Jeff Johnson (My apps, PayPal.Me, Mastodon)

Passkey privacy issues

September 19 2024

Today I downloaded a copy of my data from https://privacy.apple.com, Apple's Data and Privacy website. (For some reason it took 5 days after my request for the data to be ready for download.) I highly recommend that you download your data too, because you might be shocked how much Apple has on you. Apple's advertisement "What happens on your iPhone stays on your iPhone" appears to be a blatant lie. My purpose in downloading my data wasn't to go on a fishing expedition, though. I was just looking for my old reviews of movies and TV shows on the iTunes store, which were indeed included in the downloads. I like to keep a copy of reviews to remind myself what I've watched and liked or disliked. Anyway, browsing through the data downloads, I found a file "Passkeys Information.csv" (comma-separated values, readable by Numbers app, for one) in the "Apple ID account and device information" section of the data. The contents of this file disturbed me for several reasons.

First, I don't even use passkeys! I've written about passkeys before and why I avoid them. Unfortunately, Apple's passkey implementation requires iCloud Keychain. I don't want to use anyone's cloud service—not Apple's, not Google's, not 1Password's—because I don't want to place my credentials database under someone else's control and because I don't trust the availability and reliability of cloud sync. I prefer to manage credentials myself. Thus, I was surprised to find two passkeys in the "Passkeys Information.csv" file. I don't recall ever creating a passkey.

The CSV file lists the created date and last used date of the passkeys, which were the same: July 25, 2023. Coincidentally, that was the same day I installed iPadOS 17 beta 4:

The latest iPadOS beta seems to have silently enabled iCloud Keychain.

(Although I don’t actually have any passwords on the iPad.)

https://appdot.net/@lapcatsoftware/110776034855270972

I've discussed this bug before. What I didn't realize until now is that enabling iCloud Keychain also automatically generated apple.com passkeys. I must have missed it at the time or forgotten, but Apple automatically assigned passkeys to users of iOS 17, iPadOS 17, and macOS 14 Sonoma. Since passkeys require iCloud Keychain, it makes sense that this happened at the exact same time that iCloud Keychain was (forcibly) enabled on my iPad. However, I seem to have lost the passkeys when I manually disabled iCloud Keychain, because the new Passwords app in iPadOS 18 shows zero passkeys. I have no idea how to revoke the lost credentials on Apple's systems.

Back to the "Passkeys Information.csv" file. It has two rows for the two passkeys (I don't know why there are two rather than one) and eleven columns. The columns are Created Date and Last Used Date, as I've already noted, as well as Credential ID, Device IP Address, Device Name, Device Serial Number, Device UDID, Domain, Hardware Model, Key ID, and Public Key.

The Device IP Address is "NA", fortunately, and the Key ID is 1. The Domain is apple.com. The Hardware Model is iPad, as is the Device Name, which I assume is the same as the name in the About section of General Settings. The Device Serial Number is the last four characters of my iPad's actual serial number and * characters for the rest. The Device UDID is my iPad's actual full UDID, with no characters anonymized. The Credential ID appears to be Base64 for one passkey and a string of hexadecimal digits for the other passkey; I don't know what they represent, but hopefully they're just random. I assume that the Public Key is part of the cryptographic key pair used by passkeys for authentication.
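An added example, not part of the original post and not Apple's code: a small audit script for an export like "Passkeys Information.csv" that reports, per passkey row, how the Credential ID is encoded and which device columns are absent, masked, or present in full. It assumes the file's header row uses the column names exactly as listed above; every value in the sample, including the date format, is constructed.

```python
import base64
import binascii
import csv
import io
import string

# Column names as listed in the post; every value below is constructed sample data.
DEVICE_FIELDS = ["Device IP Address", "Device Name", "Device Serial Number",
                 "Device UDID", "Hardware Model"]
SAMPLE = """Created Date,Last Used Date,Credential ID,Device IP Address,Device Name,Device Serial Number,Device UDID,Domain,Hardware Model,Key ID,Public Key
2023-07-25,2023-07-25,AAECAwQFBgcICQoLDA0ODw==,NA,iPad,********ABCD,00000000-0000000000000000,apple.com,iPad,1,CONSTRUCTED
2023-07-25,2023-07-25,000102030405060708090a0b0c0d0e0f10111213,NA,iPad,********ABCD,00000000-0000000000000000,apple.com,iPad,1,CONSTRUCTED
"""

def decode_id(value):
    """Return (encoding, raw_bytes) for a credential ID; hex is tried first
    because a hex string can also be a syntactically valid Base64 string."""
    v = (value or "").strip()
    if not v:
        return "unknown", b""
    if len(v) % 2 == 0 and all(c in string.hexdigits for c in v):
        return "hex", bytes.fromhex(v)
    try:
        # Accept both standard and URL-safe alphabets, with or without padding.
        std = v.replace("-", "+").replace("_", "/")
        std += "=" * (-len(std) % 4)
        return "base64", base64.b64decode(std, validate=True)
    except (binascii.Error, ValueError):
        return "unknown", b""

def exposure(value):
    """Classify how much of a device field is present in the export."""
    v = (value or "").strip()
    if v in ("", "NA"):
        return "absent"
    return "masked" if "*" in v else "full"

def audit(csv_text):
    """One report per passkey row: credential ID encoding and size, plus the
    exposure level of each device-identifying column."""
    reports = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        encoding, raw = decode_id(row.get("Credential ID", ""))
        report = {"Domain": row.get("Domain", ""), "id_encoding": encoding,
                  "id_bytes": len(raw)}
        report.update({f: exposure(row.get(f)) for f in DEVICE_FIELDS})
        reports.append(report)
    return reports

if __name__ == "__main__":
    for r in audit(SAMPLE):
        print(r)
```

To run it on a real export, read the file's text and pass it to `audit()` in place of `SAMPLE`.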

My question is, why does Apple have all of this personal, private information, stored in plain text? Is that how passkeys always work? Does every website where you log in with a passkey get your device model, name, UDID, and last 4 characters of your device serial number? I have no idea. I don't know how passkeys are implemented. But it's something we ought to know, something that passkey vendors ought to tell us. The privacy implications of widely distributing that information are disturbing. Downloading my data from Apple has brought more questions than answers.
