For macOS Sonoma
Intro
If you’re like most people, you likely have many online accounts with usernames and passwords. In this guide, I will describe how iCloud Keychain, the password manager built into macOS and other Apple platforms, can help you create, use, and manage strong credentials for your online accounts.
While iCloud Keychain is also available on iOS and iPadOS, as well as Chromium-based browsers, this guide will focus primarily on how to use it with Safari on macOS, in an effort to limit information overload. However, once you become familiar with iCloud Keychain on macOS, you’ll likely find that it works similarly on other platforms.
Why use a password manager?
With the proliferation and ubiquity of online accounts accessed with usernames and passwords, you may find the process of coming up with and remembering unique ones for each account fatiguing. In an effort to make passwords easier to create and remember, it may be tempting to base them on common words in the dictionary, musical artists, sports teams, birthdays, pets, and references to other things of significance in your life, and use the same or similar passwords for different accounts.
However, while passwords created with such techniques may be easy to create and remember, they are also easy to guess: automated attacks routinely try lists of common or previously leaked passwords against websites until an account opens. Furthermore, using the same password across multiple accounts makes you additionally vulnerable, as once the password for one account is exposed, threat actors will try it against your other accounts (a technique known as credential stuffing), compromising more of your identity.
For this reason, a password should ideally be a string of randomly generated letters, numbers, and symbols, something many humans are not particularly good at creating or remembering, but exactly what password managers like iCloud Keychain excel at. When creating a new account or changing the password to an existing one in Safari, iCloud Keychain should offer to create a strong password that can then be autofilled on your Mac, as well as on other devices signed into your Apple ID.
For apps and websites that support it, you can use a passkey in lieu of a password. A passkey is a cryptographic key pair: the private key is stored and synced by iCloud Keychain, and only the matching public key is held by the server. While this method of authentication is relatively new and supported by a limited number of apps and websites, it is considerably more difficult to compromise than a password: the private key never leaves your devices, a breach of the server exposes only public keys, which cannot be used to sign in, and the key is bound to the site it was created for, so a look-alike site cannot phish it. More detailed information on how this works in practice is given later in this guide.
Setup and management
Setting up iCloud Keychain involves simply going to System Settings (Settings on iOS and iPadOS) > [your name] > iCloud > Passwords & Keychain, and toggling the “Sync this Mac” switch on. Make sure all the devices you want to be able to store, use, and sync credentials are signed into the same Apple ID and have this setting enabled.
In Safari, you may also wish to make sure autofilling of usernames and passwords is enabled. To do this, choose Safari > Settings (or press Command-Comma), click the Autofill button in the toolbar, and make sure the “Usernames and passwords” checkbox is selected. If you want iCloud Keychain to be able to save and sync credit card information for autofill on your signed in devices, make sure the “Credit cards” checkbox in the Autofill pane of Safari Settings is selected.
If you want to use iCloud Keychain with a Chromium-based browser, like Google Chrome or Microsoft Edge, install the iCloud Passwords browser extension from the Chrome Web Store. While I am aware of the existence of this extension, I do not have sufficient experience with it to comment on its usability, quality, or accessibility.
Saved accounts in iCloud Keychain can be viewed and edited by going either to System Settings > Passwords, or from within Safari by choosing Safari > Settings (or pressing Command-Comma) and clicking the Passwords button in the toolbar. After authenticating with Touch ID or your login password, you’ll be presented with a scroll area containing a list of your saved accounts, a search field for narrowing down this list, and options to, among other things, manually add accounts, create shared groups for sharing and syncing credentials with others, and view, recover and clear recently deleted accounts for thirty days after they were deleted.
To view or edit a saved account, navigate to it in the list with either the up and down arrow keys or first-letter navigation, and then either choose an option from the context menu (accessed by pressing VO-Shift-M) or press Return to open the account. Clicking the Edit button in this dialog allows you to view and manually change the username and password saved, add a more descriptive title that the account will be identified by in the list, or add additional notes for that account.
Saved credit cards can be viewed and edited from within Safari by choosing Safari > Settings (or pressing Command-Comma), clicking the Autofill button in the toolbar, and clicking the Edit credit cards button. After authenticating with either Touch ID or your login password, you’ll be presented with a table of your saved credit cards, which you can navigate with the up and down arrow keys or first-letter navigation. Focus on a card and press VO-Right-Arrow to view and edit the information saved for it, then click Done to save and sync your changes.
Creating and using strong passwords
To create a strong password for a website in Safari, navigate to the page on that website to create or change the password, and focus on the password field. A popover should then appear saying that a strong password has been created; click the “Use strong password” button to accept the password and fill it into the field. The password will then be saved once Safari has sensed that the website accepted it as valid, which typically happens when you click a button to continue to the next page of the account creation flow.
Occasionally, VoiceOver may lose focus after clicking the “Use strong password” button. If this happens, return to the field and try again. If the problem is persistent for you, click the “Other options” button in the popover, select “copy strong password” from the resulting menu, and then select “choose my own password” from the same menu. The popover should then be dismissed, at which point you can choose Edit > Paste (or press Command-V) to paste the strong password into the now empty password field on the website.
