For example, it would make a lot of sense to treat them differently for Apple Pay fraud detection, since passcode + device compromise seems a lot more likely in the real world than compelled Face ID.
Edit: there's a newish feature, Stolen Device Protection, that works along these lines - https://support.apple.com/en-us/120340
It makes the conclusions of types 1 and 4 very different.
This would be the same as shoulder surfing your card PIN and then stealing or cloning your card. There were two factors, the attacker just has access to both.
They needed an authenticated app and the PIN at that point, which is two factors. That both are related to your iPhone means nothing; both your card's PIN and your card are related to your card, and both can be compromised by the exact same attack with the exact same consequences.
Problem is, people catch on that with some `expect` scripting and a few open source packages you can still just automate it to be 1 factor, just adding a bit more complexity to eventually leak the user's credentials.
Also, if someone uses a password manager to store both the password and the OTP credential, that is still an improvement to security. Intercepting (e.g. shoulder surfing) or guessing the password is no longer enough, an attacker needs to get into the password manager's vault.
I stopped here... at least on iPhone, this doesn't work. When a new face is scanned into Face ID, all apps using that Face ID are supposed to (forced to?) re-authenticate.
> an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more distinct types of evidence (or factors) to an authentication mechanism.
and concludes with (emphasis mine):
> For the average user, the smartphone has become a single point of failure, where the theft of one device and one piece of knowledge (the passcode) can lead to total financial compromise.
Looks like 2FA to me, not 1FA.
The linked WSJ article is a bit hyperbolic and typical journalism overreach by calling it an Apple "security vulnerability", which is bullshit IMO. If you watch the interview with the guy in jail, the main method by which he got people's security code is he asked them. That is, he would tell people he had drugs to sell them and wanted to give them info, so he would get their phone and ask them for their code to unlock it.
At least the WSJ report is honest when it says "The biggest loophole: You".
Like that guy in Texas whose estate paid billions in tax when he passed away.
And _only_ when bound to a physical security key. Unfortunately by tying into the marketing of passkeys, there is going to be a pervasive assumption that ecosystem/on-device passkeys are just as secure.
Overall a good set of points, and I think it highlights the issues with a lot of the lauded 'convenience' factors in the Apple ecosystem.
Passkeys are an improvement over passwords. Security keys have a place for high security applications like enterprise deployments or the security paranoid. Passkeys stored on security keys can be trivially made worse by allowing users to set bad PINs (like 0000). If you use an iPhone and iCloud Keychain, iOS won’t permit you to store or use Passkeys with such an obvious passcode, but a Yubikey 5 will.
Everything else, including hardware tokens, is marketing vendor lock-in.
Passwords can be shared, stored, backed-up. Passkeys are locked away and hidden.
https://www.youtube.com/watch?v=tJw2Kf1khlA
(Yes, I'm linking YouTube because unlike popular belief, some channels are actually informative, or some make it easy for us to understand the content.)
I would never use my fingerprint for authentication, because it's a flawed concept. The problem is that your fingerprint is not a password. It's more like a username. That's because you leave your fingerprint everywhere; it's practically public information. The same can be said about your face.
The auth is using a password still. The password is just indexed on your face or fingerprint ID and only locally, on-device.
That means the attacker would need the device to ever get at the password in the first place. Then they'd need to be able to break into the device. The latter you can argue is easy or hard, depending on perspective, but they'd need both your faceprint or fingerprint, and a reliable way to replicate it that can fool the reader.
If your fingerprint or faceprint leaks to the world, the attacker would still need your physical device, and would still need to find a way to fool the physical reader with a replica of your faceprint or fingerprint.
In that sense, it's more secure than a password.
