Can I Borrow Your Phone?
But as lots of us will benefit from this rare development, which increases both security and ease of use (typically these things are opposite), there is the growing "layer 8" security attack surface: attacks on people who are unfamiliar with how things really work.
Probably most of the vulnerabilities will lie around the ownership and protection of personal devices (which are now holding all the keys). Just to illustrate the issue: the battery in my several-year-old iPad has been dying and I decided to have it replaced. The standard Apple procedure is "give us your old iPad and we will give you back a refurbished one". I did not like this procedure as it required erasing the old device and reinstalling everything on the new (refurbished) one. Even though I seemingly have the iPad backed up to the cloud, the restore process is not complete. It does restore the apps to some extent, but does not restore all the apps' data, so you need to go and re-download saved videos, saved offline maps, re-sync the music and so on. It is time-consuming and requires a manual checklist.
So I decided to use an independent Apple service shop that disassembles the iPad and replaces the battery, keeping the data intact. BTW there is always a worry when you hand a device full of personal data to a stranger. But somehow here I trust that Apple makes their devices really secure and that a typical service shop does not have the NSA-level resources to extract the contents from a locked unit.
Imagine my surprise, then, when the service shop called me the next day asking for the device PIN. "What?" Yes, exactly. I was stunned. No... how could you even ask for that? "We just need it to make sure all functions are functioning properly before disassembling the device." Of course I did not give them the PIN, but I can easily imagine many people would. Ouch!
As a side note - my approach failed too (and I have yet to learn all the consequences, as the battery upgrade is not over). It took them 7 calendar days to complete the replacement, and when I brought the iPad back home I found it could not connect to 2.4GHz WiFi and Bluetooth was very erratic. Clearly an issue with a 2.4GHz antenna of sorts. That is for another episode, as the iPad is still being repaired.
But the bottom line here is, while passkeys are great, we still have the culture of sharing devices: maybe not phones, but tablets and laptops. And multi-user / guest support is very often difficult / not user friendly / not supported.