But they can't hack your Google or iCloud account if it's secured with a passkey, unless they have some other non-phishing means of doing so, which the attacker in this story presumably did not.

▲

Symbiote 4 days ago | parent [-]

I had to reset the 2FA for a domain admin account for Google Apps earlier this year — I'm not sure if my password manager somehow lost the passkey, or if I missed creating one before some deadline. (It's a little-used domain.)

I think I requested the reset with various details, then had to wait 24 hours before continuing.

	▲	acdha 4 days ago \| parent [-]
		I feel like a lot of things would benefit from that time delay and, perhaps, an in person check like the notary ID verification AWS used to use. About a decade ago I had suggested to Google at an identity forum that they embrace a local government/organization model for their hard-landing account recovery process (since it can ultimately devolve to an ID check) by having a mechanism where you can start the account reset process and get something which could be taken to a third party to approve after they do an ID check. As people increasingly depend on things like email accounts for everything there are a constant stream of people who will lose access to their phones but could easily visit a notary, library, DMV, police station, etc. and pass a check against a pre-registered government ID.