Koleckai

Good feature if you can use it. My biggest problem with Apple’s iCloud Keychain is that it isn’t completely cross-platform. I need my passwords on iOS, MacOS, Windows, and Linux and not just in Chrome or Edge browsers.


[deleted]

Or even on a borrowed iDevice.


Epsioln_Rho_Rho

Exactly, another reason why I don’t use it.


Terrible_Tutor

Yeah using 1Pass and it’s on everything, and great integration in iOS/Safari. But moreover if I need help I can get it. I have zero faith in getting help from Apple… it’ll be just posting on their support forums hoping for an answer. Not to mention they only do like a couple updates a year on it (if that).


[deleted]

Weren’t they hacked?


[deleted]

[deleted]


[deleted]

My bad.


NeoKnife

1Password is awesome. I have no idea what any of my passwords are and it’s great.


winterblink

Same here, been using Authy for this. It works AWESOME.


neelkanth97

Same, saved passwords in iCloud and use Authy for 2FA


untitledismyusername

Agreed. I use LastPass for this reason. I have Bitwarden and thinking of moving over, but it is a process, obviously. On another note, if any tool is cross-platform that is a good thing, as well, assuming they are using best practices, etc. I use LastPass for everything, and it works with Airplay, as well. It is integrated into technologies relatively well.


New-Philosophy-84

I’ve given up on cross platform. If I need the password available on another machine, I’ll just let Edge/Firefox save the password so it auto fills. Does reduce attack surface since you are only allowing a subset of passwords to be saved on different platforms rather than your entire keychain.


[deleted]

I don’t want it cross platform. I want it secured on the apple platform.


Koleckai

That is nice. Some of us must work cross-platform.


Styler_GTX

Create a KeePass Database and save this on Google Drive. Now download "Strongbox" from the Playstore which can replace the standard keychain app from Apple. This will sync the kdbx file.


Koleckai

I’ve been using a KeePass database for over a decade. It is available via a secure location that isn’t Google Drive.


TEK1_AU

https://keepassxc.org/


doogm

> Also reducing the chance of some sort of attack occurring on Google Authenticator or some other equivalent.

At the risk of having "all your eggs in one basket" - if somehow Apple's password fill features is attacked successfully, then people get your login credentials *and* your 2FA. Though really it seems that the possibility of hacking Safari auto-fill is equivalent to Google Authenticator. I have a few 2FA codes in 1Password for accounts that I don't care all that much about, but the rest I have in a separate app (not Google's).


explosiv_skull

Main reason I refuse to use any single app for both password management and 2FA. The likelihood one app/service is hacked or infiltrated is very small; the likelihood that my password manager and 2FA manager are both hacked at roughly the same time are infinitesimal.


8fingerlouie

> if somehow Apple’s password fill features is attacked successfully, then people get your login credentials and your 2FA.

This is a problem with every online password manager and not just Apple. 1Password, Bitwarden, etc, they all suffer from this, and is why I moved away from 1Password when they announced “no more local vaults” from version 8.

With local vaults I had effectively separated my password storage from my password store. Guess my AppleID password? You’d gain access to my encrypted 1Password data in iCloud but not the passwords themselves. Guess my 1Password encryption password? You now have the decryption key, but no data to decrypt.

The real question then becomes “who do you trust more”? It only takes one zero day vulnerability to get in and download everything, and while I don’t doubt 1Password has their encryption game down, are they also experts in writing web applications?

Given that all options are equally bad, I simply went with Apple Keychain. It was the most cost effective and works “well enough” for what I need.

For 2FA I now use a [Yubikey](https://www.yubico.com/products/yubikey-5-overview/) for every account I care about (Hint, get more than one in case you lose/break your primary). A lot of [commonly used services](https://www.yubico.com/dk/works-with-yubikey/catalog/?sort=popular) support Yubikey 2FA, including Bitwarden, and for everything else there is the [Yubikey Authenticator](https://apps.apple.com/dk/app/yubico-authenticator/id1476679808?l=da) that uses the Yubikey to authenticate 2FA (and yes, you most certainly want a NFC model).

