@0xF21D Any more reason to switch to FIDO2 with hardware tokens or #Passkeys.

The latter only if you trust the service providers and if you don't need protection against phishing. With Passkeys and their optional delegation feature you can be tricked into transferring to a hacker.

With a #FIDO2 hardware token, you're really safe.

@zak @zenbrowser : a still unfixed vulnerability: if NOT using Touch ID, on some websites you may be able to sign in using a passkey WITHOUT authenticating locally - using biometrics or your passcode (screen unlock code).

‍ This vulnerability also exists WITH Touch ID set up, provided that "Password Autofill" is disabled.

BTW this vulnerability also permits access to:
• https://icloud.com
• https://account.apple.com
(When asked to provide your fingerprint, tap the X at the top right and tap in the "Email" field one more time).

This is a HUGE risk for people who do not want to use biometrics: if a thief grabs their iPhone when unlocked, or watches them enter their passcode and later steals their iPhone, the thief can use ALL of the owner's passwords and some of their passkeys stored in the "Passwords" app (formerly known as iCloud Keychain).

This increases the risks of theft as shown by WSJ's Joanna Stern in https://youtube.com/watch?v=QUYODQB_2wQ.

In addition, a (grand) child or anyone else who (shortly) borrows your iPhone/iPad may have access to more of your cloud-accounts than you're aware of.

Workaround if you don't want to use biometrics to unlock your iPhone/iPad (this does not fix any problem if a thief learns (or successfully guesses) your passcode (screen unlock PIN or password):

• Set up a Touch ID anyway, for example for your left pinky finger (if you're righthanded)

• Disable "iPhone Unlock" in "Touch ID and Passcode" (visible in the first screenshot).

• Use a safer password manager (such as KeePassium) than the Apple "Passwords" app (iCloud KeyChain).

In any case:

• Make sure that "Password Autofill" (in settings -> "Touch ID and Passcode") is set to ENABLED;

• When you enter your passcode in a public place (such as a bar, bus or train), make very sure that nobody gets to see you enter it.

@vPurple : because I'm a security guy who wants to help others make the best of things (even if it regularly feels like pulling my hair out).

Most people will *not* install an alternative OS on their phone.

And I use main stream stuff to be able to tell big tech when things suck (unfortunately they're mostly deaf).

iCloud Keychain passkeys and passwords vulnerability: https://infosec.exchange/@ErikvanStraten/113947265572224222

Android passkeys vulns: https://infosec.exchange/@ErikvanStraten/113820358011090612 (after publishing https://seclists.org/fulldisclosure/2024/Feb/15).

OTOH Mozilla eventually fixed a bug in Firefox for iOS/iPadOS that I reported (under specific, non-exceptional, circumstances a padlock was shown while http was being used: https://infosec.exchange/@ErikvanStraten/113316652669640932).

@Tutanota

@eelcoa : jazeker, maar heel veel wachtwoordmanagers doen dat standaard niet.

Bovendien moeten internetters zich niet laten misleiden om, als de wachtwoordmanager nergens mee komt, zoals voor iets als:

https://UBN-identiteits-verificatie·com

(UBN = UwBankNaam)

dan maar zelf de inloggegevens voor hun bank in de wachtwoordmanager op te zoeken.

Ten slotte checken wachtwoordmanagers zelden of een website van https gebruik maakt.

Passkeys hebben geen van de drie bovengenoemde nadelen, maar wel weer een heel stel andere.

Waarom 2FA/MFA niet tegen phishing beschermen, Engelstalig (het zóvéélste voorbeeld, deze van afgelopen week: https://www.bleepingcomputer.com/news/security/hackers-spoof-microsoft-adfs-login-pages-to-steal-credentials/). Iets eerder, meer uitleg: https://www.securityweek.com/mfa-isnt-failing-but-its-not-succeeding-why-a-trusted-security-tool-still-falls-short/.

Veilig inloggen: https://security.nl/posting/840236/.

Beknopt (Engelstalig) tips voor wachtwoordmanagers onder Android, iOS en iPadOS: https://infosec.exchange/@ErikvanStraten/113022180851761038.

Android screenshot bij gebruik van KeePassDX: https://infosec.exchange/@ErikvanStraten/113549056619471557.

Safari onder iOS/iPadOS laten waarschuwen als (ook heel eventjes tussendoor) http gebruikt wordt: https://infosec.exchange/@ErikvanStraten/113951865706764140.

Passkeys voor leken (NL): https://security.nl/posting/798699

Ptoblemen met passkeys: https://infosec.exchange/@ErikvanStraten/113947086575210603.

@maartjeS

@thomasbosboom : I reported the passkkey (and password) bug privately to Apple in the summer of 2023. Even after providing a near endless amount of screenshots and other proof, Apple said it's a wontfix.

The basic issue is that, if the user does not use biometrics to unlock their iPhone or iPad, they are NOT asked to enter their (screen unlock) passcode to use passwords from iCloud keychain.

IMO that on itself is already insane (considering [1]). Many people do not use biometrics.

If no bio is used (and even if it is) there are specific circumstances where someone with access to an unlocked iDevice (think of children) can use passkeys without any local authentication.

Just tested using iOS v18.3: with my iPhone unlocked, I can log in to https://icloud.com and (fixed URL 20:48 UTC) https://account.apple.com using the passkey on my iPhone WITHOUT providing any credentials.

If @rmondello reads this: thank you for adding the Safari "Not Secure Connection Warning"!

Even if it not enabled by default, this http warning should help protect against EvilTwin attacks (such as described in https://www.bleepingcomputer.com/news/security/australian-charged-for-evil-twin-wifi-attack-on-plane/).

[1] See WSJ's Joanna Stern in https://youtube.com/watch?v=QUYODQB_2wQ and https://youtube.com/watch?v=tCfb9Wizq9Q. And no, I do not believe that Stolen Device Protection is a good idea. Most people will not use it.

@roman78