Beware! Critical Apple bug wipes out passkeys
If you are not careful, this bug can cause you to be locked out of your accounts!
I have multiple Google accounts for testing purposes. Today, little did I expect to find a major implementation bug with Apple’s passkeys. This bug is so bad that you can find yourself locked out of your accounts with no recourse because your passkeys simply disappeared into thin air!
Setup passkey for first Google account
This is what I did today: I decided to increase the security of my Google accounts using passkeys by performing the following steps:
1. Log into my Google account.
2. Go to the 2-step verification settings.
3. Add “Security Key” as one of my available 2-step verification options. In this step, my iOS device becomes a security key in the form of a passkey. I explicitly saw that iOS prompted me to create a passkey for this particular Google account’s email address.
4. Disable all the other 2-step verification options.
To log into my Google account, I need to enter my Google password and then use biometrics to authenticate myself to my iOS device. iOS will use the passkey associated with this particular Google account to authenticate to Google for me.
I went to my iCloud Keychain and verified that a passkey was created for this particular Google account. That means I can use any of my Apple devices as a security key to log into this Google account, because the passkeys are synced among all of them.
So far so good.
Setup passkey for second Google account
Next, I repeated steps 1 to 4 for another one of my Google accounts. I explicitly saw that a separate passkey was created for that second Google account in my iCloud Keychain.
Now, guess what happened?
First passkey wiped!!!
The passkey for my first Google account disappeared!!!
Yes, disappeared!!!
When I created a passkey for my second Google account, the passkey for my first Google account was wiped! Worse still, it was wiped across all my Apple devices because iCloud Keychain synced them all. That means I was locked out of my first Google account, because I had disabled all other forms of 2-step verification. Without my passkey for my first Google account, I simply cannot log in!
Fortunately, I managed to find another way in, using an obscure logged-in session on a Chrome browser on another device. But that was a close call.
The bug was reproducible
I thought maybe I had made a mistake somewhere. Maybe it was my own fault. So, I decided to reproduce the steps and see if exactly the same thing happened. This time, I was careful not to disable all other forms of 2-step verification, so that I could still get in if my passkey got wiped.
So, I re-created a passkey for my first Google account and used that as one of my 2-step verification options.
Guess what?
The passkey for my second Google account was wiped on all my Apple devices!
Next, I decided to create a passkey for my third Google account. Disappointingly, the re-created passkey for my first Google account was wiped on all my Apple devices!
More details for QA testers
In iCloud Keychain, each passkey entry has a user name associated with a website. Optionally, you can also include a password, notes and OAUTH verification code in that entry.
For example, when I created the passkeys at Google’s website by scanning the QR code, I saw a prompt to create a passkey for that user name. What happened was that in my iCloud Keychain, that passkey was added to the existing password entry. So that entry has:
User name (Google email address)
Password
OAUTH verification code
Passkey
Web address
That would imply that in the UI, you can choose which passkey to use for any given website. This is very similar to how passwords work.
Strange symptom
When I created the passkey for my second Google account, I noticed these unexpected things in the iCloud Keychain:
The passkey in the entry for my first Google account disappeared!
A new entry appeared: it only contained the passkey with the user name of my second Google account, along with the web address.
The entry (user name, password, OAUTH) for my second Google account was intact.
What I expected:
A new passkey to be added to the entry for my second Google account.
The existing passkey in my first Google account untouched.
However, I could only reproduce this strange symptom once. The second and third times I reproduced this bug:
As before, the passkey for the previous Google account disappeared!
A new passkey was added to the entry for the next Google account (i.e. user name, password, OAUTH, passkey, web address).
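The expectation above (a new passkey per account, earlier ones untouched) is how the WebAuthn model works: a discoverable credential is identified by the relying-party ID together with the user handle, and only a new credential with the same pair replaces an existing one. The following Node.js model is an added illustration, not code from this post, from Apple or from Google; it contrasts a store keyed that way with one keyed on the site alone, which reproduces the wipe described above. The account handles, addresses and rpId are constructed sample data, and the `lostPasskeys` check is the sanity check a user or QA tester would run after each registration.

```javascript
// Added illustration (not from the post): two ways an authenticator might
// key its passkey store, and what each does when a second account on the
// same site registers a passkey.
class PasskeyStore {
  constructor(keyFn) {
    this.keyFn = keyFn;          // how this store identifies a credential
    this.creds = new Map();
  }
  // Mirrors the inputs of navigator.credentials.create(): rp.id and user.id
  // (the opaque user handle) plus the display name shown in the keychain.
  create(rpId, userHandle, userName) {
    const cred = { rpId, userHandle, userName, credentialId: `${rpId}:${userHandle}` };
    this.creds.set(this.keyFn(rpId, userHandle), cred);   // same key => replace
    return cred;
  }
  list(rpId) {
    return [...this.creds.values()].filter((c) => c.rpId === rpId);
  }
}

// Spec-conformant: keyed on (rpId, userHandle). Two accounts coexist;
// re-registering the *same* account replaces only that account's passkey.
const perAccountStore = () => new PasskeyStore((rpId, uh) => `${rpId}|${uh}`);
// Keyed on rpId alone: every new account's passkey displaces the previous one,
// which is the symptom observed in the post.
const perSiteStore = () => new PasskeyStore((rpId) => rpId);

// Constructed sample accounts (not real handles or addresses).
const ACCOUNTS = [
  { userHandle: 'uh-1', userName: 'first@example.com' },
  { userHandle: 'uh-2', userName: 'second@example.com' },
  { userHandle: 'uh-3', userName: 'third@example.com' },
];

// Registers each account in turn and returns the user names still present.
function registerSequence(store, rpId, accounts) {
  for (const { userHandle, userName } of accounts) store.create(rpId, userHandle, userName);
  return store.list(rpId).map((c) => c.userName).sort();
}

// The check to run after every new registration: which earlier passkeys vanished?
function lostPasskeys(before, after) {
  const remaining = new Set(after);
  return before.filter((name) => !remaining.has(name));
}

console.log(registerSequence(perAccountStore(), 'accounts.example', ACCOUNTS));
console.log(registerSequence(perSiteStore(), 'accounts.example', ACCOUNTS));
```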
Testing on webAuthn.io
I went to https://WebAuthn.io, which is a test implementation of passkeys. This time, I was able to create multiple passkeys for that website.
The difference?
On Google’s website, the passkey was created on the iDevice by scanning the QR code on the desktop computer. On WebAuthn.io, the passkey was created natively through the iDevice’s web browser.
On WebAuthn.io, there were no existing entries in iCloud Keychain for that website.