The Risk iPhone Theft Poses to Your Passkeys and What to Do Now

by | Jul/22/2023

Passkey technology can be highly dependent on a user’s smartphone. If an attacker gains access to a smartphone and knows the passcode, the attacker potentially has easy access to every passkey stored on it. For example, if an iPhone thief resets the Apple ID password and keeps the phone, the victim cannot access their passkeys on any Apple device. The victim is therefore locked out of every account protected with a passkey, while the attacker is let in. That is a big problem.

If you want to know more about passkeys:

To gain the most value out of the information below, first review the details about how a stolen phone creates an authentication disaster:

As mentioned above, if your phone with passkeys is stolen, the thief can access your accounts and deny you access. Because passkey technology and strategies are constantly evolving, there might be more solutions when you read this. As of now:

One possible solution would be storing the passkeys in a password manager, not the Keychain. Then, as long as the attacker cannot unlock the password manager, the attacker will not have access to the passkeys. And if an attacker destroys the passkeys in the Keychain or blocks access to your Apple ID and thus Keychain, you would still be able to access your passkeys since the passkeys are stored in the password manager. The password manager NordPass advertises allowing users to create, store, and share passkeys between their devices. The password managers 1Password and LastPass have announced they will support storing passkeys soon. As you read this, other password managers might support storing passkeys too.

Without using a password manager to store passkeys, another way to protect passkeys would be to set up passkeys in multiple environments. Many iPhone users have a Windows desktop or laptop too. Or they might purchase an Android device where they could configure passkeys. Even if an attacker resets the Apple ID password or deletes the passkeys from the Keychain, thus blocking the victim’s access from all their Apple devices, the victim can still access their sites protected with a passkey generated using their Windows or Android device. Then they can revoke the passkeys created in their Apple ecosystem to prevent the attacker from authenticating from the stolen phone.
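
The multi-platform strategy above works because revocation happens on the website's side, not on the stolen phone. The following is an added example, not code from the original post: a constructed relying-party model in Go in which two authenticators (one standing in for iCloud Keychain, one for Windows Hello; both names are illustrative labels) are enrolled, the iPhone credential is revoked from the surviving device, and the site keeps verifying real P-256 signatures so the thief's still-present private key no longer gets them in.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Passkey / Account: what the relying party (RP) stores, public keys only, keyed by credential ID (constructed model).
type Passkey struct{ Label string; Pub *ecdsa.PublicKey; Revoked bool }
type Account struct{ Keys map[string]*Passkey }
// NewAuthenticator stands in for iCloud Keychain, Windows Hello, etc.; the private key never leaves it.
func NewAuthenticator() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}
// Revoke is the victim's action from the surviving device: the RP stops accepting this credential.
func (a *Account) Revoke(credID string) {
	if k, ok := a.Keys[credID]; ok { k.Revoked = true }
}
// Sign is the authenticator's (simplified) assertion over the RP's challenge.
func Sign(auth *ecdsa.PrivateKey, challenge []byte) []byte {
	h := sha256.Sum256(challenge)
	sig, _ := ecdsa.SignASN1(rand.Reader, auth, h[:])
	return sig
}
// Authenticate accepts an assertion only from a registered, non-revoked credential.
func (a *Account) Authenticate(credID string, challenge, sig []byte) error {
	k, ok := a.Keys[credID]
	if !ok || k.Revoked { return errors.New("unknown or revoked credential") }
	if h := sha256.Sum256(challenge); !ecdsa.VerifyASN1(k.Pub, h[:], sig) {
		return errors.New("signature does not match stored public key")
	}
	return nil
}
// Scenario plays out the article: two platforms enrolled, the iPhone credential revoked after the theft.
func Scenario() (stolenRejected, fallbackAccepted bool) {
	iphone, windows := NewAuthenticator(), NewAuthenticator()
	acct := &Account{Keys: map[string]*Passkey{
		"cred-iphone": {Label: "iCloud Keychain", Pub: &iphone.PublicKey},
		"cred-win":    {Label: "Windows Hello", Pub: &windows.PublicKey},
	}}
	acct.Revoke("cred-iphone") // done by the victim from the Windows machine
	ch := []byte("constructed-rp-challenge") // real WebAuthn challenges are random per login
	stolen := acct.Authenticate("cred-iphone", ch, Sign(iphone, ch))
	return stolen != nil, acct.Authenticate("cred-win", ch, Sign(windows, ch)) == nil
}
```

The point to take from it: the thief's phone still holds a perfectly valid private key, yet the site refuses it once the victim has revoked that credential from another platform.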

But unless users have them already, it is extra trouble and expense to buy a Windows computer or Android phone and remember to set up passkeys on two different devices. Someday, the technology created for convenience might allow the same passkey to function across Apple, Windows, and Android devices. That would render this strategy ineffective, but it could be a long time before such cooperation comes to fruition. A drawback of having more than one device is that it gives thieves more opportunities to steal. Thus, using a password manager to store passkeys is a better option for many, unless they distrust the security of password managers.