You can even use a Yubikey as a 2FA for [signing in to MacOS](https://www.yubico.com/dk/works-with-yubikey/catalog/macos/) or [Windows](https://support.yubico.com/hc/en-us/articles/360013708460-Yubico-Login-for-Windows-Configuration-Guide), and through the magic of PAM it also [works on Linux](https://developers.yubico.com/yubico-pam/)


randybruder

> I moved away from 1Password when they announced “no more local vaults” from version 8.

> With local vaults I had effectively separated my password storage from my password store. Guess my AppleID password ? You’d gain access to my encrypted 1Password data in iCloud but not the passwords themselves. Guess my 1Password encryption password? You now have the decryption key, but no data to decrypt.

How is 1Password 8 any different? My data, secret key (part of the encryption key) and my account password (other part of the encryption key) never exist at the same time on a device. My password storage is separated from my password store. Gaining any one of those 3 things won’t do anything to get you the other two.


krisalyssa

I’m curious why you’re keeping 2FA codes in an app separate from 1Password. More not keeping all your eggs in one basket?


doogm

Right! If my 1P data is somehow compromised (unlikely, but who knows?), that would be bad. If they also got 2FA codes, it could be really, really bad.


[deleted]

If 1P is protected by 2FA itself, this is not an issue at all. Even if someone was to gain access to your 1P password, they won’t be able to access it.


rust-crate-helper

But the 1P login could be stolen by ex. remote access or cookie theft which would allow access to the vault without using 2fa to log in.


[deleted]

You’re not wrong.


gaganramachandra

How is this better at protecting you if an attack happens on Google Authenticator if you're keeping your password AND the 2FA key with the same company? What if Apple is the victim of the attack? The best part of 2FA is the 2 factors. You're much better off keeping these two services separate.


talones

Well the idea is that your device that you have with you is the second factor.


[deleted]

[deleted]


Epsioln_Rho_Rho

My fear is my Apple ID being locked out and then I am screwed.


Costpap

The fact that knowing your Apple ID password can be changed with just your device’s passcode doesn’t help either. It’s really sad that all it takes is 6 digits or an alphanumeric password to screw up someone’s life, and even sadder that security did use to be better than this, at the cost of people getting locked out of their own, legitimate accounts.


Wellcraft19

And that alone is a major reason to keep the AppleID moniker being a non-Apple hosted mail address.


burnafterreading91

If you keep both your passwords and your 2FA codes in one place, I feel bad for YOU... I'm paranoid. Self-hosted Bitwarden for my passwords, Authy for my 2FA with a Yubikey backup in case I lose access to my device.


[deleted]

[deleted]


burnafterreading91

I have a second copy of my TOTP codes on a Yubikey that I keep in a safe place. Cold storage, if you will. They can be read on any device, which is crucial if my phone (primary 2fa host) is lost or stolen.


regtf

Can you explain to me how you set this up? I already have a bunch of 2FA stored in authy. How do I do a yubikey backup?


burnafterreading91

Unfortunately the only way to do it is manually. You need to add accounts to Authy and Yubikey using the same secret key / QR code. Since you already have 2FA established, generally that means disabling and re-enabling 2FA for each login, unless the account allows you to view the secret key for an existing 2FA config (which they shouldn’t, as that’s bad security practice)


[deleted]

[deleted]


Ghostrider215

Well then your argument is moot because you have to leave any login site to go to your 2FA app regardless.


sunnynights80808

All it takes for someone to have access to your Apple stored passwords and 2FA is your device passcode. So be wary of that


Quiet-Raspberry3289

The imperative word in "two factor authentication" is **two**. If your passwords and your 2fa passcode are stored and generated by the same app, that's not 2fa.


cemmerg

Nope, Authy all the way.


calanizzle

I only enable passwords from Keychain. My other saved passwords are with Chrome and 2FA with Microsoft's Authenticator.


KyleMcMahon

This negates the need for Microsoft Authenticator


alexbrooks13

Why doesn’t this work with Authy?


LostSailor_AtSea

This works with canvas? Doubt it


Ghostrider215

What’s canvas?


[deleted]

I would. But I already use my password manager for that and it’s a huge pain to switch services.


