Hi there,
I have a MacBook Pro M1 Max and a nearly identical setup on a Mac Studio, since I work in two different locations.
On the MacBook Pro, whenever I need to fill in a password in Safari, it prompts me for Touch ID, which I think is a great security feature.
But on the Mac Studio, which I use with a Magic Keyboard without Touch ID, I expected Safari to ask for my macOS password each time I try to autofill a password. Or at least every 5 minutes (or any different settings).
Surprisingly, that’s not what happens: Safari just fills in the password automatically.
Even worse, it also automatically authenticates when using a passkey, not just a password.
Passkeys are supposedly very safe and secure, but if anybody can open my bank account just by having physical access to my computer.. this is kinda insecure.
Of course I screen lock my computer when I'm not using it, but hey.. this is kinda stressful.
After reading several posts on Google and Reddit, it seems that this is simply how Safari behaves when there’s no Touch ID keyboard.
Am I the only one who thinks this is a huge security flaw?
Anyone with physical access, or even remote access via screen sharing, can open Safari and autofill any of my saved passwords.
Disabling “Autofill Passwords” in Safari helps a bit, but anyone can just click “Enable Autofill” again and immediately regain access, without entering any password at all.
The only time Safari asks for my macOS password is when I select "other passwords" in the autofill prompt. So I can access any passwords if I know the website, but can't access the whole keychain without entering my session password: seems kinda weird..
The potential hacker just has to guess different websites, and voila.
Worse than that, I set up passkeys for some general accounts I often access, like bank accounts, to not have to 2FA authenticate; for these I can go to the bank accounts in the blink of an eye! No password prompt, nothing.
Honestly, this feels surprisingly amateurish from Apple.
I know I can just buy a Magic Keyboard with Touch ID, but this is kinda weird.. and not comforting to me. I thought Apple OS was really something secure.