It isn't much better with being stuck with only being able to have codes active in one app. If Authy, OTP Auth, or another 2FA app goes down and you use that app, it makes life very messy. It would be nice to be able to have codes loaded in 2 different apps to help prevent a bad scenario.
That’s why you should always, always, always save the recovery codes generated when you enable TOTP based 2FA.

If you use something like 1Password, you can save them there (something you still can’t do in Apple’s anemic password management). You can also take a screen cap of the QR code (or save the text string) and re-seed 2FA apps at a later date, although this doesn’t always work as some sites also cycle those codes.
 
Messages in iCloud also uses end-to-end encryption. If you have iCloud Backup turned on, your backup includes a copy of the key protecting your Messages.

Well, if you enable Messages over the iCloud and iCloud backups, Apple and Authorities can access your msgs through your iCloud backups. Simply because the encryption of your backups is done with Apple's own private key. Once they download your backup and decrypt it with *their* key, they can access your private keys and decrypt your messages by using your private key.

Just Apple Marketing Mumbo Jumbo, to make people feel more secure... :)
And I bet they have plenty of *cough, cough* undiscovered backdoors built in...

Yeah that’s why Apple launched a very public and potentially very damaging campaign against the FBI for asking them to decrypt phones. It was all just an elaborate ruse to cover all their “undiscovered backdoors.” 🙄
 
Yeah that’s why Apple launched a very public and potentially very damaging campaign against the FBI for asking them to decrypt phones. It was all just an elaborate ruse to cover all their “undiscovered backdoors.” 🙄
As you said, a campaign a.k.a. marketing, till probably the National Security Letter flew in, prohibiting them to continue talking about and prohibiting them to close these poorly hidden backdoor through the non-encryption of iCloud backups, and probably more.

Or do you really believe a company like Apple can’t build a fully encrypted iCloud service? It’s all made on purpose, with ways to access all the data, the 0815 employee can’t for sure, but there are ways.
 
That’s what I’m doing, sticking with 1 password. What I’m curious about is what Apple will do in terms of future app approval of features with apps like enpass and 1Password when their 2FA comes out.
I feel like they should be okay (or so I hope)? I mean one-time 2FA is just a very small part of what Apple doesn't offer. 1Password also offers other, more advanced features.

If you don't mind me asking, do you use 1Password online subscription? I have a very old license I bought many years ago, it still works and I'm very happy that 1password is still working on the current OS. But I suspect that won't last for a couple more years. Also, as the family gets bigger it helps to be able to share passwords and such. My biggest hang up is that the new 1password is stored online. I wonder how secure it is...
 
Very good this one! I wonder if we will be able to import the codes from our other existing 2FA apps into this one? With some sites/services it is not so easy to regenerate the keys.
 
I don't understand 2FA apps, how does it know it's me? What happens if I lose the device or delete the app?

When it's a phone number, I can always go back to the telephone company and show them my ID and re-issue me a sim chip with my phone number.
 
Very good this one! I wonder if we will be able to import the codes from our other existing 2FA apps into this one? With some sites/services it is not so easy to regenerate the keys.

I just set up my MacRumors 2FA key from 1Password to Apple. Works fine, both show the same key. I like this. Now, if only Apple would not delete my passwords if I accidentally disable iCloud Keychain on all devices, this would be a free and perfect solution for everyone who uses only the Apple ecosystem.
 
As you said, a campaign a.k.a. marketing, till probably the National Security Letter flew in, prohibiting them to continue talking about and prohibiting them to close these poorly hidden backdoor through the non-encryption of iCloud backups, and probably more.

Or do you really believe a company like Apple can’t build a fully encrypted iCloud service? It’s all made on purpose, with ways to access all the data, the 0815 employee can’t for sure, but there are ways.

What's a 0815 employee?
 
I feel like they should be okay (or so I hope)? I mean one-time 2FA is just a very small part of what Apple doesn't offer. 1Password also offers other, more advanced features.

If you don't mind me asking, do you use 1Password online subscription? I have a very old license I bought many years ago, it still works and I'm very happy that 1password is still working on the current OS. But I suspect that won't last for a couple more years. Also, as the family gets bigger it helps to be able to share passwords and such. My biggest hang up is that the new 1password is stored online. I wonder how secure it is...

I am still using a stand-alone licence as well with iCloud synchronisation of the 1Password library. I actually like it better that way and I have no interest in their subscription service with their own cloud.

But as you said, to be honest they have been extremely generous in terms of how long they keep supporting the iOS and MacOS apps based on a once-off licence (I can't even remember last time I paid for it), and I suspect when they decide to stop supporting it they will move to subscription-only :-s (which is a non-starter for me, I would pay for a new licence but I don't like subscriptions)

I'm definitely sticking to 1Password for now as one with the authenticator addition Apple's solution isn't as advanced. But if I am ever forced to go for a subscription for 1Password I will have to reconsider.
 
Oh anything that does pushes is magical. Okta Verify, Duo, Ping ID are great. I actually get super annoyed at Google MFA and Microsoft Authenticator that give you the push but then have to launch the app to "approve". Authy on my watch is used heavily for when I'm signing into apps like my home control that need that 2FA authentication token. Keep watching WebAuthn development hoping it catches on. The biggest question I always ask for that technology is how to easily manage more than one token.

You can approve Microsoft Authenticator pushes from the notification message. I do that from my Apple Watch regularly. On iPhone, swipe left on the notification and you get options. View, then Approve. Or long press, maybe. (I don’t have a force/3D touch iPhone). I just use my Watch nearly exclusively.
 
Until Apple says that it will be available on Windows, then I’m expecting that you must use Safari or on a Mac, iPhone, or iPad.

