My thinking is that Apple will try to gradually replace password-oriented access control with a mix of PKI and key redundancy.
Based on the company's movements towards public-key based two-factor authentication, I think they can reasonably get away with phasing out password-based account recovery by relying on two methods:
1) The user has more than one trusted device authenticated to the iCloud account; account recovery can take place using the other trusted device and passwords are not required
2) The user only has one trusted device; the user has a primary public/private key pair that encrypts all data on the client, but in addition there are 9 backup keys which are generated on the client, never transferred to Apple and (hopefully) written down by the user
In the second scenario, Apple bypasses the obstacle to full PKI-based access control by implementing authenticating key redundancy instead of authenticating device redundancy. User data can be end-to-end encrypted by each key, transferred to iCloud, and if the user loses access to the device they can recover their account data using one of the recovery keys.
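An added sketch of the key-redundancy idea described above, not code from the commenter or from Apple. It assumes symmetric 256-bit keys and envelope encryption (the data is encrypted once under a random data key, and that data key is wrapped under the primary key and each of the 9 backup keys) in place of the public/private key pairs the comment mentions; the names `seal`, `unseal`, `protect` and `recover` are hypothetical.

```ruby
require "openssl"

NONCE_LEN = 12
TAG_LEN = 16

# AES-256-GCM; output layout is nonce || tag || ciphertext.
def seal(key, plaintext)
  c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  c.key = key
  nonce = c.random_iv
  ct = c.update(plaintext) + c.final
  nonce + c.auth_tag + ct
end

# Returns the plaintext, or nil when the key is wrong or the blob was altered.
def unseal(key, blob)
  return nil if blob.bytesize <= NONCE_LEN + TAG_LEN
  d = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  d.key = key
  d.iv = blob.byteslice(0, NONCE_LEN)
  d.auth_tag = blob.byteslice(NONCE_LEN, TAG_LEN)
  d.update(blob.byteslice(NONCE_LEN + TAG_LEN, blob.bytesize)) + d.final
rescue OpenSSL::Cipher::CipherError, ArgumentError
  nil
end

# Client side: encrypt once under a fresh data key, then wrap that data key
# under every client-held key. Only the returned hash would be uploaded.
def protect(data, keys)
  dek = OpenSSL::Random.random_bytes(32)
  { data: seal(dek, data), slots: keys.map { |k| seal(k, dek) } }
end

# Any single key recovers the data; the GCM tag check finds the matching slot.
def recover(vault, key)
  vault[:slots].each do |slot|
    dek = unseal(key, slot)
    return unseal(dek, vault[:data]) if dek
  end
  nil
end

# Constructed sample: 1 primary key + 9 backup keys, all generated locally.
KEYS = Array.new(10) { OpenSSL::Random.random_bytes(32) }
VAULT = protect("constructed sample: user notes", KEYS)
puts recover(VAULT, KEYS[7])                                   # a backup key
puts recover(VAULT, OpenSSL::Random.random_bytes(32)).inspect  # an unknown key
```

What the server holds (`VAULT`) contains only ciphertext and wrapped copies of the data key, so losing the device costs nothing as long as one of the ten keys survives, and revoking a backup key means deleting its slot rather than re-encrypting the data.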