wrap other key material while the device is on, subject to various purge policies (such as with too many failed attempts, in some cases). In order to work again after that, the key material (such as the device passcode) needs to be entered.
 
The Apple ID yes, I agree. But the keychain? That would kind of kill the convenience of having it if you have to enter a password (or whatever) each time you use it.

The keychain should only be accessible by your biometrics, Apple ID password, or some user defined password. The Keychain should not be accessible by just the phone's passcode. Even the iPhone Notes app has better protection. The user can protect the Notes app with a user defined password. The Notes app is better protected than the Keychain.
 