> - A lot (most?) people’s Apple Account name is actually their main email address (e.g. Gmail), so they would still control their email address even if their Apple Account was compromised.
But the login for the Gmail address is a passkey that's on the Apple account...
> - You can still recover your Apple Account and iCloud Keychain without any devices (e.g. if phone broke like in your scenario).
So what's the point of passkeys if you can get access to them without passkeys?
> - Your passkeys stored in iCloud Keychain are still protected even if your Apple Account has been compromised.
How can something be protected when the thing that controls access to it has been compromised?
> But the login for the Gmail address is a passkey that's on the Apple account...
A passkey is just a replacement for a password. Google (and other apps/websites) have account recovery processes for users who get locked out of their accounts. The way you get back into your Google account doesn’t change much just because you’re signing in with a passkey vs. a password.
Account recovery is a problem that service providers have to solve (and do solve) regardless of whether a user authenticates to their account with a password or a passkey.
> So what's the point of passkeys if you can get access to them without passkeys?
Some huge benefits are:
1. They are highly phishing resistant. Unlike passwords and popular forms of 2FA (TOTP and SMS), users can’t be tricked into sending their credential to a fake/malicious server. A passkey is bound to the server domain at the time the credential is created, and your OS/browser will simply not send it to the wrong place.
2. There is no credential for attackers to steal from servers in the case of server breach. This is because only a public key is stored on the server, instead of password hashes (or worse, plaintext, if the app/website developers don’t know what they’re doing).
3. Passkeys are guaranteed to be unique and secure. The same cannot be said for passwords. Even a password manager cannot guarantee that every single credential stored in the password manager is both unique and secure. And password complexity requirements often make it a painful game of trial and error to create a secure password, even when using a password manager.
4. Because of annoying password complexity requirements, the process of creating a new password can be annoying and take up to a minute or two of fiddling around, even when using a password manager. With a passkey, the process takes as long as Face ID or Touch ID (or equivalent on other platforms) every time. Every single credential creation and authentication is a fantastic user experience (both fast and easy).
I suggest watching Apple’s WWDC videos. There you will find a very very in-depth answer to this question.
All of the points I’ve made above (and more) are covered in the linked videos.
If you won’t watch any of the above then you should at least read the FAQ on passkeys on the FIDO website here, which should answer many of your questions:
Specifically, carefully read the following sections titled “Synchronization security” and “Recovery security”. The short answer is that gaining access to the user’s iCloud Keychain contents requires more than just having access to the Apple Account.
Ok so let's assume passkeys are a form of saved generated password.
> 1. They are highly phishing resistant. Unlike passwords and popular forms of 2FA (TOTP and SMS), users can’t be tricked into sending their credential to a fake/malicious server. A passkey is bound to the server domain at the time the credential is created, and your OS/browser will simply not send it to the wrong place.
So why does my browser or password manager send saved normal passwords to a different domain than the one they were saved for? This is not a limitation of passwords but of the software that encourages saving passwords. It didn't need switching to machine only passwords to fix.
> 2. There is no credential for attackers to steal from servers in the case of server breach. This is because only a public key is stored on the server, instead of password hashes (or worse, plaintext, if the app/website developers don’t know what they’re doing).
What has stopped developers from using irreversible transformations on stored passwords in the past? The math was there.
> 3. Passkeys are guaranteed to be unique and secure. The same cannot be said for passwords. Even a password manager cannot guarantee that every single credential stored in the password manager is both unique and secure. And password complexity requirements often make it a painful game of trial and error to create a secure password, even when using a password manager.
If it's generated by software, any software should be able to assure uniqueness. This is again a failure of saved passwords / password managers.
> 4. Because of annoying password complexity requirements, the process of creating a new password can be annoying and take up to a minute or two of fiddling around, even when using a password manager. With a passkey, the process takes as long as Face ID or Touch ID (or equivalent on other platforms) every time. Every single credential creation and authentication is a fantastic user experience (both fast and easy).
Yes and here we get to the elephant in the room.
You become dependent on an easily stolen or destroyed device for authentication. It is a fantastic user experience until you're a plane flight away from home, your phone gets stolen. Your passkeys are safe in the secure enclave. Too bad you can't access them any more. How do you get home? You don't have any other devices to prove your identity, if you even have backup devices, they're at home. The flight options are in an app that you don't have the passkeys any more for. Your flight may get canceled or rescheduled and you have no way of knowing. If you didn't bring any physical credit cards or backup cash, you can't even eat.
Passkeys are all fine in your average techie environment, but can be a disaster outside it.
> So why does my browser or password manager send saved normal passwords to a different domain than the one they were saved for? This is not a limitation of passwords but of the software that encourages saving passwords. It didn't need switching to machine only passwords to fix.
Any kind of authentication method that relies on a string that can possibly be manually typed into a box by an end-user can never be made to be highly resistant to phishing.
> What has stopped developers from using irreversible transformations on stored passwords in the past? The math was there.
I don’t understand what point you’re making here. Are you saying “why didn’t people create a different standard than WebAuthn?” or are you saying “strong password hashing methods exist, so why do so many websites use bad ones”? Or are you saying something else?
> You become dependent on an easily stolen or destroyed device for authentication.
No, you don’t, because passkeys on Apple platforms are stored in iCloud Keychain, which syncs across all your devices with end-to-end encryption. They’re not solely on your phone.
> It is a fantastic user experience until you're a plane flight away from home, your phone gets stolen. Your passkeys are safe in the secure enclave.
They are stored in iCloud Keychain, not the Secure Enclave. And you can recover access to your iCloud Keychain is even if you lose your phone, and even if you lose all of your devices.
> The flight options are in an app that you don't have the passkeys any more for.
You could just go through the account recovery flow for the airline app to regain access to your account. Whether you use a password or a passkey as your primary credential for logging in has very little to do with account recovery logging into an airline app. The app needs to continue to handle users who get locked out of their airline account for a variety of reasons.
> You could just go through the account recovery flow for the airline app to regain access to your account.
On which device? You can't use a public pc (or a local friend's) because you'd need to get your new passkeys on it and that's not safe.
Buy a new laptop/phone on the spot?
I'm going to make up a new conspiracy theory that says this push for passkeys is there to sell more devices, because shared devices aren't safe any more.
But the login for the Gmail address is a passkey that's on the Apple account...
> - You can still recover your Apple Account and iCloud Keychain without any devices (e.g. if phone broke like in your scenario).
So what's the point of passkeys if you can get access to them without passkeys?
> - Your passkeys stored in iCloud Keychain are still protected even if your Apple Account has been compromised.
How can something be protected when the thing that controls access to it has been compromised?