User profile for user: KROGGORK
KROGGORK Author
User level: Level 1
16 points

YubiKey authentication

It seems to me that using yubikeys with iPhones is somewhat flawed. Yubikeys can be set up as security keys but if an iPhone becomes compromised (if for example, you are forced to tell someone the code to unlock your phone prior to them stealing it from you) then yubikeys can be added or removed without the need to authenticate with an existing key. Not only this but the iCloud password can be changed along with producing a new recovery key all with only the device's passcode. Ultimately, this means that there is no protection other than the compromised passcode and one could easily be completely locked out of ones account regardless of any form of two factor authentication as a trusted device doesn't require addition authentication. Am I right?

iPhone 12 Pro

Posted on May 2, 2023 7:53 AM

Reply
Question marked as Top-ranking reply
User profile for user: LotusPilot
LotusPilot
Community+ 2025
User level: Level 10
301,640 points

Posted on May 2, 2023 8:43 AM

You are quite correct.


If a trusted device is stolen along with its Passcode, all security measures associated with your AppleID account - whether “advanced” or involving Security Keys - can be bypassed, deleted or reset.


In addition, with knowledge of your Passcode, all account credentials and Passwords stored within your saved passwords (i.e., your Apple Keychain) are accessible with just the Passcode. In many cases, your AppleID credentials will also be stored in your Keychain; as such, from your trusted device, every single aspect of your AppleID account can be reset or compromised. If financial accounts are similarly stored in your keychain, your accounts can potentially be emptied before you even get to a telephone…


Even if you have taken steps to secure elements of your iPad or iPhone settings using ScreenTime restrictions, the ScreenTime passcode can itself be reset/bypassed with the AppleID credentials (of course, extracted from the Keychain with just the device Passcode).


In conclusion, yes, the Apple security model appears to have an implementation flaw - that permits complete AppleID compromise from a trusted device. In the circumstances that you describe, a stolen trusted device is the gateway to losing everything.

View in context

Similar questions

4 replies
Question marked as Top-ranking reply
User profile for user: LotusPilot
LotusPilot
Community+ 2025
User level: Level 10
301,640 points

May 2, 2023 8:43 AM in response to KROGGORK

You are quite correct.


If a trusted device is stolen along with its Passcode, all security measures associated with your AppleID account - whether “advanced” or involving Security Keys - can be bypassed, deleted or reset.


In addition, with knowledge of your Passcode, all account credentials and Passwords stored within your saved passwords (i.e., your Apple Keychain) are accessible with just the Passcode. In many cases, your AppleID credentials will also be stored in your Keychain; as such, from your trusted device, every single aspect of your AppleID account can be reset or compromised. If financial accounts are similarly stored in your keychain, your accounts can potentially be emptied before you even get to a telephone…


Even if you have taken steps to secure elements of your iPad or iPhone settings using ScreenTime restrictions, the ScreenTime passcode can itself be reset/bypassed with the AppleID credentials (of course, extracted from the Keychain with just the device Passcode).


In conclusion, yes, the Apple security model appears to have an implementation flaw - that permits complete AppleID compromise from a trusted device. In the circumstances that you describe, a stolen trusted device is the gateway to losing everything.

Reply
User profile for user: LotusPilot
LotusPilot
Community+ 2025
User level: Level 10
301,640 points

May 2, 2023 9:25 AM in response to KROGGORK

As suggested by Limnos, you might add your voice to the many that have already asked Apple to resolve this issue.


Every submitted report counts; your feedback might be report that finally makes the difference in getting Apple to act - and to make minor changes that will properly secure both the device, AppleID and Keychain from this significant threat/compromise.


You may choose to submit feedback under multiple categories:


iPad and iPadOS: Feedback - iPad - Apple

iPhone and iOS: Feedback - iPhone - Apple


Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

YubiKey authentication

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up