I’m not quite sure how that works actually. Is it a proprietary Google thing, or just Google’s implementation of a standard? I’ve seen some comments above by people using different tools - do sites need to explicitly support those tools, or can you use them anywhere where Google Authenticator would work?

It's a Google implementation of the standard. You can read the RFC here (https://tools.ietf.org/html/rfc6238).

I used to use google authenticator until it wiped out all my codes during an upgrade. Wow, those were a pain to replace. Never again.
FWIW, Microsoft is already coming up behind you, if you're wondering to whom those footsteps you're hearing belong.
Lol, you just compared iCloud keychain to a password manager w/ zero mobile support..... that is dependent on paying a subscription.
Let that last part sink in.
Wouldn't that be essentially ransomware at that point? 2 years into retirement... you no longer have ANY need to rent Office365; yet like clockwork, you get notices that if you let your subscription lapse, you’ll no longer have access to your passwords.
Sounds messy.
 
Lol, you just compared iCloud keychain to a password manager w/ zero mobile support..... that is dependent on paying a subscription.
Let that last part sink in.
Wouldn't that be essentially ransomware at that point? 2 years into retirement... you no longer have ANY need to rent Office365; yet like clockwork, you get notices that if you let your subscription lapse, you’ll no longer have access to your passwords.
Sounds messy.

This is a perfect example of why the average consumer has no privacy or security these days. Save a few bucks by selling your privacy particularly for a security-critical product.

How is a free password service going to make money? By selling your personal data. I remember not that long ago, one free password manager came up with stats like what the most common passwords were. I wonder how they got that info?

Even if they aren't looking at your passwords, they're going to track the sites you use them on. What do you think a browser extension that scans every webpage for password fields is going to do?

Apple is doing the same thing. Except instead of a subscription, you're going to have to buy new Apple hardware when the new iOS version featuring some new password feature isn't supported on your old phone.
I am surprised by this, to be honest. Seems too complicated for Apple, who won't even let me lock individual apps or at least the "hidden" album. I encounter so many people who do not understand it as it is. Starting with my family. So many calls from aunts and uncles alike asking me what their passwords are, let alone what "2 factor authentication" is :D

"Why is my password not working? It's correct!"
- "Which one are you using?"
"The one from my email? It's called Gmail, no?"
- "That's not your Apple ID password ..."
"What is ID Apple? Huh?"
"Now it is asking me security questions and I don't understand how Apple knows what my favorite book is?!? That is scary."
The correct answer is another question... why in the world are you using SMS for 2FA?

Because many services only support SMS for 2FA, including banks, cell phone companies, utilities, etc. It's an issue of user access and recoverability.

One, grandma is never going to figure out Google Authenticator TOTP type systems. Second, if you lose your phone, you can get a new one on the same number by going to your phone company. People are never going to manage printed out backup codes and there's real situations where those would normally be lost, i.e. house burned down.

Despite all the whining from security nerd bloggers, SMS 2FA offers a reasonable trade-off between usability, availability and security for low to medium risk applications.
 
Ooh, I’d love an Apple alternative to Google Authenticator.

Sites tend to mention Google Authenticator specifically, but as others have said this is all based on a standard - there's nothing magical about Google's implementation. I like the iOS app OTP Auth for this purpose.

I'd like to find a well-made macOS implementation that wasn't basically just an iOS app running on Catalina. The interfaces for these apps all tend to be way too phone-camera centric. The few I've tried on my Mac are all painfully clunky to use.
No thanks. I'll stick with an open source password manager and a separate MFA solution. Sticking both into the same cloud-based service is asking for trouble.
 
Sites tend to mention Google Authenticator specifically, but as others have said this is all based on a standard - there's nothing magical about Google's implementation. I like the iOS app OTP Auth for this purpose.

I'd like to find a well-made macOS implementation that wasn't basically just an iOS app running on Catalina. The interfaces for these apps all tend to be way too phone-camera centric. The few I've tried on my Mac are all painfully clunky to use.

That is why I love the 2FA feature in 1Password. It is usually easy to set up and even easier to use. The only reasons I would not use 1P for 2FA are: (a) the website does not support TOTP 2FA, (b) 1Password itself (I use Microsoft Authenticator for that), (c) Microsoft websites and (d) Apple. (I wish Apple would allow the use of 2FA other than their current implementation; from what I have seen, it is just a TOTP implementation.)
It needs a vault like other password managers and work with different browsers and platforms for me to consider it. For now, I use Bitwarden.
The GUI of Keychain is horrendous; it feels like a black box to me. That's why I don't store anything in the Keychain but use the free open source Bitwarden password manager instead. All the features I need are there, with good apps and cross-platform support. I don't see Apple offering a compelling alternative....
Maybe that's why I never use it. I admin my passwords through Safari, almost never open Keychain, and almost never have to. Perfectly happy, nothing to see here folks.
If this works as well as 1Password, I’ll be looking forward to dropping it.
My wife used 1Password. It became corrupted and she lost all her passwords. Not saying there wasn't any user error, I never speak for others, but that kind of sucks. I use iCloud passwords, always have. It's awesome; I could care less about any of the "this pwd mgr is better than that one" stuff. iCloud works, and I am totally happy with it.
 
I'd love to see iCloud Keychain automatically adapt their 'Suggest' feature to specific password requirements. Some sites do not allow dashes, while others require a special character.
I think that heavily depends on either a widely implemented standard for sites to describe their password rules (which would be ideal), or Apple maintaining a huge (and constantly changing) list of rules discerned for tens of thousands of websites (which would be a mess).
I moved to Authy (free) around a year ago. Much better. Plus it will sync across devices and has a backup/restore option.
I moved from Authy (a year or two ago) to 1Password's built-in 2FA handling. Much better than Authy. When I fill in a password using 1Password, it copies the necessary one-time code to the clipboard so it's easy to fill in. I also have the one-time codes available in the 1Password app on my watch. Also, Authy's "backup" system creeped me out a little, while the 2FA codes in 1Password are handled just like all the other passwords, with all the same security options.
I'd like to find a well-made macOS implementation that wasn't basically just an iOS app running on Catalina. The interfaces for these apps all tend to be way too phone-camera centric. The few I've tried on my Mac are all painfully clunky to use.
I've been very happy with the way 1Password handles 2FA. Worth a look.
 
Ooh, I’d love an Apple alternative to Google Authenticator.

I’m not quite sure how that works actually. Is it a proprietary Google thing, or just Google’s implementation of a standard? I’ve seen some comments above by people using different tools - do sites need to explicitly support those tools, or can you use them anywhere where Google Authenticator would work?
It's an open standard (or two actually - TOTP, and the less common HOTP), but it is often referred to as Google Authenticator. I believe the standard started life at Google.

I'm a big fan of https://cooperrs.de/otpauth.html and the companion Mac app.
Syncs via iCloud, works in Safari, has a notification bar widget, very slick.
I used to use google authenticator until it wiped out all my codes during an upgrade. Wow, those were a pain to replace. Never again.
I'm not defending google's app at all, but did you not have recovery codes saved somewhere? The recommendation is usually to print them, but I've got mine all stored in notes entries in my iCloud Keychain.
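The two posts above (the one pointing at RFC 6238 and the one noting that "Google Authenticator" is really the open TOTP/HOTP standards) are the whole story of why any authenticator app works on any site: the code is just HMAC over a shared secret and a counter, where TOTP derives the counter from the clock. Below is an added, self-contained Python implementation that is not code from the thread or from any of the apps mentioned; it uses the published RFC 4226/6238 test-vector secret (the ASCII string "12345678901234567890", whose Base32 form is the familiar GEZDGNBVGY3TQOJQ...) as constructed input, and the server-side verify routine with its drift window, constant-time compare and replay rejection is my own illustration of how a site should check a submitted code.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) from scratch, with a server-side check.
Added example for the thread; not code from any authenticator app."""
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F                       # low nibble of last byte picks the window
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros ("07081804")


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1, t0: int = 0) -> str:
    """RFC 6238: HOTP where the counter is the number of time steps since t0."""
    return hotp(secret, (unix_time - t0) // step, digits, algo)


def decode_base32_secret(text: str) -> bytes:
    """Secrets in QR codes / otpauth:// URIs are Base32, often unpadded and spaced."""
    clean = text.replace(" ", "").upper()
    clean += "=" * (-len(clean) % 8)                 # restore padding b32decode insists on
    return base64.b32decode(clean)


def verify_totp(secret: bytes, candidate: str, unix_time: int, last_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6, algo=hashlib.sha1):
    """Server-side check of a submitted code.

    Accepts codes from +/-window time steps to tolerate clock drift, compares in
    constant time, and refuses any counter <= last_counter so a code that was
    already accepted cannot be replayed within its validity window.
    Returns (ok, counter_to_store); the caller persists counter_to_store per user.
    """
    current = unix_time // step
    for drift in range(-window, window + 1):
        counter = current + drift
        if counter <= last_counter:
            continue                                 # already consumed: replay attempt
        if hmac.compare_digest(hotp(secret, counter, digits, algo), candidate):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    # RFC 6238 Appendix B vector: secret "12345678901234567890", 8 digits, SHA-1
    rfc_secret = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    for t in (59, 1111111109, 1234567890):
        print(t, totp(rfc_secret, t, digits=8))
    ok, stored = verify_totp(rfc_secret, "94287082", 59, digits=8)
    print("first use:", ok, "replay:", verify_totp(rfc_secret, "94287082", 59, stored, digits=8)[0])
```

The assertions below use the RFC 6238 Appendix B vectors (T=59 gives 94287082, T=1111111109 gives 07081804, T=1234567890 gives 89005924) and the RFC 4226 HOTP vectors for counters 0 and 1; any app that prints those values for that secret is standard-conformant, which is exactly why site support for "Google Authenticator" means support for all of them.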
And be cross-platform. Even if you were willing to trust such information to a service provided by Apple.

Cross platform, sure. But I'm not sure how Apple is any less trustworthy than 1Password, etc. Besides, isn't the idea behind these things that they're encrypted on your device and only exist in the cloud in encrypted form?
I'm not defending google's app at all, but did you not have recovery codes saved somewhere? The recommendation is usually to print them, but I've got mine all stored in notes entries in my iCloud Keychain.

I didn't know to do this when I first started setting up the codes, and lost a bunch on an iPhone upgrade a few years ago. Was irritating to set them all back up, but I did get back into all my accounts. Definitely worth taking a screenshot when you set up 2FA, as long as you're careful about where you keep them.

Now I keep all the QR codes in a folder inside a strongly encrypted .dmg disk image which I keep on my hard drive and also copied to a couple other places including iCloud Drive and Dropbox. Similar strategy to yours but a bit more portable I think.
Despite all the whining from security nerd bloggers, SMS 2FA offers a reasonable trade-off between usability, availability and security for low to medium risk applications.

I don't think it's whining. People have been hacked through phone number hijacking attacks. So, if a more secure alternative exists why not use it?

But yeah, a lot of banks and other orgs are still in the stone age and insist on texting login codes. I read somewhere that it's a bit more secure to at least tie your SMS 2FA to a Google Voice number you don't use for anything else. Harder for an attacker to hijack, and it's a number that's not floating around out in the world like your main cell number.
 
I deploy MDM to BYOD and company-issued iPhones for execs and designated staff. Not having to download a separate app is very appealing to administrators, since it's one less app the end user will have to download when configuring the device for corporate access.
 
Can anyone share the shortcut that lets me go directly to iCloud passwords from the home screen instead of opening Settings first?
 
Until I can use it cross platform (including Linux), store other info (like custom router info), share vaults, a way to recover passwords, and others... no go for me.
 
Yea... I don’t want all of my credentials held hostage on Apple platforms. I’ll stick to LastPass.
 
I don't think it's whining. People have been hacked through phone number hijacking attacks. So, if a more secure alternative exists why not use it?

TOTP is vulnerable to MITM/phishing attacks, so you shouldn't use it either. In fact, it is trivial to exploit when you just throw up an extra screen on the phishing page. Indeed, Google Advanced Protection blocks TOTP, along with SMS.
 