Yes, but it's end-to-end encryption. The poster could have meant that the plaintext passwords never hit the iCloud. Or I could just be giving them a free way to wiggle out of an argument. :D

The meat of end-to-end encryption is that, "the messages are encrypted by the sender but the third party does not have a means to decrypt them, and stores them encrypted. The recipients retrieve the encrypted data and decrypt it themselves."

But this topic landed me on this page (Apple Support: iCloud security overview) which was very clarifying for me. 128-bit AES encryption is indeed "industry standard", but it can be decrypted. Unless end-to-end encrypted, the private keys would need to be stored on Apple's servers because the same key used to encrypt is the key used to decrypt.

What I'm not really sure about is why law enforcement seems to have readily available access to iCloud Backups but not Messages. That article seems to imply that they would have access to stored messages, but it may be that end-to-end encryption also plays a role in Messages too. If not, hopefully that is introduced here at WWDC. Still reviewing updates! Lots of posts today!
Messages in iCloud also uses end-to-end encryption. If you have iCloud Backup turned on, your backup includes a copy of the key protecting your Messages.

Well, if you enable Messages over the iCloud and iCloud backups, Apple and Authorities can access your msgs through your iCloud backups. Simply because the encryption of your backups is done with Apple's own private key. Once they download your backup and decrypt it with *their* key, they can access your private keys and decrypt your messages by using your private key.

Just Apple Marketing Mumbo Jumbo, to make people feel more secure... :)
And I bet they have plenty of *cough, cough* undiscovered backdoors built in...
 
Messages in iCloud also uses end-to-end encryption. If you have iCloud Backup turned on, your backup includes a copy of the key protecting your Messages.

Well, if you enable Messages over the iCloud and iCloud backups, Apple and Authorities can access your msgs through your iCloud backups. Simply because the encryption of your backups is done with Apple's own private key. Once they download your backup and decrypt it with *their* key, they can access your private keys and decrypt your messages by using your private key.

Just Apple Marketing Mumbo Jumbo, to make people feel more secure... :)
And I bet they have plenty of *cough, cough* undiscovered backdoors built in...
So, are you worried about someone getting a warrant for them to do that? They can get warrants for your own backups at your home too.
 
So, are you worried about someone getting a warrant for them to do that? They can get warrants for your own backups at your home too.
I'm not worried, my stuff is fully encrypted on my own server, far from the internet, with few hardware firewalls in-between, and honeypots. :p Just a gun right on my head might make me decrypt it... but this is very unlikely gonna happen, compared to the higher risk of an attack on Apple's infrastructure and iCloud dumps.

I see "The Fappening Reloaded" coming!
 
Since I'm mostly on Windows PCs now, think I'm going to move away from iPhone & iPad.

This news solidifies it, as how the hell are you supposed to get Apple 2FA on Windows if Safari isn't on Windows?
Hmm, I think you are misunderstanding how this is supposed to work; it would be like the stand-alone authenticator apps from Google or Microsoft, where you have a collection of code generators for 2FA, so even with the other apps it wouldn't matter if you are on Windows or macOS or the browser.
 
I'm not worried, my stuff is fully encrypted on my own server, far from the internet, with few hardware firewalls in-between, and honeypots. :p Just a gun right on my head might make me decrypt it... but this is very unlikely gonna happen, compared to the higher risk of an attack on Apple's infrastructure and iCloud dumps.

I see "The Fappening Reloaded" coming!
The fappening occurred via social engineering and had nothing to do with Apple’s security. Additionally, Apple encrypts user keys and I’m sure they keep their own keys offline.
 
The fappening occurred via social engineering and had nothing to do with Apple’s security. Additionally, Apple encrypts user keys and I’m sure they keep their own keys offline.
Beeeeep - wrong, Apple didn't secure iCloud decently against brute-force attacks.

It was possible to use the info gathered through social engineering and shoot countless passwords against the iCloud authentication interface, which neither limited nor delayed the attempts.

I still can see "The Fappening Reloaded" coming!
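
An added example, not part of any post in this thread: one way an authentication endpoint can limit and delay repeated password attempts, using per-account exponential back-off and a hard lockout. The class, thresholds and account name are hypothetical and describe no real service.

```python
import time


class LoginThrottle:
    """Per-account failure counter with exponential back-off and a hard lockout."""

    def __init__(self, free_attempts=3, base_delay=2.0, max_delay=900.0,
                 lockout_after=10, clock=time.monotonic):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.lockout_after = lockout_after
        self.clock = clock
        self._state = {}  # account -> (consecutive failures, time of last failure)

    def retry_after(self, account):
        """Seconds until the next attempt is allowed; float('inf') if locked out."""
        failures, last = self._state.get(account, (0, 0.0))
        if failures >= self.lockout_after:
            return float("inf")  # only out-of-band recovery clears this
        if failures < self.free_attempts:
            return 0.0
        delay = min(self.base_delay * 2 ** (failures - self.free_attempts), self.max_delay)
        return max(0.0, last + delay - self.clock())

    def attempt(self, account, password_ok):
        """Return 'ok', 'denied', 'throttled' or 'locked' for one login attempt."""
        wait = self.retry_after(account)
        if wait == float("inf"):
            return "locked"
        if wait > 0:
            return "throttled"  # rejected before the password is even checked
        if password_ok:
            self._state.pop(account, None)  # success resets the counter
            return "ok"
        failures, _ = self._state.get(account, (0, 0.0))
        self._state[account] = (failures + 1, self.clock())
        return "denied"


def simulate_guessing(throttle, account, guesses, seconds_between=1.0):
    """Constructed scenario: repeated wrong guesses on one account, fake clock."""
    now = [0.0]
    throttle.clock = lambda: now[0]
    results = []
    for _ in range(guesses):
        results.append(throttle.attempt(account, password_ok=False))
        now[0] += seconds_between
    return results
```

With these defaults, 1000 guesses at one per second result in only 10 passwords actually being checked before the account locks.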
 
Yes, but it's end-to-end encryption. The poster could have meant that the plaintext passwords never hit the iCloud. Or I could just be giving them a free way to wiggle out of an argument. :D

The meat of end-to-end encryption is that, "the messages are encrypted by the sender but the third party does not have a means to decrypt them, and stores them encrypted. The recipients retrieve the encrypted data and decrypt it themselves."

But this topic landed me on this page (Apple Support: iCloud security overview) which was very clarifying for me. 128-bit AES encryption is indeed "industry standard", but it can be decrypted. Unless end-to-end encrypted, the private keys would need to be stored on Apple's servers because the same key used to encrypt is the key used to decrypt.

What I'm not really sure about is why law enforcement seems to have readily available access to iCloud Backups but not Messages. That article seems to imply that they would have access to stored messages, but it may be that end-to-end encryption also plays a role in Messages too. If not, hopefully that is introduced here at WWDC. Still reviewing updates! Lots of posts today!
iMessage is E2EE, iCloud backups aren't. That's why.

Technically Apple could MITM attack iMessage even though it's E2EE, but it has to be more deliberate. Say they want to know what you're telling Bob. They'd make their own set of keys and tell your devices, this public key is Bob's. Then you message Bob, Apple receives the message and reads it, and they relay it to Bob's actual devices.

Anyway, whether or not your data is E2EE, it's considered to be "in the Cloud."
 
And the iCloud backups include the keys to decrypt messages.
In other words, an on purpose backdoor.
I'm not sure about that. I think the messages are just stored in the backups like any other data and are therefore accessible. Where do you see that the iMessage keys are too?

The difference being that if you disable iCloud backups, they shouldn't know how to decrypt your future messages.
 
I'm not sure about that. I think the messages are just stored in the backups like any other data and are therefore accessible. Where do you see that the iMessage keys are too?

The difference being that if you disable iCloud backups, they shouldn't know how to decrypt your future messages.
Right here Sir... https://support.apple.com/en-us/HT202303

Messages in iCloud also uses end-to-end encryption. If you have iCloud Backup turned on, your backup includes a copy of the key protecting your Messages.
 
Noice. 2-Factor was my only hold out with 1Password. Been holding my 1Password license since version 6.
Same here, bought it back in version 6. I need to see how easy this is to use; the other good thing about 1Password is that you can control your database. I need to be sure there is no way I can screw myself over....haha
 
Then just go on your iPhone and under the Password in Settings, just like pressing Authy or whatever else on your phone to log onto something else.
Not following at all. Right now I log into any machine not just my Mac and I can pull up a MFA code via Authy on my phone or watch. Easy. If you're saying moving to keychain means I need to go digging in settings on my iPhone when I need a code is not easy or convenient.

The other reason I hate keychain. Apple has gone out of their way to prevent exporting. So secure if I want to move passwords elsewhere I can manually copy them to Keepass over a couple hours.

Great features if you only use Keychain. As always doesn't play well with others because Apple.
 
Right here Sir... https://support.apple.com/en-us/HT202303

Messages in iCloud also uses end-to-end encryption. If you have iCloud Backup turned on, your backup includes a copy of the key protecting your Messages.
Below it, it says
> When you turn off iCloud Backup, a new key is generated on your device to protect future messages and isn't stored by Apple.

So if you have it off then turn it on, I'm not sure if they also change the keys so Apple doesn't instantly gain access to your old messages that you don't have stored but they might.
 
Need password protection for Authenticator app. When someone snatches your phone while unlocked all these 2-factor passwords are exposed.
 
Hmm, I think you are misunderstanding how this is supposed to work; it would be like the stand-alone authenticator apps from Google or Microsoft, where you have a collection of code generators for 2FA, so even with the other apps it wouldn't matter if you are on Windows or macOS or the browser.
Until Apple says that it will be available on Windows, then I’m expecting that you must use Safari or on a Mac, iPhone, or iPad.

Apple’s track record with Windows apps sucks and not expecting it to get better.
 
Don't know what I'll do...
On one hand I'm satisfied with authy, on the other I'd love to minimize the amount of accounts and apps in my digital life.

We'll see...
 
Until Apple says that it will be available on Windows, then I’m expecting that you must use Safari or on a Mac, iPhone, or iPad.

Apple’s track record with Windows apps sucks and not expecting it to get better.
Ages ago, back in early high school, I had a first gen iPod shuffle (actually my first Apple device) and I remember how awful iTunes was on Windows...
Dark days indeed...
 
Below it, it says
> When you turn off iCloud Backup, a new key is generated on your device to protect future messages and isn't stored by Apple.

So if you have it off then turn it on, I'm not sure if they also change the keys so Apple doesn't instantly gain access to your old messages that you don't have stored but they might.
Apple has the access key to open messages that are stored in the cloud. That is why it is not a good idea to use iMessage in the cloud or back up your devices to the cloud. When you do that, an access key (Apple backdoor) is also uploaded. That is how Apple can gain access to turn your stuff over to the authorities.
 
I would never ever use these authenticators. I lost my iPhone a couple of years ago and had no way to regain access to accounts that.
 