For iOS 17
Intro
If you’re like most people, you likely have many online accounts with usernames and passwords. In this guide, I will describe how iCloud Keychain, the password manager built into iOS, iPadOS, and other Apple platforms, can help you create, use, and manage strong credentials for your online accounts.
While iCloud Keychain is also available on macOS, as well as Chromium-based browsers on other operating systems, this guide will focus primarily on how to use it with iOS and iPadOS, in an effort to limit information overload. However, once you become familiar with iCloud Keychain on iOS and iPadOS, you’ll likely find that it works similarly on other platforms.
Why use a password manager?
With the proliferation and ubiquity of online accounts accessed with usernames and passwords, you may find the process of coming up with and remembering unique ones for each account fatiguing. In an effort to make passwords easier to create and remember, it may be tempting to base them on common words in the dictionary, musical artists, sports teams, birthdays, pets, and references to other things of significance in your life, and use the same or similar passwords for different accounts.
However, while passwords created with such techniques may be easy to create and remember, they can also be easily guessed by password-cracking bots designed to rapidly try large numbers of common or previously exposed passwords against websites until the desired account is accessed. Furthermore, using the same password across multiple accounts makes you more vulnerable still: if the password for one account is compromised, threat actors can then try that password on your other accounts, further exposing your identity.
For this reason, passwords should ideally consist of a string of randomly generated letters, numbers, and symbols, something humans are not particularly good at creating and remembering, but which password managers like iCloud Keychain excel at. When you create a new account or change the password of an existing one, iCloud Keychain should offer to create a strong password that can then be autofilled on all devices signed into your Apple ID.
For apps and websites that support it, you can use a passkey, a token that is stored and synced using iCloud Keychain and paired with a separate token on the server, in lieu of a password. While this method of authentication is relatively new and supported by a limited number of apps and websites, the fact that accessing the account requires both tokens, one held by you and the other held by the server you’re logging into, makes passkeys more difficult to compromise than passwords. More detailed information on how this works in practice is given later in this guide.
Setup and management
Setting up iCloud Keychain involves simply going to Settings > [your name] > iCloud > Passwords & Keychain, and toggling the “Sync this iPhone/iPad” switch on. Make sure all the devices you want to be able to store, use, and sync credentials are signed into the same Apple ID and have this setting enabled. If you want iCloud Keychain to be able to save and sync credit card information for autofill on your signed-in devices, go to Settings > Safari > AutoFill, and make sure the “Credit cards” switch is on.
Saved accounts in iCloud Keychain can be viewed and edited in Settings > Passwords. After authenticating with Face ID, Touch ID, or your device passcode, you’ll be presented with a list of your saved accounts, a search field for narrowing down this list, and options to, among other things, manually add accounts, create shared groups for sharing and syncing credentials with others, and view, recover and clear recently deleted accounts for thirty days after they were deleted.
Note: If you’re using Stolen Device Protection, your device passcode cannot be used to access saved accounts, requiring either Face ID or Touch ID instead.
To view or edit a saved account, either triple-tap (or double-tap and hold) it to access a context menu, or double-tap it to open the account. Double-tapping the Edit button on this screen allows you to view and manually change the username and password saved, add a more descriptive title that the account will be identified by in the list, or add additional notes for that account.
Saved credit cards can be viewed and edited by going to Settings > Safari > AutoFill, and double-tapping the Saved credit cards button. After authenticating, you’ll be presented a list of your saved credit cards. Double-tap a card to view or edit the information saved for it, and double-tap Done to save and sync your changes.
Creating and using strong passwords
To create a strong password for an app or website, navigate to the page to create or change the password, and double-tap the password field. A “Use strong password” option should appear toward the bottom of your screen in place of the keyboard; double-tap it to accept the password and fill it into the field. It will then be saved once iCloud Keychain has detected that the app or website accepted it as valid, which typically happens when you continue to the next page of the account creation flow.
In the future, whenever you are signing into that app or website, you should be able to double-tap the username or password field, and be given the option to use the saved password. Double-tap the “Use [username]” option, and authenticate with either Face ID, Touch ID, or your device passcode when prompted. To fill a different set of credentials than the one that’s being suggested for that website, double-tap the “Other passwords” option, authenticate when prompted, and double-tap the account you want to fill in the list.
Additionally, strong passwords can be generated manually by double-tapping the “Add” button in Passwords Settings and choosing “new password” from the resulting menu. In the sheet that appears, enter a name that the account will be identified by in the list, as well as the account’s username. You can view the generated password in the password field, or double-tap Done to save it and dismiss the sheet.
If no saved password is suggested when double-tapping a password field, double-tap the “Passwords” button above the keyboard, authenticate when prompted, then double-tap the account you want to log into. This may happen if you, for example, create an account on a website in Safari on your Mac, and then log into that service’s mobile app on your iPhone or iPad for the first time.
Using verification codes
In addition to usernames and passwords, it is generally advised to use a second factor of authentication, most commonly a code sent via SMS text message that you must enter in order to access the account. However, while SMS-based two-factor authentication is common, it is not ideal, as threat actors have been known to deceive employees of wireless carriers into giving them access to users’ phone numbers, allowing them to receive verification codes or initiate password resets for services that allow users to use SMS to verify their identity. As a more secure alternative, supported apps and websites allow password managers like iCloud Keychain to generate rotating one-time codes that can be used in addition to a password to access accounts.
Setting up this method of two-factor authentication involves navigating to the page of the app or website where additional authentication methods can be configured and choosing to use an authenticator app; note that the precise wording of this option varies. Triple-tap (or double-tap and hold) the provided image and choose “Set up verification code” from the context menu. You will then be prompted to select the account from the accounts saved in iCloud Keychain, and then to verify that setup was successful by double-tapping a field provided by the app or website and choosing to insert the test code. If the code is accepted, setup was successful, and your signed-in devices should offer to autofill the code in the future whenever it is requested.
Alternatively, this feature can be set up manually by supplying a key obtained from the app or website into iCloud Keychain. To do this:
- Rather than setting up with the image provided, choose to set up manually; the precise wording of this option varies.
- Copy the key displayed and open the account in Passwords Settings.
- Double-tap “Set up verification code,” and then “enter setup key” in the resulting sheet.
- Paste the key into the provided field and double-tap OK.
- Copy the code generated by iCloud Keychain and paste it into the field provided by the app or website; note that you’ll have thirty seconds to supply this code. If the code is accepted, setup was successful, and your signed-in devices should offer to autofill the code in the future whenever it is requested.
If you’re signing into an account from an app or website you haven’t previously used, that account’s verification code may not be automatically suggested when it is required. For this reason, when double-tapping the “Passwords” button and choosing the credentials to fill, you may want to first triple-tap (or double-tap and hold) the account and choose “Copy verification code” from the context menu before double-tapping the account to fill the credentials. Then, if the verification code isn’t automatically suggested, you can simply paste it into the field provided by the app or website, instead of needing to detour to Passwords Settings and copy the code from there.
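The rotating verification codes described above are time-based one-time passwords: the setup key you paste into iCloud Keychain is a shared secret, and every thirty seconds both your device and the server derive the same six digits from it. The following is an added example written for this guide, not code from the article or from Apple, showing that derivation (RFC 6238 with HMAC-SHA1, the common default) using a constructed sample key rather than a real account’s key.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// totpCode derives the six-digit code for a base32 setup key at Unix time t,
// following RFC 6238 (HMAC-SHA1, 30-second time step), the scheme behind the
// rotating verification codes that authenticator apps and iCloud Keychain show.
func totpCode(setupKey string, t int64) (string, error) {
	// Setup keys are often displayed in spaced groups and in lower case; normalise.
	key := strings.ToUpper(strings.ReplaceAll(setupKey, " ", ""))
	if rem := len(key) % 8; rem != 0 {
		key += strings.Repeat("=", 8-rem) // base32 padding, which sites often omit
	}
	secret, err := base32.StdEncoding.DecodeString(key)
	if err != nil {
		return "", fmt.Errorf("invalid setup key: %w", err)
	}
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(t/30)) // counter = 30-second step number
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation (RFC 4226): 4 bytes at an offset given by the last nibble.
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000), nil
}

// secondsRemaining reports how long the code for Unix time t stays current.
func secondsRemaining(t int64) int64 {
	return 30 - t%30
}

func main() {
	// Constructed sample: the RFC 6238 test secret in base32, not a real account key.
	const sampleKey = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"
	now := time.Now().Unix()
	code, _ := totpCode(sampleKey, now) // the sample key is known to be valid
	fmt.Printf("code %s, valid for %d more seconds\n", code, secondsRemaining(now))
}
```

Because both sides only need the shared secret and the current time, anyone who obtains the setup key can generate the same codes, which is why the key should be treated as carefully as a password.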
Creating and using passkeys
As mentioned earlier, a passkey is a pairing of two cryptographic tokens, one on your device, known as the private key, and the other on the server you’re logging into, known as the public key, that can be used instead of a password to access an account. On supported apps and websites, you’ll be given the option to set up a passkey, which typically involves double-tapping a button on the app or website to initiate the process, at which point you’ll be prompted to authenticate with Face ID, Touch ID, or your device passcode; note that your device passcode or biometric data is not shared with the server and is only used to verify your identity to your device. Once authenticated, iCloud Keychain will save the private key and sync it to your other Apple devices.
To sign into an app or website with a passkey, initiate the sign-in process and authenticate when prompted. Signing into the app or website on a device that does not have the private key saved typically involves providing your username, scanning a QR code displayed on that device with your iPhone, and then authenticating with Face ID, Touch ID, or your passcode on your iPhone to approve the sign-in. As private keys saved in iCloud Keychain do not sync to non-Apple devices, apps and websites that offer this functionality typically allow you to create separate passkeys for each ecosystem you use the account on.
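The key pairing described in the two paragraphs above works as a challenge-response: the server stores only the public key, and each sign-in is a fresh signature over a value the server chose. The following is an added example written for this guide, not Apple’s implementation or the article’s own code, that models that exchange with a P-256 key pair; the site name and the challenge value are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// passkey is the device-side half: the private key stays on the device (or in
// iCloud Keychain sync) and is bound to the site it was created for.
type passkey struct {
	rpID string
	priv *ecdsa.PrivateKey
}

// registerPasskey models setup: the device makes a P-256 key pair and sends
// only the public key to the app or website, which stores it for the account.
func registerPasskey(rpID string) (*passkey, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &passkey{rpID: rpID, priv: priv}, &priv.PublicKey, nil
}

// sign runs on the device after Face ID, Touch ID or the passcode succeeds locally;
// only the signature is sent, never the passcode, and a passkey for one site refuses another.
func (p *passkey) sign(rpID string, challenge []byte) ([]byte, error) {
	if rpID != p.rpID {
		return nil, fmt.Errorf("passkey for %q will not sign for %q", p.rpID, rpID)
	}
	digest := sha256.Sum256(append([]byte(rpID), challenge...))
	return ecdsa.SignASN1(rand.Reader, p.priv, digest[:])
}

// verifyAssertion is the server's check; the stored public key alone cannot forge a signature.
func verifyAssertion(pub *ecdsa.PublicKey, rpID string, challenge, sig []byte) bool {
	digest := sha256.Sum256(append([]byte(rpID), challenge...))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	pk, pub, _ := registerPasskey("example.com") // constructed site name
	// A real server draws a fresh random challenge per sign-in; constructed here.
	ch := []byte("constructed-challenge-0001")
	sig, _ := pk.sign("example.com", ch)
	fmt.Println("sign-in verified:", verifyAssertion(pub, "example.com", ch, sig))
}
```

A captured signature is useless for the next sign-in because the challenge changes, and a site with a look-alike name never receives a signature at all, which is what makes passkeys resistant to phishing and to server-side breaches.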
Conclusion
While the concepts of complex, randomly generated passwords, rotating verification codes, and cryptographic key pairings may at first sound intimidating, you now hopefully have an idea of how these technologies work, as well as how to use them if you wish to increase the security of your online accounts. More information is available in your iPhone or iPad’s respective user guide, Apple Support, and the AppleVis Forum, and if you have any questions or believe any of the information in this guide is inaccurate, sound off in the comments.
Comments
Two Factor Authentication Within and Outside The Orchard
Great article.
My challenge is and always has been working out how to manage accounts that you have signed into either through Apple or on my Windows desktop. I think I now have three potential authentication apps, Microsoft, Google and Apple. So a major clean up is required to reset the 200+ user IDs I currently have! Anyone else have the same problem and what is the general view for how you go about sorting this out?
Mark
Syncing iCloud passwords with PC seems inaccessible
When I try to use the iCloud Passwords extension with Microsoft Edge for example, it disables Edge's native auto-fill function and doesn't ask whether I want to save passwords to new websites. At least it seems so with NVDA.