can be lost if:

  • the user loses access to their account (Apple, Windows, Google) or all devices (especially if on Android with a pre-passkey webAuthN implementation) and loses all recovery paths

  • the user loses access to encrypted information by irrecoverably forgetting the passcode

  • the user intentionally resets all devices or deletes their account

Non-duress attacks include:

  • zero-day exploits affecting the secure hardware

  • physical theft of a device, combined with a biometric workaround or an insecure passcode NEW: Apple has included an upgraded security model which avoids an attacker being able to take over a device and Passkeys simply by knowing the passcode. Obi will recommend this to users, as well as any Android equivalent.

Last updated