This definitely needs to be improved!
Google is the same. If you have the PIN to the phone, you can change the Google password so could lose access to everything.
One of the reasons I use Samsung Pay is it has a dedicated PIN. You can’t bypass the biometrics for payments with the phone passcode like Apple/Google allows.
It’s a concern that after the LastPass issues, I know a few people who are saying they’ll just store everything in Apple/Google. I considered it, but this is the downside of doing that.
That is the problem, when a device becomes the centre of your identity. You need to treat it as such, but most people don’t.
My OTPs are protected by a separate passcode and FaceID, the same for my passwords.
Additionally, my bank requires a separate TAN generator, which works with my card. I have to insert my bank card into the device and hold it against the screen to read animated barcodes; it then generates a unique TAN that is only valid for the recipient bank account and the value of the transaction. This also stops man-in-the-middle attacks, because the account number displayed on the device and the amount of the transaction wouldn’t match what you had entered, so you wouldn’t enter the TAN into the app/browser.
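The transaction-bound TAN flow described in the comment above, as an added example that is not from the thread or any bank's software: the real generator derives the TAN from a cryptogram computed by the inserted EMV card, and HMAC-SHA256 over a constructed per-card secret stands in for that here (an assumption); the IBANs, amounts and counter are constructed sample values. It shows both checks the scheme relies on: the user comparing the generator's display against what they typed, and the bank verifying the TAN against the transaction it actually received.

```python
import hmac
import hashlib

# Added example, not from the thread: models the chipTAN-style flow described above.
# Real generators derive the TAN from an EMV cryptogram computed by the inserted card;
# HMAC-SHA256 over a constructed per-card secret stands in for that (an assumption).
CARD_SECRET = b"constructed-per-card-secret"
INTENDED = ("DE00111122223333444455", 12_50)   # recipient IBAN and amount (cents) the user typed
ATTACKER = ("DE99888877776666555544", 999_00)  # values an attacker in the middle would prefer

def generate_tan(card_secret: bytes, iban: str, amount_cents: int, counter: int) -> str:
    """Card-side TAN bound to recipient, amount and a per-card transaction counter."""
    msg = f"{iban}|{amount_cents}|{counter}".encode()
    digest = hmac.new(card_secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

def bank_verifies(card_secret: bytes, iban: str, amount_cents: int, counter: int, tan: str) -> bool:
    """Bank recomputes the TAN over the transaction it actually received."""
    expected = generate_tan(card_secret, iban, amount_cents, counter)
    return hmac.compare_digest(expected, tan)

def transfer(flicker: tuple, submitted: tuple, counter: int = 7) -> str:
    """One transfer attempt.
    flicker   - recipient/amount encoded in the animated barcode the generator reads and displays
    submitted - recipient/amount the browser actually sends to the bank
    Returns "accepted", "user refused" or "bank rejected"."""
    shown_iban, shown_amount = flicker
    # Check 1: the user compares the generator's display with what they entered.
    if (shown_iban, shown_amount) != INTENDED:
        return "user refused"
    tan = generate_tan(CARD_SECRET, shown_iban, shown_amount, counter)
    # Check 2: the TAN only verifies over the exact recipient and amount it was bound to.
    sub_iban, sub_amount = submitted
    if not bank_verifies(CARD_SECRET, sub_iban, sub_amount, counter, tan):
        return "bank rejected"
    return "accepted"

if __name__ == "__main__":
    print(transfer(INTENDED, INTENDED))   # honest browser: accepted
    print(transfer(ATTACKER, ATTACKER))   # attacker rewrites everything: user sees the mismatch
    print(transfer(INTENDED, ATTACKER))   # attacker shows honest values, submits its own: TAN fails
```

The counter is what keeps a captured TAN from being replayed for a second identical transfer; the display check is the only thing that protects the user if the attacker rewrites the flicker code and the submission consistently.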
One potential problem with Apple devices (and maybe Android ones) is the ability to use that device to authorize another one to be added into your “profile”. What if the thief steals your phone unlocked long enough to add the thief’s chosen device to your account to sync all your data and then arranges for you to think your phone is returned to you. Would you know enough to find that device in the list and remove it? I don’t know if the servers treat newly added devices any special way… and if they did, wouldn’t that be annoying when you added the device yourself?
Yes, I think Apple needs to really change the way they do that. I really wish. They should make you use both Face ID and passcode to authenticate a new device.