First of all, like the other commenter said, these days biometrics are rarely used as a key itself (which is how they are often portrayed in old movies). Instead, they are used as a method to gain access to the key. This is quite literally the case with some biometric Yubikeys - the key is the Yubikey, but to get it to work it needs your biometrics. Are you saying it would be better to have a key with no access control at all? Or one with a passcode (just watch the linked WSJ article from TFA - the guy was able to steal data from phones with passcodes, but biometrics would have made that attack vector much more difficult). Phones work pretty much the same way, perhaps the downside being that people often don't consider their phones as something that needs the same level of guarding as an actual key.
And just as importantly, what these kinds of YouTube videos often miss is the old adage "I don't need to outrun the bear - I just need to outrun you." That is, unless you are a particularly high-value target (and you would know if you are), any security that makes you much more difficult to hack than the person using Princess123 as their password means thieves give up and go to the easier target first.
(1) Their use of public-key cryptography is not quantum safe (against quantum computing). In contrast, passwords are very much quantum safe.
(2) They are tied to the provider. Why on Earth would I want to have the provider own my passkeys? Why would I want this vendor lock-in for my authentication?
(3) What if I want multiple accounts for a site? Some passkey vendors may support them, while others may not.
2. By definition this isn’t true
3. Again not true, don’t confound whatever terrible implementation you have used with what is allowed or capable
2. It is risked in practice.
3. It too is risked in practice.
Your argument hinges on us getting access to a quantum computer that is stable enough for Shor's algorithm to run, invalidating RSA and ECC, current password hashes being updated using algorithms that are secure, or long enough, and a quantum safe algorithm not existing for PKI.
Do you understand how this sequence of events is extremely unlikely, specifically since we already have quantum safe public key algorithms and there is still ongoing research, whereas it isn't even known whether we will ever get a stable quantum computer with enough qubits.
So now we have Apple, Google and Microsoft getting a standard together that is actually secure in 2025, and your response is that sometime in the future a computer that our best engineers and scientists still haven't been able to even prove may be feasible might be able to reverse a public key.
I also have a strong suspicion that the people who go through the effort of even implementing Passkeys and those who care about security are a mostly overlapping set, so the likelihood of those public keys leaking in the first place is significantly lower than Bob's hardware leaking my old man's one password he uses for everything.
The security improvement for 99.99% of the population from using passkeys just far outweighs your hypothetical future that will likely never happen.
I predict we will get AGI before a quantum computer that can reverse a public key, and we will have quantum safe public keys before that.
If someone is using biometrics, how often are they really using their PIN that this would at all be a valuable tactic? I very rarely actually need to enter my PIN on my phone, so this largely seems like a moot point?
Like yeah, it is still technically possible, but if we really get down to it, if someone were to learn the PIN then the passkey is equally worthless, since they could also use my phone to authenticate anything passkey. Fairly surprised that software based passkeys are just skipped here, since I doubt most people are using hardware based passkeys, particularly on mobile devices.
I think there is a bigger (not just banking) discussion to be had about what can be done with your phone's PIN. But with the convenience of biometrics, set an actually strong password for your phone instead of a 4 or 6 digit code.
For individual apps, I use biometrics except on reboot, if they support that.
pxeger1•6mo ago
wintermutestwin•6mo ago
Thank you for breaking it down like this. The bottom line is that if you don’t have your phone, you can’t access your accounts. That is a massive risk factor - particularly while traveling. That tells me that passkeys and password managers are not a viable security solution.
rkrisztian•6mo ago
okanat•6mo ago
zarzavat•6mo ago
If you need to manage non-trivial amounts of money through your phone, having a specific device to do that is a no-brainer.
frollogaston•6mo ago
zarzavat•6mo ago
https://www.bbc.com/news/articles/cy8y70pvz92o.amp
I'm not sure exactly how they get around security features, perhaps by social engineering customer support, if they have enough PII.
Yeul•6mo ago
Obviously people can still kidnap you and torture you but that's no different from before smartphones.
frollogaston•6mo ago
fsflover•6mo ago
toast0•6mo ago
fsflover•6mo ago
toast0•6mo ago
fsflover•6mo ago
toast0•6mo ago