Terence Kam has discovered a major implementation bug in Apple’s passkeys. Passkeys are Apple’s implementation of an industry standard designed to remove passwords from online authentication. This helps reduce the risk of account compromise because it removes passwords, which can be leaked, exposed or stolen. Terence discovered that creating a second passkey for the same web service results in the first passkey disappearing. He had multiple Google accounts, and generating a passkey for his second account caused the stored passkey for the first account to disappear. Not all web services are impacted, and his hypothesis is that passkeys created by scanning a QR code are affected. He has reported the bug to Apple, but as of iOS/iPadOS 16.3.1 the bug still exists.

This segment was created for the It’s 5:05 podcast