Security keys setup

I have added two security keys to my account but my iPhone still lets me change my Apple ID password using the passcode only. No security key challenge is invoked. I thought this was the point of them, where any change to the ID password prompted you to present your security key. I then deleted the keys using, again, only my passcode. Have I missed something in the setup? I even got notification via email that security keys were both added and then removed.

iPhone 8, iOS 16

Posted on May 10, 2023 02:53 AM


3 replies

Jul 22, 2024 07:15 AM in response to Wlee213

Wlee213 wrote:

What if you add the keys and delete your passcode? I’m sure the password still stays in effect but I am more sure that a password is much more difficult to surreptitiously observe as opposed to a passcode. From that stance what other options remain available for a malicious actor to gain unauthorised access to an iCloud account or Apple device without the security keys?



Once set, removing the Passcode from your iPad (or iPhone) will disable much of the device's advanced security functions - such as biometric authentication. The device Passcode secures the device's security chip (i.e., the secure enclave) within which credentials and encryption keys are stored. As such, attempting to disable or remove the Passcode is impractical.


Unlike iOS17 for iPhone, where Apple has recently introduced countermeasures (Stolen Device Protection) to enhance protection of the trusted device and AppleID account from compromise using the device Passcode, for some inexplicable reason Apple has not implemented this same mitigation in iPadOS.


With a trusted device and its associated Passcode, all security measures associated with your AppleID account - whether “advanced” or involving Security Keys - can be bypassed, deleted or reset.


In addition, with knowledge of your Passcode, all account credentials and Passwords stored within your saved passwords (i.e., your Apple Keychain) are accessible with just the Passcode. For convenience, many Users choose to store their AppleID credentials in their Keychain; as such, from a trusted device, every single aspect of the AppleID account can be reset or compromised. If financial accounts are similarly stored in the keychain, these accounts can potentially be emptied before the victim can even get to a telephone…


Even if you have taken steps to secure elements of your iPad or iPhone settings using ScreenTime restrictions, the ScreenTime passcode can itself be reset/bypassed with the AppleID credentials (of course, extracted from the Keychain with just the device Passcode).


In conclusion, the Apple security model has an implementation flaw - that permits complete AppleID compromise from a trusted device.



For iPad, there are some steps that you can take to reduce risk:


1) Never store your AppleID credentials within your Keychain - as saved Passwords accessible from iPad settings using the device Passcode.


2) Set a strong device Passcode, known only to you. Be very careful to ensure that you cannot be observed or overlooked if you should ever use the Passcode in an untrusted or public location.


3) Set and actively use biometric authentication - either FaceID or TouchID. Always use this authenticator in preference to the device Passcode, in particular in public or untrusted locations where you might be observed.


4) Set a ScreenTime Passcode, known only to you, that differs from your device Passcode. Do not associate this ScreenTime Passcode with the email address that identifies your AppleID - or preferably skip entering a recovery email address entirely. If necessary, document and securely store a copy of the Passcode (in an unidentifiable form) separately from your Apple devices.


5) Set three key ScreenTime Restrictions on your device. These will cause some inconvenience to you, but will make compromise of your device and AppleID very much more difficult for a bad Actor:

Settings > ScreenTime > [Restrictions] Content & Privacy Restrictions > [Allow Changes To]

  • Passcode & FaceID | TouchID - set to Don't Allow
  • Accounts - set to Don't Allow
  • Mobile Data - set to Don't Allow


If you need to access key elements of your device settings that require temporary relaxation of one or more of these restrictions, only do so in a private location.



If you have interest in Apple's platform security architecture, this is described within publicly accessible resources:

Introduction to Apple platform security - Apple Support


This document is not light-reading - as it is fundamentally intended for IT and Security Professionals and Practitioners.


May 10, 2023 04:04 AM in response to TimPhoto

You have encountered one of the many limitations of Apple’s current Security Key implementation.


A Security Key can be used to sign in to your AppleID account instead of using your AppleID account Password - or where the associated Password has been forgotten. The Security Key does not fully replace your AppleID account password.


Similarly, Security Keys do not inhibit the ability to change any of your AppleID account security settings, or your account credentials, when accessed from a trusted device such as your iPad or iPhone. Contrary to expectations, using Security Keys will not prevent account compromise or takeover from a trusted device.


If anyone other than you has access to one of your trusted devices - and is knowledgeable of your device Passcode (perhaps having shoulder-surfed or observed entry of your device Passcode via a camera) - everything is lost. With a trusted device and your Passcode, all passwords (likely including your AppleID and banking credentials etc.) can be discovered with just the Passcode. All AppleID security settings can be changed - including the AppleID Password - and all Advanced Security settings deleted or altered. If you have set a ScreenTime Passcode to protect key settings, this too can be bypassed/reset using your AppleID credentials, which can likely be discovered from your saved passwords.


In summary, while Security Keys can add a useful additional level of security in some circumstances, they provide absolutely no additional protection from AppleID account compromise from a trusted device.

Jul 22, 2024 03:44 AM in response to LotusPilot

What if you add the keys and delete your passcode? I’m sure the password still stays in effect but I am more sure that a password is much more difficult to surreptitiously observe as opposed to a passcode. From that stance what other options remain available for a malicious actor to gain unauthorised access to an iCloud account or Apple device without the security keys?
