
And what if somebody breaks into my google/iCloud account and syncs all my passkeys to their machines?


If they're in your Google/iCloud, you're already in a game over scenario. The point of all this is to prevent that from happening.

You can try to recover by revoking all your passkeys and starting over with hardware tokens, but that's likely what a sophisticated attacker is going to try as well, and they're probably faster than you.

Still way way better than passwords.


How is that better than passwords? I backup my encrypted passphrase database to a cloud provider. When my house burns down and all my devices are lost, I get a new device, download my own passphrase manager app, download the passphrase document, and continue as before.

If someone breaks into the cloud provider and downloads my passphrase document, nothing happens.


If they break into my iCloud then they’re in my iCloud. They’re not in all my other accounts, because I use an encrypted password manager that isn’t iCloud.


Think of it as using iCloud as your password manager and storing your OTPs - someone breaks into your iCloud, they get access to all the passwords and OTPs to login to any service in iCloud.

Always take the security of your password manager / sync accounts seriously. Use hardware security keys if needed on the "root accounts".


iCloud is unfortunately impossible to adequately secure for that use case.

If you shoulder-surf somebody's phone unlock PIN and grab their phone, you have everything you need to take over their iCloud account, including their passkeys and the capability of locking out all of the victim's other trusted Apple devices and changing their iCloud password.

This was very surprising for me to witness first hand – fortunately not in the identity theft scenario, but only when observing a relative regaining access to their iCloud account using only their iPad they were logged in on.


It is a fair observation. And I can see why users tend to be alarmed about this. Although in my experience users tend to significantly underestimate the real risks of online attacks relative to these more visceral threats.

Let me ask you: has that discovery made you stop using your iPhone, or storing passwords or other critical data in your iCloud? If the answer is "No", then you're strictly better off moving to passkeys stored on iCloud as well.


> Let me ask you: has that discovery made you stop using your iPhone, or storing passwords or other critical data in your iCloud?

Yes, it has (the latter). I was a big fan of (non-synchronized) on-device passkeys, but this has significantly changed the threat model for me.

I use a third-party password manager exclusively now, and I'll probably be using its synchronized Passkey implementation too if it turns out to be any good.

As soon as Apple starts offering a different set of security trade-offs (e.g. make usage of the recovery key mandatory when resetting my iCloud password, or at least implement a timed lockout), I'd gladly start using iCloud Passkeys and maybe also its password manager.


I think you can set a longer iPhone password instead of a pin. Harder to surf.


Sure, but that's really inconvenient in the 99.9% of cases where I just want to unlock my phone, not recover my iCloud account password.


The passkeys are encrypted before leaving your machine and Google/iCloud are only storing the encrypted passkeys and can't decrypt them.


Presumably encrypted with e.g. my iCloud password?


Kind of, but it's more complicated than that. Details there (and in the link at the bottom of the page): https://support.apple.com/en-us/102195