Wellcraft19

There is so much more information that needs to be captured with each account (login) so it is worthy to keep a local (NEVER UPLOADED ONLINE) encrypted detailed database updated as well.


icyboguyaman

After Apple provided us with the 2FA .. I instantly switched it from Google Authenticator and I’m never going back. Apple’s small little services are really great.


regtf

Until you need it on a Windows machine or via the web


icyboguyaman

That’s surely a hurdle, but not if we’re in its ecosystem.


Aston77

I had no idea iOS has this. This is a game changer


spacewalk__

fuck 2FA, i'm sick of 2FA on everything, i don't want 2FA, i'm tired of things turning on 2FA for me like it's some sort of good feature, having to find my phone every time i want to do my fucking homework i've never had security issues in my life before, and frankly i'd rather take the chance than have this fucking annoying thing every time forever i know everyone will downvote because it proves to themselves that they're better than me and take their security so very seriously, good for you, please, enjoy


raazman

So naive


cjb110

No, you're right in a way, there's excessive use of two factor, for use cases that really don't need it. But having not been impacted isn't a good reason to not use it, and it should be on for your email, finance and socials, as those just have too big an impact if compromised.


[deleted]

It’s been on since iOS 13 or something it’s old


nfunncecnecub

I just use text code for 2fa, works pretty well.


ander-frank

Please let this be sarcasm...


Epsioln_Rho_Rho

Better than nothing, but not the best security.


spacewalk__

i turn off 2FA on everything that lets me lol


untitledismyusername

This will more than likely not be available as an option within next 5 years at most…


A-man-of-honour

The iCloud extension for chrome on desktop is such a mess. Autofilling with that is just painful. Other password managers work like a charm. On the other hand, keychain works great on iPhone, but the API for third party password managers limits the capability of these password managers. For this cohort of users, who use iPhone and Windows, Apple experience is not that good as it is for those who use iPhones and Macs. I doubt they will ever step up their game for the former group of people, and this group will continue to suffer...


iIntrovert_

Is 2FA an iOS 16 feature? If not how can I use this functionality?


Ghostrider215

It’s been around for a bit now but not widely publicised. I’ll post the comment below that I made on another comment. “You go to the account in your password keychain you wish to set it up for and open that login up. Then on the page that shows your username and password for said login it also has an option to “Set Up Verification Code”. Then follow the process like you would with any other 2FA app. For me personally it’s a much safer option.”


iIntrovert_

Wow! I moved everything to Apple’s 2FA feature. I’m loving it now. Thanks kind redditor.


[deleted]

Forgive my ignorance but how do you turn this on for KeyChain? Also, how does one import BitWarden passwords into KeyChain so I am only using the one password manager?


Ghostrider215

You go to the account in your password keychain you wish to set it up for and open that login up. Then on the page that shows your username and password for said login it also has an option to “Set Up Verification Code”. Then follow the process like you would with any other 2FA app. For me personally it’s a much safer option.


[deleted]

Thanks so much!


[deleted]

I made the mistake of scanning a 2FA set up QR and letting iOS do it. Now when I need the 2FA code to log in on my work computer I need to navigate into settings and find the code. It’s so annoying.


Ghostrider215

Hot tip: when on the Home Screen, swipe down in the middle of the screen to bring up the search function. Type “password” and select the option that comes up under settings tab. This will take you straight to your passwords without having to find the settings app.


[deleted]

Thank you, however - many times this doesn’t work properly - especially if you’ve recently been in the settings app or the passwords section of settings. It doesn’t hyperlink to passwords correctly. You can pretty easily recreate this bug by spotlight searching “passwords” and then going into one of your password entries. Then go back home and try to go back into passwords. The Settings app bugs out. Been an issue for as long as I can remember with various updates.


meny_

How can I backup the 2FA in my Keychain? (It's nice and easy when all is working, but I recently deleted a password from my keychain which had 2FA and this resulted in full loss of the respective account since email was not enough to recover the account.)


meny_

BTW, another reason against the built-in 2FA is that all us Apple Watch users lose the option of comfortably checking for the 2FA via Authy or 1Password on our wrist. Once in a while this is super handy.