As a followup to my piece on passkeys, reader Andrew pointed me to a blog post by Terence Eden, which contains a bit of a thought experiment on what happens if you have a catastrophic accident (say, a house fire) and lose access to all your devices:
In order to recover my digital life, I need to be able to log in to things. This means I need to know my usernames (easy) and my passwords (hard). All my passwords are stored in a Password Manager. I can remember the password to that. But logging in to the manager also requires a 2FA code. Which is generated by my phone.
The situation as described is really a worst case scenario in which everything goes wrong, but it does raise questions about Apple’s new passkeys. If you have any device, sync should ensure that they’re all stored there. But what does happen in a terrible case like this where you lose all your devices?
Well, there are recovery methods in place, as you might suspect. Apple talks broadly about them in a support article:
To recover a keychain, a user must authenticate with their iCloud account and password and respond to an SMS sent to their registered phone number. After they authenticate and respond, the user must enter their device passcode. iOS, iPadOS, and macOS allow only 10 attempts to authenticate. After several failed attempts, the record is locked and the user must call Apple Support to be granted more attempts. After the tenth failed attempt, the escrow record is destroyed.
This seems to suggest that you’ll need to recover your phone number first, presumably by dealing with your wireless carrier. In a truly worst case scenario as detailed in Eden’s post, that may prove to be challenging, depending on what information you need to recover the account from the iCloud Keychain escrow. (Alternatively, Apple also points you can set up a recovery contact which is a good idea—and, as per Eden’s post, it may be a good idea to make it somebody who doesn’t reside with you, just in case of said catastrophic occurrence.)
That said, this is also a possible vector for social engineering, so extra levels of security are probably a good thing here. Requiring iCloud password, SMS code, and device passcode altogether seems like a reasonable set of steps to take before giving access back to a keychain.
There’s always going to be the possibility of a scenario where the security is so good that you can’t recover it, but in many of these cases, if you’re encountering a situation so severe that all of your failsafes have also failed, well, there’s probably something really dire going on that means you have even bigger problems.
—Linked by Dan Moren