@jpsachse : or when your account gets pwned and the attacker does a better job proving that they are you than you - after all, *they* have access to your account - while you do not.

ANDROID PASSKEY BLACK HOLE
*Or* when you press a button "Clear data" (at the bottom of https://chrome.google.com/sync) which is accompanied by the text:

« This will clear your Chrome data that has been saved in your Google Account. This might clear some data from your devices. »

For you to subsequently find out that ALL OF YOUR PASSKEYS on (all of) your Android device(s) are IRRETRIEVABLE GONE (I reported this to Google in June 2023 and published it 6 months later in
https://seclists.org/fulldisclosure/2024/Feb/15). It's still unfixed.

WHY NO EXPORT AND NO BACKUP
W.r.t. being able to export and/or backup all private keys belonging to all of your passkeys: that's a big dilemma (depending on your POV).

The main (advertised, not taking into account a possibly desired vendor lock-in) reason is simple: if *you* have direct access to such private keys, *malware* running on your device does too.

The compromise is that they are automatically synced to your cloud account, and from there to other devices (of the same brand, provided they run an OS version that's not too old), including a new device if you brick or lose your old device.

However, if there's serious malware on your device, then, even if the malware authors cannot steal all of your passkeys (that is, their private keys), then you're toast anyway; a RAT such as AnyDesk may fool you into believing that you're logging in to website A while in fact it's B and they steal it's session cookie - and pwn the webaccount.

SYNCING PRIVATE KEYS
BTW it's hardly being discussed, but being able to synchronize secrets between secure hardware enclaves in such a way that *you* are denied access, is quite an achievement (considering that, if you buy a new phone, the only available secrets to the transport system are your definitely weak passcode, and your, potentially weak, cloud password that may be used to encrypt the private keys in transit).

I *know* that it's complicated because I accidentally found out around June 2023 that Android can get confused: passkeys *seem* to sync just fine, but passkeys created on phone 1 do not work on phone 2 and vice versa. Somehow the phones had started using *different* encryption keys used to securily synchronize them (I also mentioned that issue in my reports to Google in the summer of 2023, and I mention it in the FD (seclists.org) message).

I don't know how Apple syncs secrets in iCloud keychain, and neither whether a situation may exist where passkey's private keys sync but are unusable (like may happen when using Android).

APPLE'S OWN PASSKEY MISERY
However, Apple has got their own bunch of problems with passkeys being usable *without* requiring biometrics or a passcode to unlock them from iCloud Keychain, see https://infosec.exchange/@ErikvanStraten/113050312014160350 and follow-up (it gets worse every time I look at it) https://infosec.exchange/@ErikvanStraten/113053761440539290 (more details in earlier toots in that thread).

In short: if you don't use biometrics to unlock your iPhone or iPad (OR you do, but you have -unlikely- disabled a specific configuration setting), then anyone with access to your iDevice in an unlocked condition (*), can sign in to:
https://appleid.apple.com
and/or
https://icloud.com
WITHOUT entering your passcode (or using biometrics).

(*) your child, spouse, someone you don't know (well) who borrows your phone to make a call (because their's battery is dead), NOTABLY including a thief who stole it while you were using it (or saw you type your passcode and can unlock it by themselves: https://youtu.be/QUYODQB_2wQ).

I'm not sure yet, but this may even render Apple's anti-theft system totally moot.

@rmondello @johnbrayton
@agl

It's even WORSE than I thought.

If a miscreant steals your iPhone or iPad, either unlocked or after watching you enter its passcode, they may be able to access all of your data in iCloud and in your AppleID cloud settings using a browser - even if you configured Screen Time Restrictions to limit access to critical data.

Here's how (where it reads "Touch ID" replace that with "Face ID" if your iDevice isn't equipped with a fingerprint scanner);

Assuming that you've NOT configured biometrics to unlock your iPhone or iPad (OR you've turned off 'Settings' > 'Touch ID and Passcode' > 'Password Autofill'), and:

You open, for example using Safari,
https://appleid.apple.com/sign-in
or
https://icloud.com and tap 'Sign in'
and:

You tap the (x) at the top right of the box that pops up at the bottom of the screen, and:

You tap in the field labeled "Email or phone number", and:

At the bottom of the screen, in the light gray box reading "Sign in to apple.com with your saved passkey?", you tap the blue button that reads:

Use "<your icloud.com email address>"

then the browser you're using is logged in to your AppleID account or to your iCloud account respectively.

Consequences
In your Apple ID account, you (or an attacker who does this) can see all -and edit most- of your account details. I've not tested it but they may now be able to lock *you* out of your account.

In your iCloud account they can choose 'Locate device' and disable *any other* iDevice you may have.

This is *even* true if you've configured "Screen time" restrictions in such a way [1] that a thief of your iDevice, who succeeds in unlocking it's screen (*), CANNOT view your account details ar the top of 'Settings', while it even fully hides the 'Touch ID and Passcode' submenu entry in 'Settings'.

(*) For example, after they watched you enter your passcode (see WSJ's Joanna Stern's video's that I referred to in my previous toot) - OR IF THEY SIMPLY STOLE IT FROM YOU IN AN UNLOCKED STATE!

[1] https://www.ghacks.net/2024/01/31/how-to-block-account-changes-on-iphone-using-screen-time/

Mitigations
Screen Time Restrictions [1] *does* seem to add an extra defensive layer, albeit probably insufficient.

After enabling it (note that it takes about a minute or so before all protections are actally in place, so be patient), when logged in to your Apple ID account using a browser, doing most (if not all) things labeled 'Continue on device...' do not work (no notification will be received by the iDevice). However, an attacker can probably still wreak havoc.

It's best to configure biometrics EVEN if you don't intend to use it to unlock your iDevice(s).

Note: personally I've configured only my pinky finger to unlock the screen of my iPhone SE2. One advantage is that I can unlock my iPhone in public places without (most of the times) having to enter my screen unlock passcode.

IMPORTANT: after configuring biometrics, confirm that 'Settings' > 'Touch ID and Passcode' > 'Password Autofill' is ON.

@webhat
@rmondello