Hacker News new | ask | show | jobs
by skarra 978 days ago
Think of it as using iCloud as your password manager and storing your OTPs - someone breaks into your iCloud, they get access to all the passwords and OTPs to login to any service in iCloud.

Always take the security of your password manager / sync accounts seriously. Use hardwre security keys if needed on the "root accounts".
1 comments
lxgr 978 days ago
iCloud is unfortunately impossible to adequately secure for that use case.

If you shoulder-surf somebody's phone unlock PIN and grab their phone, you have everything you need to take over their iCloud account, including their passkeys and the capability of locking out all of the victim's other trusted Apple devices and changing their iCloud password.

This was very surprising for me to witness first hand – fortunately not in the identity theft scenario, but only when observing a relative regaining access to their iCloud account using only their iPad they were logged in on.

link
skarra 978 days ago
It is a fair observation. And I can see why users tend to be alarmed about this. Although in my experience users tend to significantly underestimate the real risks of online attacks relative to these more visceral threats.

Let met ask you: has that discovery made you stop using your iPhone, or storing passwords or other critical data in your iCloud? If the answer is "No", then you're strictly better off moving to passkeys stored on iCloud as well.

link
lxgr 977 days ago
> Let met ask you: has that discovery made you stop using your iPhone, or storing passwords or other critical data in your iCloud?

Yes, it has (the latter). I was a big fan of (non-synchronized) on-device passkeys, but this has significantly changed the threat model for me.

I use a third-party password manager exclusively now, and I'll probably be using its synchronized Passkey implementation too if it turns out to be any good.

As soon as Apple starts offering a different set of security trade-offs (e.g. make usage of the recovery key mandatory when resetting my iCloud password, or at least implement a timed lockout), I'd gladly start using iCloud Passkeys and maybe also its password manager.

link
konschubert 977 days ago
I think you can set a longer iPhone password instead of a pin. Harder to surf.
link
lxgr 977 days ago
Sure, but that's really inconvenient in the 99.9% of cases where I just want to unlock my phone, not recover my iCloud account password.
link