iCloud Keychain
Posted on Mar 22 - 2022
Apple password manager

It’s been a couple of months since I decided to try iCloud Keychain again. A few years ago I switched from 1Password to Apple, but without success. After a few weeks, Keychain had synchronization problems between devices: I had some passwords on the Mac but not on the iPhone, and other passwords were present on the MacBook but not on the Mac and only partly on the iPhone. A mess.
Also, Keychain didn’t have many of the features it has today, so I gave up on the idea and went back to 1Password.

I’ve already talked about password managers and how important they are, but today I want to focus on the features offered by Apple.

What is

iCloud Keychain automatically stores and fills information like browser usernames and passwords, credit cards, Wi-Fi passwords, passwords to unlock external encrypted drives, and more. Everything is synchronized between the devices you approve.
Keychain fulfills the basic purpose of every password manager on the market.

Why

Let’s be clear, I love 1Password and have been a user for years. I’m a proud owner of the lifetime license for version 7 and have been a subscriber for a while to see the difference.

Unfortunately, however, times change and business choices change with them.

I’m not against replacing a native application with one based on Electron; there are so many great Electron apps, like Spotify. It’s impressive how, on macOS, Spotify is more responsive than Apple Music.

The reasons that led me to look for an alternative are three:

  • Subscription
  • Local vaults
  • Minimalism


I’m in favor of paying for software that I use, to support the people behind its development. I’m not against subscriptions, but I am against the idea of a subscription for life.
I have an Apple Music subscription, but I can unsubscribe and manage my music locally or through the free version of Spotify. I have an iCloud subscription for data and photos, but I can unsubscribe and build a server with Nextcloud.

Why shouldn’t this be true of 1Password?

Because a password manager is an essential tool for me, I would end up with a lifetime subscription, even though there are alternatives. I have also noticed that many of the items I keep in 1Password, such as documents, notes, licenses and more, have never been used.

I have a mountain of items in an unopened drawer.

Added to this are many features of 1Password that are great but that I don’t use:

  • Multiplatform app

    Great, but since I only have a Mac and an iPhone, the idea of using Keychain is more tempting.

  • Undo and undelete

    Cool features to fix any mess the user makes. In my case, I’m a backup fanatic and therefore these features would be useless.

  • Automatic backups

    Did I mention I’m a backup fanatic?

  • Travel Mode

    This feature essentially removes your sensitive information from your computers and mobile devices while you’re traveling. In my case, however, I never used it.

  • Sharing

    Used it for a year when I wanted to try the family version. Very interesting to be able to share all the elements with those who are part of the family. In my case, I realized that the shared elements were so few that it was not worth it.


All these features and many more are definitely worth the subscription price, but not for me.

I will miss one thing about 1Password: the Apple Watch app, which I used to read some information on the fly without having to take out and unlock the iPhone. However, since it hasn’t received any particular updates over the years, I asked on the forum whether it would be maintained with 1Password 8; so far no one has answered me. (Uh, I received an answer 😄.)

With 1Password 8 we can say goodbye to local vaults, the ones I use. Everything will move to the cloud, on the company’s servers. So I can also say goodbye to one of 1Password’s coolest features: WLAN Server. Basically, I could choose a main device that acts as a server and synchronizes the vault with all the devices I approve, entirely over the local network. WOW!

WLAN Server setting of 1Password 7. The setting allows “Run a WLAN Server” from This Mac to sync with iOS and Android devices. The setting is no longer available in 1Password 8.

I can understand that this type of feature is used by a niche of people and therefore spending money to keep developing it isn’t worth it, but I would have really appreciated the possibility to choose where to synchronize the data: iCloud, Dropbox, and others. Unfortunately, this is also destined to disappear with version 8.

Finally, minimalism. Over the years I have tried to bring this concept into my life, from the real world of clothing and objects to the virtual one of files and all the information that is important to me. As mentioned, with 1Password I ended up with a variety of items I never used.

I had the mindset that the more information I stored, the more I would need it.

In reality, that was not the case: the only information I used was the logins to websites and a few single passwords to unlock external disks and files.

Bitwarden

It’s fair to ask why I didn’t evaluate Bitwarden as an alternative. I wrote something about it last year and I’m still convinced it’s a great choice for those who are starting to use a password manager or those looking for an alternative. I love it when projects are completely open source and, above all, that I could host it locally at my house, but before moving to Bitwarden I wanted to try the full ecosystem provided by Apple.

Move

The password transfer was fast and almost without problems. From version 7.9.3, 1Password exports a CSV format compatible with Keychain, including notes. Once the CSV file is exported (the file must contain only logins and nothing else), we can simply import it.

The iCloud Keychain application is accessible from Settings and then Passwords. At the bottom, there is a button to import the passwords in CSV format.

The only problem was saving the credentials of those sites that don’t require passwords but send a magic link to confirm access. In 1Password I only have the username. Unfortunately, Keychain doesn’t accept these items because it requires a password field.

This thing leads to two problems:

  • I have to manually import the elements with only the username.

  • I have to associate these elements with a fake password otherwise Keychain doesn’t save them.
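
As an added example (not code from the post, from 1Password or from Apple), here is a small Python script for the preparation step described above: it keeps only login rows and gives magic-link entries a clearly labelled placeholder password so that the import accepts them. The column names Title, URL, Username, Password and Notes, the rule that a row with neither URL nor username is not a login, and the placeholder string itself are all assumptions made for the example.

```python
"""Prepare a 1Password CSV export for import into iCloud Keychain.

Added example for this post (not code from the post, 1Password or Apple).
Assumptions: the export has the columns Title, URL, Username, Password and
Notes; a row without URL and Username is not a login; the placeholder
password string is chosen here and has no special meaning to Keychain.
"""
import csv
import io

LOGIN_COLUMNS = ["Title", "URL", "Username", "Password", "Notes"]
PLACEHOLDER = "MAGIC-LINK-NO-PASSWORD"  # assumed marker for magic-link sites


def prepare_rows(rows):
    """Filter and fix rows. Returns (kept_rows, skipped, placeholders)."""
    kept, skipped, placeholders = [], 0, 0
    for row in rows:
        out = {col: (row.get(col) or "").strip() for col in LOGIN_COLUMNS}
        # Keychain only imports logins: drop documents, licences, notes ...
        if not out["URL"] and not out["Username"]:
            skipped += 1
            continue
        # Magic-link sites have a username but no password; the import refuses
        # such rows, so give them a labelled placeholder and say so in Notes.
        if not out["Password"]:
            out["Password"] = PLACEHOLDER
            note = "[magic-link login: placeholder password]"
            out["Notes"] = f"{out['Notes']} {note}".strip()
            placeholders += 1
        kept.append(out)
    return kept, skipped, placeholders


def convert_csv(text):
    """Convert 1Password CSV text to Keychain-ready CSV text plus counts."""
    rows = list(csv.DictReader(io.StringIO(text)))
    kept, skipped, placeholders = prepare_rows(rows)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=LOGIN_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(kept)
    return buf.getvalue(), skipped, placeholders


# Constructed sample export (not real credentials).
SAMPLE_EXPORT = """Title,URL,Username,Password,Notes
Blog,https://www.simonemargio.im,simo,wowSoMuchStrongPassword,
Newsletter,https://news.example.com,simo@example.com,,login by e-mail link
Driving licence,,,,scanned document
"""

if __name__ == "__main__":
    output, skipped, placeholders = convert_csv(SAMPLE_EXPORT)
    print(output)
    print(f"skipped {skipped} non-login rows, added {placeholders} placeholders")
```

Run it on the real export, import the resulting file, then delete both CSV files: they hold every password in clear text.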


Apart from this obstacle, everything was imported.


What remained to be managed:

  • Documents

  • Single passwords

  • Software licenses


I organized the documents on iCloud Drive, encrypting the sensitive ones. Individual passwords and software licenses, on the other hand, have been saved in the protected notes of the Apple application.

Apple notes application with a set of organized elements on the left: notes, backups, work, travel, recipes, secrets, projects, and private individuals. The notes that contain sensitive information are blocked through a code.

In the beginning, it may seem strange to have this information separated after 1Password used to keep everything in one place, but it soon becomes a habit. In my case, I rarely log in to the Notes application to retrieve some information, so I don’t think about it anymore.

Security

Keychain uses end-to-end encryption, where items are encrypted with two different AES-256-GCM keys, all managed by Apple’s Secure Enclave. A special daemon, securityd, determines which keychain items each process or app can access. The keychain access API makes calls to the daemon, which in turn performs a series of authorization checks for the app.

It’s important to keep in mind that Keychain is unlocked with the same password as your device. This means that if you use a trivial PIN to unlock your iPhone, it’s better not to use Keychain, because if someone gets your PIN they can access your iPhone and the entire Keychain without any problem. The same applies to the Mac and MacBook.

The best strategy, in my opinion, is:

  1. Set an alphanumeric password for your devices. Avoid simple passwords such as a birthday or your high school bff. A passphrase can help; here you can find some examples.

  2. The password to unlock your devices must be different from what you use to access your iCloud account.

  3. Never use your iCloud email to subscribe to any online site, use the hide my email feature or you can create up to three alias emails on iCloud.
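
As an added example, not from the post, the following Python code puts points 1 and 2 into numbers: it generates a passphrase with the secrets module and compares the entropy of a 6-digit PIN, an 8-character alphanumeric password and a 5-word passphrase drawn from a list the size of the EFF long word list (7776 words). The tiny word list and the small denylist of common passwords are constructed for the example only.

```python
"""Passphrase generation and a rough strength comparison.

Added example for this post, not code from it. The word list below is a
tiny constructed sample; for real use take a published list such as the
EFF long word list (7776 words), whose size is used in the comparison.
"""
import math
import secrets

# Constructed sample word list: far too small for real use, shown only so
# that the code runs offline.
SAMPLE_WORDS = ["apple", "river", "candle", "orbit", "meadow", "falcon",
                "pepper", "glacier", "lantern", "velvet", "comet", "harbor"]
EFF_LONG_LIST_SIZE = 7776  # 6^5 entries, one per five dice rolls

# Constructed denylist standing in for a real breached-password list.
COMMON_PASSWORDS = {"qwerty", "123456", "password", "12345678", "iloveyou"}


def passphrase(words=5, wordlist=SAMPLE_WORDS, sep="-"):
    """Join `words` words picked with the secrets module (a CSPRNG)."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(picks, alphabet_size):
    """Entropy of a secret made of `picks` uniform choices from an alphabet.
    This measures the generator, not a human-chosen secret: a birthday or a
    pet's name has far less entropy than its length suggests."""
    return picks * math.log2(alphabet_size)


def compare_strengths():
    """Bits of entropy for the unlock options discussed in the post."""
    return {
        "6-digit PIN": entropy_bits(6, 10),
        "8-char alphanumeric (62 symbols)": entropy_bits(8, 62),
        "5-word passphrase (EFF long list)": entropy_bits(5, EFF_LONG_LIST_SIZE),
    }


def is_weak(secret, denylist=COMMON_PASSWORDS, min_len=12):
    """Reject denylisted secrets and anything shorter than `min_len`."""
    return secret.lower() in denylist or len(secret) < min_len


if __name__ == "__main__":
    print("example passphrase:", passphrase())
    for name, bits in compare_strengths().items():
        print(f"{name:36s} ~{bits:5.1f} bits")
    for candidate in ("123456", "qwerty", passphrase()):
        print(f"{candidate!r}: {'weak' if is_weak(candidate) else 'ok'}")
```

The comparison shows why point 1 matters: a 6-digit PIN carries about 20 bits, while five words from a 7776-word list carry about 65 bits, and a passphrase is still easier to type on a Mac than a random 11-character string of the same strength.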


A great feature of Keychain is that it detects compromised passwords, like most password managers. Hopefully, in the future, this feature is expanded so that the user is not only informed if a password is compromised but also if a saved website has enabled two-factor authentication: a simple notification saying that site x has introduced the possibility of using an OTP code and inviting the user to configure it.

Hey

Keychain is not perfect. In particular, there’s one thing I just don’t understand: once I’ve saved an item, I can no longer change the link to the website.

For example:

Website: https://www.simonemargio.im
Username: simo
Password: wowSoMuchStrongPassword


Once saved in Keychain, I can no longer edit the simonemargio.im website. WHY?

Another thing is that I would like Keychain to become a separate application both on macOS and iOS.
For iOS, you can configure a shortcuts command as a bookmark in the home, so just press the icon to open Keychain without having to go to the settings and scroll.

If you are interested here there’s the link to the quick command. Obviously, you can change the icon and the color as you prefer. The command is trivial but effective in its purpose.


On macOS, in my case using Alfred instead of Spotlight and I already have the shortcut to open the Keychain.

The macOS application “Alfred”. In Alfred’s prompt window the word “password” is typed. Alfred shows the result “Password”, which matches the “Password” application of macOS in Settings.

We will see what Apple has ready in the new updates at WWDC 2022. A few months! 🥳

Next

FIDO, based on the WebAuthn web standard, has started developing an authentication mechanism that does not use passwords. The goal is to eliminate the concept of the password and replace it with authenticated devices and cryptographic keys. In practice, you authenticate locally, without sending any of your secrets over the internet to the web server that validates you. The idea is not to memorize passwords but to hold cryptographic keys, which can be synchronized between your devices and are protected by your device’s biometric lock or passcode.

And not only that: the white paper goes further. It would allow one of your existing devices (a laptop, smartphone, watch) to act as a hardware token itself and provide physical authentication via Bluetooth. In other words, this would work exactly the same way as when your Apple Watch unlocks your Mac. You don’t need further checks, and you don’t have to enter any passwords, because you have already confirmed your identity.
So when you go to access a website on your Mac, for example, it checks that your iPhone or Apple Watch is within Bluetooth range and, if so, it would automatically log you in to the site without you providing any username or password.
Apple is inclined towards this way of implementation; here you can find a video that shows how Keychain is approaching a world without passwords.

Conclusion

In conclusion, regardless of which password manager you decide to trust, always keep a backup copy of your data, preferably somewhere offline, and avoid using qwerty or 123456 as a password.

Update Oct 12, 2022

After many requests, 1Password has released a new app for Apple Watch with new complications and allows for synchronizing other elements such as notes, WiFi passwords, and many other elements.

Although I no longer use their service, I consider AgileBits as one of those few companies that listen to the user base they have created. Well done! 👏

Update Mar 22, 2023, a year later 🚀

It has been exactly one year since I made the complete switch from 1Password to iCloud Keychain. Before going into the details, I would like to make a few considerations:

  • 1Password continues to be a valid alternative for those who use all its features or for those who want a lightning-fast learning curve for themselves, friends, and family.

  • My switch to Keychain is due to having restricted my devices to just a MacBook and an iPhone. Given the simplicity of this situation, paying a subscription for 1Password or relying on other managers is completely meaningless. I don’t need cross-platform support or any other feature and I can always have a backup of my passwords by exporting them as CSV.

  • Using Keychain has led me to an unlock password on iPhone and Mac with excellent entropy. I have already talked about this in the Security section, and it’s an essential point to avoid situations like this.


So, how’s the experience with iCloud Keychain?
Long story short, it all boils down to discipline and habits.

Anyone who has been in the same situation as me, used to a password manager like 1Password and then drastically switching to something simpler with fewer integrations like Keychain, well, this migration can lead to second thoughts.
As mentioned at the beginning of this post, a few years ago I already tried this migration, but due to Keychain synchronization problems with other devices, I went back to 1Password again.

And that’s where discipline comes into play. The first point was to manage and use Keychain as if it were the only service that offers the ability to store sensitive information. This concept can be applied to any situation in life when making a drastic change.

It may seem silly but a change leads the human being to feel a sense of “lack”, of error in what is his routine. I don’t want to go into details, also because it’s not my field of expertise, but just reflect on some changes you’ve had in your life that you weren’t able to accept at the beginning but that you later start to appreciate.

One wonders why discipline comes first and not habit.

The answer is simple: getting used to something is more complex than developing a discipline that imposes rules. Once the rules of the discipline no longer weigh on you, you move automatically from discipline to habit, considering the change no longer as a change but as part of your routine.

Quickly returning to the topic of security, Apple introduced Advanced Data Protection for iCloud, which encrypts much information, including photos, notes, drives and more, end-to-end. The information saved in Keychain is already protected with this encryption, but it can be a good idea to activate this feature for all other data.

However, leaving the philosophical sphere let’s go into detail on the elements that have made Keychain an essential element in everyday routine during this year.

Pro


  • Ecosystem

    Like any Apple product, Keychain is part of an ecosystem where the user only needs to access his iCloud account to have all his information at hand. Actually, to be more precise, Keychain synchronization requires not only the iCloud account but also the password of one of the devices where it has been synchronized in the past.

  • Integration

    If you have iCloud+ then Keychain syncs all logins that are made using the hide my email feature. With two clicks a random email is generated and then the credentials are saved.

  • Safari integration

    Full support for secure “auto-fill”. In the sense that Keychain offers a drop-down menu where the user can choose which of the saved credentials to use to log in.
    Therefore it is not a real auto-fill, as Keychain doesn’t enter the credentials as soon as the site loads, but only shows a simple and fast drop-down menu. Furthermore, entering credentials always requires Touch ID, Face ID, or the device password.

    So, even if you leave your device unattended and unlocked (which you should never do), authentication will still be required to access all passwords.

  • Synchronization

    As mentioned, I had some problems in the past but now I have to change my mind, the synchronization of any change that is made is instantaneous.

  • Apple style

    Keychain was designed as a password manager but in pure Apple style, i.e. the user completely forgets that it exists. Keychain is built in such a way that it requires no configuration, no applications to download, no update requests, has good compatibility with older generation devices, and above all it doesn’t try to do more than it’s supposed to do, but it does what it’s supposed to do well.

  • Sharing

    It’s certainly behind the sharing offered by other providers, but Apple allows you to share any saved credentials with AirDrop.

    The only negative point is that sharing creates a copy of the shared object and not a link. So if I share my Amazon account password, if I change the password in the future, the person I shared the Amazon account with will still have the old password.

    In reality, it’s also right that it works like this, but if you are used to using vaults on 1Password, you realize that Keychain needs a similar functionality.

  • Much more

    Keychain is a product that not only manages passwords for online accounts but also saves other information such as Wi-Fi passwords, credit cards, certificates, and more.

  • Note

    In addition to being able to manage two-factor authentication, you can add any note to the chosen credentials. For example, information such as the account name, the associated email for services that require a nickname to be able to access, and any other information can be saved.

    As a tip avoid saving 2FA seeds or recovery codes, better save this information somewhere else outside of Keychain.

  • 2FA

    An interesting feature is the ability to add the 2FA seed by simply right-clicking, or on mobile by holding down, the QR code to immediately match it to any previously saved credential.

  • Options

    Finally Keychain allows the user to use the suggested password, modify the suggested password, use the password chosen by the user, or create a password without any special characters but just as secure.

    These methods, therefore, allow you to adapt to various services that require specific criteria to register.

Con


  • Backup

    The only way to be able to export all the passwords saved in Keychain, up to now, is to have a device with macOS.

    This means that those who want to maintain a backup strategy for this information have two options: buy a product with macOS or use a virtual machine to export this information. The former is expensive and the latter is not exactly legal.

    I know that Keychain also supports Windows, but from what I understand exporting is not an integrated feature and you have to rely on third-party software, which I absolutely advise against, especially when it comes to closed-source software where you can’t know how our most valuable information is processed.

  • Passwords only

    Although Wi-Fi credentials, certificates, and other elements are managed, Keychain offers user interaction only with website passwords. There is no way to enter other information such as software licenses, documents, bank information, identity documents (identity cards, driving license), server access, and much more in Keychain.

  • Duplicate

    I have sometimes had to change the email associated with a service; to explain this problem, let’s use an example. I have only one credential saved in Keychain for this site:

    Website: https://www.simonemargio.im
    Username: simone@margio.com
    Password: wowSoMuchStrongPassword
    


    Suppose we want to change the email.

    So, I open Keychain, find the item I need and change the email from simone@margio.com to kawaii.symon@wow.com. Once the change has been saved, I should have only one item with the changed email; instead I find two. The first is:

    Website: https://www.simonemargio.im
    Username: simone@margio.com
    Password: wowSoMuchStrongPassword
    


    The one with the old email and the second one is the one with the new email:

    Website: https://www.simonemargio.im
    Username: kawaii.symon@wow.com
    Password: wowSoMuchStrongPassword
    


    Instead of a single element with the updated email, I find two, why?

    Mh, I don’t know; in the end I have to delete the old item.

  • Password history

    There is no password history. So if the user changes the password of a service via Keychain, the new password overwrites the old one. And if for some reason the service doesn’t accept the new password, since the user will no longer be able to access the old one, they will find themselves in a big problem.

  • Secure notes

    Keychain offers the possibility to create secure notes on macOS but these are only synchronized between devices with macOS itself. So if the user decides to save a software license using the notes on Keychain, they will be able to access the notes only from macOS and not from iOS, iPadOS, etc.

    Precisely for this reason, most users directly use the Apple Notes application which synchronizes on each device.

  • 2FA

    I’ve sometimes configured the 2FA code but the code I get right after the configuration doesn’t work. You have to wait for the code to expire and another one to be generated for the website to recognize the correctness of the code.

  • Passkeys

    Passkeys cannot be exported or saved in any way to keep them as a backup. A few weeks ago a user on Mastodon asked me why the user should export passkeys if they are synchronized between all devices.

    The answer is simple: portability, availability, and security.

  1. Portability: without the ability to export passkeys, the user remains tied to the Apple ecosystem. If you want to change password management software in the future, you would have to log in to each website and create a new passkey again.

    If instead we allow passkeys to be exported, the user would only have to load them into the new password manager.

  2. Availability: not all websites will necessarily allow the user to save more than one passkey. This means that if the user has a passkey on an Apple device, they will not be able to log in with their passkey on an Android device or share it with non-Apple devices.

    Having the ability to export the private key, the user can use a single key on multiple devices to access a website without problems.

  3. Security: this is an extreme case. Allowing passkeys to be exported may be counterproductive from a security point of view, but there are just as many users who know how to manage this sensitive information, and exporting would give them the possibility of creating backup and recovery strategies.

  • Prompt

    On some applications and websites Keychain doesn’t show the prompt to log in even though the credentials have been saved correctly.

    An example is my hosting manager, when 2FA is requested Safari shows the prompt but instead of copying the 2FA code it copies the password. But I think this is more of a “website” issue than Safari or Keychain.

  • URL

    URLs still cannot be changed after saving a login.

  • Login

    The URL problem creates this other problem, not being able to change the URL, the user may find himself in situations where the credentials are duplicated.

    For example, if I use Amazon.ca but also shop with the same account on Amazon.com, Keychain will not merge this information so that I have only one username and password for Amazon.ca and Amazon.com; instead, I will have two distinct items with the same information, except for the link.
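
To find the two kinds of duplicate described in the Duplicate and Login points, for instance before the monthly export into KeePassXC, here is an added Python example (not code from the post or from Apple) that audits a Keychain CSV export. It assumes the export uses the columns Title, URL, Username, Password and Notes; the sample rows are constructed from the examples in the post and contain no real credentials, and the report never prints a password.

```python
"""Audit an iCloud Keychain CSV export for the duplicates described above.

Added example for this post, not code from it or from Apple. Assumes the
export has the columns Title, URL, Username, Password, Notes. It reports,
without printing any password:
  - one username+password saved under several hosts (Amazon.ca / Amazon.com)
  - one host+password saved under several usernames (the leftover item
    after a username change)
"""
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit


def host_of(url):
    """Lower-case host of a URL; a bare host such as 'Amazon.ca' is accepted."""
    url = url.strip()
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower()


def same_credential_many_hosts(rows):
    """Username+password pairs that appear under more than one host."""
    hosts_by_cred = defaultdict(set)
    for row in rows:
        hosts_by_cred[(row["Username"], row["Password"])].add(host_of(row["URL"]))
    return [{"username": user, "hosts": sorted(hosts)}
            for (user, _pw), hosts in hosts_by_cred.items() if len(hosts) > 1]


def same_host_many_usernames(rows):
    """Host+password pairs stored under more than one username."""
    users_by_site = defaultdict(set)
    for row in rows:
        users_by_site[(host_of(row["URL"]), row["Password"])].add(row["Username"])
    return [{"host": host, "usernames": sorted(users)}
            for (host, _pw), users in users_by_site.items() if len(users) > 1]


def audit_csv(text):
    """Run both checks over CSV text and return the findings."""
    rows = list(csv.DictReader(io.StringIO(text)))
    return {"cross_host": same_credential_many_hosts(rows),
            "renamed": same_host_many_usernames(rows)}


# Constructed sample export built from the post's examples; no real secrets.
SAMPLE_EXPORT = """Title,URL,Username,Password,Notes
simonemargio.im,https://www.simonemargio.im,simone@margio.com,wowSoMuchStrongPassword,
simonemargio.im,https://www.simonemargio.im,kawaii.symon@wow.com,wowSoMuchStrongPassword,
Amazon CA,https://www.amazon.ca,simo,ExampleAmazonPass1,
Amazon US,https://www.amazon.com,simo,ExampleAmazonPass1,
Forum,https://forum.example.org,simo,ExampleForumPass2,
"""

if __name__ == "__main__":
    findings = audit_csv(SAMPLE_EXPORT)
    for item in findings["cross_host"]:
        print("same credential on several hosts:", item["username"], item["hosts"])
    for item in findings["renamed"]:
        print("several usernames for one host:", item["host"], item["usernames"])
```

The second check lists the stale item left behind by an email change, which you then delete by hand; the first check only flags the Amazon-style pairs, since Keychain cannot merge them and the duplicate is harmless as long as both items share the same password.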

 

 

Changes

The only changes I’ve made this year are:

  • New folder management for information such as licenses, individual passwords, etc.
    The arrangement takes as an example all the item types that 1Password allows you to save; furthermore, all the subfolders have been eliminated to make it easier to search for information via the Notes search bar.

    Here is the old configuration, instead below the new one.

    Apple’s “Note” application. The ordering of the folders is defined as follows: notes, credit card, crypto, document, device, discounts, identity, bank, wireless, work, personal, recipes, servers, Software License, and Travel. The notes that contain sensitive information are blocked with a code.

  • Export all passwords every month and manage them with KeePassXC. In turn, the KeePass database is backed up on multiple local and network disks.

Conclusions

As in last year’s conclusions, using any* password manager is better than not using one at all.

The transition from 1Password to Keychain, as you can see, is not painless and you have to give up many things. My advice is to consider whether your password manager subscription is the right subscription. Right in the sense that you use most of the features that the manager itself offers.
As already mentioned at the beginning of this post, 1Password offers a fair price for what it offers but in my case all those features were not needed.

Again, for those looking for alternatives, in addition to 1Password Bitwarden is also a great choice.
Always protect your most precious information.


*With the exception of LastPass 😅
