iOS 7 preview: iCloud Keychain aims to make security more convenient

iCloud Keychain promises to generate, store, sync, and populate all your passwords across all your iOS 7 devices, and OS X Mavericks on the Mac.

iOS 7 adds an incredibly important set of new features to Apple's Safari web browser - the ability to generate, store, and fill passwords. Sure, there have been third-party apps that have done this, and more, for years. But when the functionality is baked into the OS, even when it's only the basest level of functionality, there's a greater chance that more people will use it. And more people really need to use a password manager, and the unique passwords they enable. Yes, it's security week on Talk Mobile, so there's no better time to talk about mobile security, and passwords.

Here's what Apple has to say about iCloud Keychain:

iCloud Keychain. Lots of things you do on the web require passwords. Now iCloud can remember your account names, passwords, and credit card numbers for you. And Safari will enter them automatically whenever you need to sign in to a site or shop online. It works on all your approved iOS 7 devices and Mac computers running OS X Mavericks. And with 256-bit AES encryption, it’s highly secure.

Password Generator. Every time you create an account, you can have Safari generate a unique, hard‑to‑guess password. And remember it for you.

Apple only mentioned iCloud Keychain in passing during WWDC 2013's iOS segment; they gave it much more attention during the OS X Mavericks segment. However, they did announce that it'll work on Safari on iPhone, iPod touch, and iPad just like it does on the Mac.

iOS 7 should provide the same functionality, namely:

  • The ability to generate strong, unique passwords, ensuring no two websites or services are the same.
  • The ability to store the passwords so you don't have to remember them.
  • The ability to sync the passwords to your other iOS devices, or to your Macs.
  • The ability to autofill your passwords so you don't have to type them in.
  • The ability to store and fill credit card information.

It's almost impossible for we mere humans to create truly random passwords - the mix of numbers, letters, and symbols that create something hard to guess and not subject to simple dictionary attacks. Having the operating system create, if not truly random, then pseudo-random-enough passwords ensures something that's not predictable or easily guessed.

Since trying to remember passwords leads to short, oft-repeated passwords, storing them securely is a must as well, as is syncing them to other devices. Unlike 3rd-party password apps which can support non-Apple platforms, however, iCloud Keychain only syncs to Apple devices. If that's all you use, that's fine. If not, you may not find it as useful. However...

On iOS, no third-party apps can integrate with Safari, like they can via extensions on the Mac. That means third-party password apps have to build in their own browsers. For some people, that's not an issue. For others, Safari is the browser they want to use. If that's the case, then even if you're multi-platform, iCloud Keychain could be an important secondary password management tool. If third-party apps are allowed to or figure out how to sync with iCloud Keychain as well, it could be an excellent secondary tool.

Likewise with storing credit card information. Given that entering passwords and payment information on mobile in general, and the iPhone and iPad in specific can range from annoying to infuriating, autofill is incredibly convenient.

To that point, Apple hasn't said yet whether or not iCloud Keychain will work beyond Safari. The presentation bundled it into Safari, but will it work in the Home screen container? Will it work in UIWebView inside other apps? Will it one day be extended to work in UIKit for apps in general, and if so, how do you prevent abuse? Autofilling a Gmail or Netflix login into an app via iCloud Keychain would be more convenient than cutting and pasting in a strong, unique password, after all, just like the app.

And what about keeping all that data safe? With third-party password apps, you typically need to enter a passcode or master password before it "unlocks" the rest of your passwords. Apple hasn't really shown off what protects your passwords in the iCloud Keychain system yet. Is there a Passcode or master password? Does it use the device passcode or is there a separate way to unlock iCloud Keychain. If not, how can you lend someone your device, when they could log in to any of your services or use any of your payment systems? Or if someone gets access to your iPhone, iPod touch, or iPad, what stops them from getting access to all your credentials?

Perhaps the oft-rumored thumbprint reader will play a roll in this, and will add a second factor to the defensive depth of the system. Perhaps not. Right now, the user experience part of the system looks fantastic, but a lot about the security remains under NDA, and to be seen once it's in the wild and getting hammered on.

That'll happen when it ships as part of iOS 7 this fall. In the meantime, let me know - do you currently plan to use it?