In the future, whenever you are signing into that website, you should be able to focus on the username or password field, and rest your finger on the Touch ID sensor to autofill the credentials. To fill a different set of credentials than the one that’s being suggested for that website, focus on the username or password field, press the Down-Arrow key to select the “Other passwords” option, and press Return. After authenticating with either Touch ID or your login password, focus on the account you want to fill in the list, and press Return to fill the credentials.
To create a strong password when not in Safari, click the “Add” popup button in Passwords Settings or the Passwords pane of Safari Settings, and choose “new password” from the resulting menu. In the dialog that appears, enter the account's username, click the “Create strong password” button, and then click Save.
To fill an existing password when not in Safari, focus on the password field, choose Edit > Autofill > Password, and authenticate with either Touch ID or your login password. In the resulting dialog, click the account you want to log into, interact with the list that appears, and click either the username or password to fill the information and dismiss the dialog.
Using verification codes
In addition to usernames and passwords, it is generally advised to use a second factor of authentication, most commonly a code sent via SMS text message that you must enter in order to access the account. However, while SMS-based two-factor authentication is common, it is not ideal: in so-called SIM swapping attacks, threat actors have deceived employees of wireless carriers into transferring users’ phone numbers to them, allowing them to receive verification codes or initiate password resets for services that use SMS to verify identity. As a more secure alternative, supported apps and websites allow password managers like iCloud Keychain to generate time-based one-time codes (TOTP), typically six digits derived from a secret shared with the site and changing every thirty seconds, which are used in addition to a password to access accounts.
Setting up this method of two-factor authentication involves navigating to the page of the website where additional authentication methods can be configured and choosing to use an authenticator app; note that the precise wording of this option varies. Focus on the provided image and choose “Set up verification code” from the context menu (accessed by pressing VO-Shift-M). You will then be prompted to select the account from the accounts saved in iCloud Keychain, and then verify that setup was successful by focusing on a field provided by the website and resting your finger on the Touch ID sensor to fill in the test code. If the code is accepted, setup was successful, and your signed in devices should offer to autofill the code in the future whenever it is requested.
Alternatively, this feature can be set up manually by supplying a key obtained from the website into iCloud Keychain. To do this:
- Rather than setting up with the image provided on the website, choose to set up manually; the precise wording of this option varies.
- Copy the key displayed and open the account in either System Settings > Passwords or the Passwords pane of Safari Settings.
- Click “Verification code set up,” paste the key from the website into the provided field, and click “use setup key.”
- Copy the code generated by iCloud Keychain and paste it into the field provided by the website; note that you’ll have thirty seconds to supply this code. If the code is accepted, setup was successful, and your signed in devices should offer to autofill the code in the future whenever it is requested.
Creating and using passkeys
As mentioned earlier, a passkey is a cryptographic key pair, a private key on your device and a public key on the server you’re logging into, that can be used instead of a password to access an account. When you sign in, the server sends a random challenge, your device signs it with the private key, and the server checks the signature with the public key; the private key itself is never transmitted. On supported apps and websites, you’ll be given the option to set up a passkey, which typically involves clicking a button on the app or website to initiate the process, at which point you’ll be prompted to authenticate with Touch ID or your login password; note that your login password or fingerprint is not shared with the server and is only used to verify your identity to your Mac. Once authenticated, iCloud Keychain will save the private key and sync it to your other Apple devices.
To sign into an app or website with a passkey, initiate the sign in process and authenticate with Touch ID or your login password when prompted. Signing into the app or website on a device that does not have the private key saved typically involves providing your username, scanning a QR code displayed on the device with your iPhone, and then authenticating with Face ID, Touch ID, or your passcode to supply it to the server. As private keys saved in iCloud Keychain do not sync to non-Apple devices, apps and websites that offer this functionality typically allow you to create separate passkeys for each ecosystem you use the account on.
Conclusion
While the concepts of complex, randomly generated passwords, rotating verification codes, and cryptographic key pairings may at first sound intimidating, you now hopefully have an idea of how these technologies work, as well as how to use them if you wish to increase the security of your online accounts. More information is available in your Mac’s built in help, Apple Support, and the AppleVis Forum, and if you have any questions or believe any of the information in this guide is inaccurate, sound off in the comments.
Comments
Wonderfully written
Hi Tyler, the article is wonderfully written. Thank you so much for such an informative post.
Now Using Strongbox
It integrates with Safari using the same autofill behaviour as in Keychain using Apple's provided API, so the experience is, like Keychain, very luscious.
As far as I can tell, the process of scanning a QR code for performing cross-device passkey authentication isn't accessible. There's no way to get a key for manual entry on your phone. This strikes me as a shocking injustice; it effectively locks us into our respective platforms.
For me, the accounts I use…
For me, the accounts I use passkeys with, like Google, still allow me to use my password to login instead. This way, if I wanted, for example, to log into my Google account on Windows, I could authenticate with my email address and password, then create a separate passkey for that platform.
I think in the future, the goal of the WebAuthn standard is to replace passwords entirely, and when that becomes more widespread, I definitely think an alternative to a QR code should be developed. I'm not a security expert, but I envision this possibly as a link sent to a user's email address that they can open on a computer or mobile device with the private key stored, in order to authenticate a nearby device.