Apple Passkey Flawed, Poses Security Risk

I am dealing with a domestic cyberstalking situation and have an ex who seems to know entirely too much about my whereabouts, so I have been attempting to systematically triple lock down every email account, social media, home security account (digital door lock, router, camera accounts, etc). The only issue I’m still facing is there seems to be another device that is appearing in the devices section for my Apple ID. It is labeled as similarly to how my Lenovo Yoga appears, except it says windows 10.0, but underneath it says iPhone. I will delete it, but it reappears. I haven’t had my Apple ID password stored in my keychain for several months now, and I change it almost weekly, because until about a week ago, this person was still living in my home, although I slept in my room with the door locked trying to prevent him from accessing my phone.

I have never created a passkey for my Apple ID, on my devices or any other, however, I was still able to log on to my iCloud account via browser on my Yoga using my iPhone. I am concerned because there seems to be a way to create and store passkeys to your Apple ID on devices that are not associated with your Apple ID. Theoretically, if this person had somehow gained access to my phone, maybe they looked over my shoulder at passcode, perhaps they could have given themselves access on their device at one point, which is now saved indefinitely? If this isn’t concerning enough, there does not appear to be a way to disable, delete, or otherwise manage passkeys for your Apple ID. Like I said, my password has not been saved in my phone for a long time, and it’s been changed probably 8 times since it was. I have toggled the options “off” for “Use iCloud Keychain for Passkeys and Passwords” in Password Settings, but I am still able to use a passkey to log in to my iCloud.com account on my Yoga. There is no way to know what devices have a passkey stored for my account.

To me this is an egregious, negligent oversight by Apple that could harm countless domestic abuse victims and stalking victims and anyone who might have a phone stolen, etc.

Apple needs give users complete control over this Passkey Feature. Why are we being forced into this? I want the option to use a passkey, I do not want one created for me. I want a list of passkeys that have been created and on what devices with a log of when they were created and used to access my account. And I want the right to delete and disable them instantly and permanently. I want the right to disable Passkeys as a whole if that’s what’s best for me.

Come on, Apple. I thought you were better than this.