Now I keep all the QR codes in a folder inside a strongly encrypted .dmg disk image which I keep on my hard drive and also copied to a couple other places including iCloud Drive and Dropbox. Similar strategy to yours but a bit more portable I think.
That isn't really what I meant.

Services that offer 2FA will almost always (I've never seen it not done) generate about ten or a dozen "recovery keys" that look like any other generated code. The idea is that if you don't have access to your normal second factor (i.e. 2FA app on some device) you can use one of the recovery keys - no need to set up a new 2FA app or anything, you just enter the key. Once one is used, it's not reusable.
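As an added illustration of the single-use recovery keys described above (example code written for this thread, not by the poster or any of the apps mentioned), here is a Go model of the server side: codes are random, shown to the user once, stored only as hashes, and each one stops working the moment it is redeemed. The type and function names (RecoveryStore, GenerateRecoveryCodes, Redeem) and the xxxx-xxxx-xxxx-xxxx format are my own assumptions, not any particular service's implementation.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// RecoveryStore is the server-side record for one account. It keeps only a hash
// of each unused code, so a database leak does not hand out working codes.
// (Assumed design: a production service would use a slow, salted hash such as
// bcrypt or Argon2 here to make an offline guess of a leaked hash expensive.)
type RecoveryStore struct {
	unused map[string]struct{} // hex(SHA-256(normalised code)) -> present while unused
}

// normalise lets users type the code with or without hyphens and in any case.
func normalise(code string) string {
	return strings.ToLower(strings.ReplaceAll(strings.TrimSpace(code), "-", ""))
}

func hashCode(code string) string {
	sum := sha256.Sum256([]byte(normalise(code)))
	return hex.EncodeToString(sum[:])
}

// GenerateRecoveryCodes returns n random 64-bit codes shown as xxxx-xxxx-xxxx-xxxx.
// The plaintext list is returned exactly once for display; only hashes are kept.
func GenerateRecoveryCodes(n int) ([]string, *RecoveryStore, error) {
	store := &RecoveryStore{unused: make(map[string]struct{}, n)}
	codes := make([]string, 0, n)
	for len(codes) < n {
		var b [8]byte
		if _, err := rand.Read(b[:]); err != nil {
			return nil, nil, err
		}
		raw := hex.EncodeToString(b[:]) // 16 hex characters
		code := raw[0:4] + "-" + raw[4:8] + "-" + raw[8:12] + "-" + raw[12:16]
		h := hashCode(code)
		if _, dup := store.unused[h]; dup {
			continue // astronomically unlikely, but keep every code unique
		}
		store.unused[h] = struct{}{}
		codes = append(codes, code)
	}
	return codes, store, nil
}

// Redeem accepts a code exactly once: a successful use deletes its hash,
// so the same key entered a second time is rejected.
func (s *RecoveryStore) Redeem(code string) bool {
	h := hashCode(code)
	if _, ok := s.unused[h]; !ok {
		return false
	}
	delete(s.unused, h)
	return true
}

// Remaining tells the account owner how many codes are left, a cue to regenerate.
func (s *RecoveryStore) Remaining() int { return len(s.unused) }

func main() {
	codes, store, err := GenerateRecoveryCodes(10)
	if err != nil {
		panic(err)
	}
	fmt.Println("show these to the user once:", codes)
	fmt.Println("first use:", store.Redeem(codes[0]), "second use:", store.Redeem(codes[0]))
	fmt.Println("remaining:", store.Remaining())
}
```

The point the poster makes, that a used key is "not re-usable", falls out of Redeem deleting the hash; the normalisation step is there so a key copied from a printout or a notes entry is accepted regardless of case or hyphens.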
 
That isn't really what I meant.

Services that offer 2FA will almost always (I've never seen it not done) generate about ten or a dozen "recovery keys" that look like any other generated code. The idea is that if you don't have access to your normal second factor (i.e. 2FA app on some device) you can use one of the recovery keys - no need to set up a new 2FA app or anything, you just enter the key. Once one is used, it's not reusable.

Apple doesn't offer recovery keys anymore.

I suspect if you ask people to use it, the majority will have misplaced the piece of paper. Having to keep track of a recovery key and another item to restore every time I get a new phone is one reason why I simply don't bother doing 2FA on less-critical services.

TOTP-based 2FA is obsolete, in that it doesn't protect against phishing, is a hassle to use, doesn't fix password problems, and is not scalable. I have several hundred passwords saved; am I going to have several hundred pieces of paper with recovery codes?
 
Apple doesn't offer recovery keys anymore.
Well I did say most.

I suspect if you ask people to use it, the majority will have misplaced the piece of paper.
Which is literally why I explained a different practice I use, that does not rely on a piece of paper.

Having to keep track of a recovery key and another item to restore every time I get a new phone
If you choose to use a **** implementation like Google's, that's on you. There are numerous 2FA client apps that will not require you to use a recovery key and then set up everything again.

TOTP-based 2FA is obsolete
... obsoleted by what?

it doesn't protect against phishing
Perfect is the enemy of good, and all that. What do you propose as an alternative?

is a hassle to use

Completely subjective, based on the implementation you use.

doesn't fix password problems

Why would it? A good password manager fixes most password problems.

not scalable
Scalable to what? It's a random number generated from a shared seed + time, the hardware requirements are hardly demanding.
I have several hundred passwords saved, am I going to have several hundred pieces of paper with recovery codes?
No, see my earlier point about a better alternative.
 
... obsoleted by what?

FIDO2. In fact, its predecessor U2F fixed the MITM problem. Again, this huge hole is why Google Advanced Protection specifically blocks TOTP.

Perfect is the enemy of good, and all that. What do you propose as an alternative?

FIDO2

Why would it? A good password manager fixes most password problems.

FIDO2 fixes the password problem in one device; Microsoft is already using this for passwordless login.

Scalable to what? It's a random number generated from a shared seed + time, the hardware requirements are hardly demanding.

FIDO2 (as well as its predecessor U2F) in its normal mode is stateless while privacy preserving, allowing an infinite number of sites on any token or authenticator. This is important in applications like smart card or TPM/SE tokens where storage is highly limited.

Another issue is that TOTP is symmetric and therefore the server needs to store the same keys your phone does in a secure manner. If the data is leaked, the token is completely compromised. FIDO2 is a public key system, so the information on the server is useless if leaked.
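To make the two claims above concrete (the server holds only public material, and a relayed phish fails because the origin is bound into what gets signed), here is an added Go model of a FIDO-style challenge-response. It is example code written for this thread, not the poster's and not the WebAuthn wire format: the Authenticator/Server types, the origin-plus-challenge digest and the constructed origins "https://accounts.example" and "https://accounts-example.invalid" are my own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the token. The private key is generated inside it and
// never exported; on real hardware it lives in the secure element.
type Authenticator struct {
	priv *ecdsa.PrivateKey
}

// Server models the relying party. After registration it stores only the public
// key, so a leak of this record gives an attacker nothing that can sign a login.
type Server struct {
	origin string // the origin the relying party expects the browser to report
	pub    *ecdsa.PublicKey
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// Register hands the server the public half only.
func (a *Authenticator) Register(s *Server) {
	s.pub = &a.priv.PublicKey
}

// NewChallenge issues fresh random bytes per login so an old assertion cannot be replayed.
func (s *Server) NewChallenge() ([]byte, error) {
	ch := make([]byte, 32)
	_, err := rand.Read(ch)
	return ch, err
}

// assertionDigest is the value actually signed: a hash over the origin the
// browser observed and the challenge. Binding the origin is what defeats a relay.
func assertionDigest(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator so the origin/challenge boundary is unambiguous
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign is the browser-plus-token side. The browser, not the web page, supplies
// observedOrigin, so a look-alike site cannot claim to be the real one.
func (a *Authenticator) Sign(observedOrigin string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, assertionDigest(observedOrigin, challenge))
}

// Verify recomputes the digest with the server's own origin, so a signature the
// genuine token produced for any other origin fails.
func (s *Server) Verify(challenge, sig []byte) bool {
	if s.pub == nil {
		return false
	}
	return ecdsa.VerifyASN1(s.pub, assertionDigest(s.origin, challenge), sig)
}

func main() {
	auth, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	srv := &Server{origin: "https://accounts.example"} // constructed origin
	auth.Register(srv)

	ch, _ := srv.NewChallenge()
	sig, _ := auth.Sign("https://accounts.example", ch)
	fmt.Println("login from the real origin verifies:", srv.Verify(ch, sig))

	// Same token, same challenge, but the browser reports a look-alike origin
	// (constructed, reserved .invalid TLD): the server rejects the assertion.
	relayed, _ := auth.Sign("https://accounts-example.invalid", ch)
	fmt.Println("relayed assertion verifies:", srv.Verify(ch, relayed))
}
```

Compare this with a TOTP verifier: there the server must store the same seed the phone has, and anyone holding a copy of the database can mint codes. Here the Server struct contains nothing but the public key and its own origin, and the per-login challenge plus origin binding is what U2F introduced to close the MITM hole.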
 
Safari already supports this via USB keys. Maybe Apple will add a soft token feature to support this. The Secure Enclave on iOS could definitely be used for that - but on a Mac I don't know if they have hardware which can provide the same primitives - maybe the T2?

Better security is a welcome addition but to claim that TOTP is not required because FIDO2 exists is to deny reality. Big sites, particularly where the company has a strong technical background already support things like FIDO2, but there have been TOTP solutions available as simple plugins for very basic websites (i.e. anyone with a Wordpress blog - the complete opposite of "strong technical background").
 
A warning ?? That's the best Apple can do? Seriously ?

You're forced to use strong passwords at the Apple ID website, but in iCloud Keychain it's only a warning? Sometimes I can't get Apple. It's for syncing across Macs and iOS devices...

The way Apple does things, I would have thought that word wouldn't even be in their vocabulary bank.

Perhaps some apps wouldn't comply with the extra security?
 
Cross platform, sure. But I'm not sure how Apple is any less trustworthy than 1Password, etc. Besides, isn't the idea behind these things that they're encrypted on your device and only exist in the cloud in encrypted form?
Apple's done a great job to date demonstrating their general incompetence wrt cloud services. I *never* put anything in any of their services I can't afford to lose.
 
I moved to Authy (free) around a year ago. Much better. Plus it will sync across devices and has a backup/restore option.

While moving from Authy and Bitwarden to a new and improved keychain would be nice, it needs (a) a total re-write of the MacOS app (b) an iOS app and (c) access from non-Apple apps such as Firefox. Until all three exist I'll stick with my current options.

None of these apps should have a backup/restore solution!
 
It's an open standard (or two actually - TOTP, and the less common HOTP), but it is often referred to as Google Authenticator; I believe the standard started life at Google.

I'm a big fan of https://cooperrs.de/otpauth.html and the companion Mac app.
Syncs via iCloud, works in Safari, has a notification bar widget, very slick.

I'm not defending google's app at all, but did you not have recovery codes saved somewhere? The recommendation is usually to print them, but I've got mine all stored in notes entries in my iCloud Keychain.
Thanks dude, and thanks everyone else who answered my question!

I tried several apps and I settled on OTPAuth as you recommended. Seemed to have the best interface on iPhone and iPad (I’ll try Mac later), and just uses iCloud for syncing, not their own servers.
 
Thanks dude, and thanks everyone else who answered my question!

I tried several apps and I settled on OTPAuth as you recommended. Seemed to have the best interface on iPhone and iPad (I’ll try Mac later), and just uses iCloud for syncing, not their own servers.
The Mac app is a catalyst app so it looks pretty similar to the iPad version, I’d imagine (I don’t have an iPad to confirm).

That it just uses iCloud (but can also export an encrypted backup to any storage you prefer) was a big plus for me too.

The trend for app developers to roll their own “cloud” for their app syncing needs is getting a bit ridiculous to me.
 
The trend for app developers to roll their own “cloud” for their app syncing needs is getting a bit ridiculous to me.

Makes sense for cross platform apps I suppose. I prefer to stick with Apple and Apple-first apps (like Pixelmator) for such reasons.
 
A warning ?? That's the best Apple can do? Seriously ?

You're forced to use strong passwords at the Apple ID website, but in iCloud Keychain it's only a warning? Sometimes I can't get Apple. It's for syncing across Macs and iOS devices...

The way Apple does things, I would have thought that word wouldn't even be in their vocabulary bank.

Perhaps some apps wouldn't comply with the extra security?

What would you like Apple to do? They can’t force you to use any particular password.
 
Apple's done a great job to date demonstrating their general incompetence wrt cloud services. I *never* put anything in any of their services I can't afford to lose.
Huh, ok. That hasn't really been my experience. I moved from Dropbox to iCloud Drive a couple years ago and it's been very solid. I miss Dropbox's transparency about what's syncing and when, but other than that I'm very happy with the switch. Same with the other iCloud services like Photos -- they run rock solid for me and without the horrible crapware that Dropbox started turning into.

As far as trust, I don't entirely trust ANY cloud service. After all, it's a server I don't control, so I always make sure to maintain full control of my own files. I have my iCloud Drive and iCloud Photos set to download everything onto my main iMac, and from there have local backups via Time Machine and a separate Carbon Copy Cloner drive kept offsite in case of disaster. If iCloud takes a dump on me, I still own my data.

On my secondary machines (laptop, iPhone), I have the luxury of using iCloud to sync whatever I'm actively using and nothing else -- but I know that main machine has the master version and backups. I'd be mighty uncomfortable just trusting iCloud (or Dropbox or Google) with my only copy of everything.
 
I looked into restarting iCloud Keychain and, well, NOT:
It seems Keychain has no decent way of editing entries, and over the years it has accumulated tons of junk,
just a wasteland of dead devices, websites and their permissions.

With Apple's crippling lack of quality, high cost and lack of customer support, I'm reluctant to go deeper into the Apple environment.
 