Apple’s track record with Windows apps sucks and I'm not expecting it to get better.

It looks like Apple is promoting that there will be an extension for Edge. In theory that should mean it can run on Windows since the extension should be platform agnostic. Interesting that they mentioned Edge and not Chrome. I know I can install Chrome extensions in Edge, wonder if we can install an Edge extension directly to Chrome since they use the same engine?

I would never ever use these authenticators. I lost my iPhone a couple of years ago and had no way to regain access to accounts that.

That is like saying "I won't ever lock my front door again because I once lost my key chain". Most 2FA applications allow you to back up your keys (except Google Authenticator). If you were using a solution that did not back up your keys, that is your mistake. Also, every website that uses TOTP provides a set of backup codes that can be saved or printed if you ever do lose access to your device.

That’s what I’m doing, sticking with 1 password. What I’m curious about is what Apple will do in terms of future app approval of features with apps like enpass and 1Password when their 2FA comes out.
Never happen. 2FA is fairly standard feature in most password apps. To force developers to remove a basic feature would definitely face charges of being non-competitive.
 
Never happen. 2FA is fairly standard feature in most password apps. To force developers to remove a basic feature would definitely face charges of being non-competitive.
Maybe it’s just me wishing apple brings better and more of their services to windows but it feels like Apple is trying to get users to use only their goods and services and giving a big middle finger to windows users.
 
It's also available on macOS, iOS and iPadOS.

On Macs, you don't have to use Safari for the codes. It's also under System Preferences > Passwords. I believe it will be synced with iCloud Keychain.
Perfect that's good to know!

I have the google authenticator app - I've tried iCloud backups and then local physical via Finder, and I seem to lose the codes out of it. Just having it in keychain would be a life saver.
 
Since i'm mostly on windows PC's now, think i'm going to move away from iPhone & iPad.

This news solidifies it, as how the hell are you supposed to get Apple 2FA on Windows if Safari isn't on Windows.
I mean.. you don’t have to use this feature. There’s other apps that can do it for you like Bitwarden. It syncs with Windows and even has 2FA which copies the code from the app and you just paste it into the site.
 
It is stored encrypted in the cloud.
I'm fairly confident that passwords are stored on device only. Hence when you turn off keychain on your devices and turn it back on, the passwords are gone.
From my understanding, the device pushes the passwords temporarily to iCloud to push to the other devices, then deletes it from the cloud.
 
I'm fairly confident that passwords are stored on device only. Hence when you turn off keychain on your devices and turn it back on, the passwords are gone.
From my understanding, the device pushes the passwords temporarily to iCloud to push to the other devices, then deletes it from the cloud.
Thanks for the post. I will reread the support docs when I get the chance. I may have misinterpreted what I read.
 
When it's a phone number, I can always go back to the telephone company and show them my ID and re-issue me a sim chip with my phone number.

There’s the problem—the phone companies have zero security measures and have been known to activate SIMs for anyone who calls, so that person can intercept your texts and 2FA codes. The SMS network is also notoriously easy to hack into. Activating 2FA with SMS codes is slightly better than no 2FA at all, but far less secure than a standalone authenticator app.
 
Maybe someday Apple will even let you see your keychain's secure notes on iOS and iPadOS. :rolleyes:

This is good news for people who use Apple's Keychain, but really it's a second-rate password manager.
The "Notes" app on iOS, macOS, etc can secure notes. They are different (apparently since my Notes secure notes don't show up in Keychain Access), but appear to be similarly protected. When I moved from 1Password, that's where all my "notes" ended up.
 
You can approve Microsoft Authenticator pushes from the notification message. I do that from my Apple Watch regularly. On iPhone, swipe left on the notification and you get options. View, then Approve. Or long press, maybe. (I don’t have a force/3D touch iPhone). I just use my Watch nearly exclusively.
We have pin enabled so the notification launches the app to validate faceId or pin to accept the push
 
No? And where do you think your keychain is, or how it syncs between iPhone, iPad, Mac?
It surely is...
Only if you have iCloud Keychain Recovery enabled so that if you lose all your devices then you can still recover.

Otherwise, as described upstream in this very comments section (which is based on Apple's descriptions from 2014 on about how iCloud Keychain Sync works), iCloud is used as a transit mechanism between the devices, but keychain items are not stored long-term on iCloud at all (and in transit they are AES-256 encrypted IIRC).
 
Need password protection for Authenticator app. When someone snatches your phone while unlocked all these 2-factor passwords are exposed.
You need another scan of FaceID or TouchID or know the passcode to unlock the Passwords Menu on System preferences (macOS) and under Settings (iOS/iPadOS). If the thief knows your passcode, then yeah, it'll be game over. However, I believe if you're fast enough, then you can lock or erase the iPhone using Find my iPhone.
 
Not following at all. Right now I log into any machine not just my Mac and I can pull up a MFA code via Authy on my phone or watch. Easy. If you're saying moving to keychain means I need to go digging in settings on my iPhone when I need a code is not easy or convenient.

The other reason I hate keychain. Apple has gone out of their way to prevent exporting. So secure if I want to move passwords elsewhere I can manually copy them to Keepass over a couple hours.

Great features if you only use Keychain. As always doesn't play well with others because Apple.
What I am saying is that the codes can be treated as any other 2FA code app. If you're on your work computer, then simply pull up your iPhone if you need to access a personal account. It is not hard to load up passwords either. You can quickly spotlight "Passwords," if you wish. For any who may be concerned about that, Passwords on Settings (iOS) or System Preferences (macOS) require additional unlock by Face/Touch ID or the passcode to unlock that menu.

You can now export and import passwords in Monterey, which will then be synced with iOS and iPadOS.

You cannot import or export using your iOS/iPadOS devices, however.
 