iCloud Keychain and why it's not going to improve security habits... yet
iCloud Keychain, which ships as part of iOS 7 and OS X Mavericks, is Apple's attempt to help mainstream iPhone, iPad, and Mac owners get better at managing and protecting their passwords and credit cards, with minimal inconvenience. With random password generation, autofill, and iCloud sync, it holds a lot of promise. Unfortunately, it may not be enough for everyone, at least not yet. Here's why...
Obviously, iCloud Keychain is completely tied into the Apple ecosystem. Unfortunately, this is exactly what will cause it to break down for many people, and almost immediately. Let's start with the random password generator. In theory, when you need to create a new password, you simply let iCloud Keychain pick a secure, strong one for you and you get on about your business. But let's say you do that in Safari on your iPhone, and then go to Chrome or Firefox on your Mac. What happens? What if you go to Windows at work? As you've probably guessed, nothing. You'll have to jump back to your iPhone and retrieve the password iCloud Keychain generated for you, which is cumbersome to say the least.
For Mac users who are strictly dedicated to Safari, the password generator feature of iCloud Keychain may be a perfectly acceptable, and free, option. For people who use other browsers, or other platforms, it's going to be a non-starter.
Same with the autofill. Safari can remember your existing passwords as you enter them, but once you've saved them to iCloud Keychain, they're still only usable in Safari. You can't use them with Web.app (the framework that pins websites and web apps to your Home screen), or with embedded web views in other apps.
Some websites also prevent passwords from being remembered - a security feature intended to prevent people from having their passwords saved on public machines. That can sometimes be overcome by toggling "Allow AutoFill even for websites that request passwords not be saved", sometimes not.
Consistency is a feature. For iCloud Keychain to really take off, and really help more people be more secure, it has to be almost everywhere and work almost all the time. Right now, that's simply not the case. Right now, iCloud Keychain is only in Safari, and only works most of the time there.
For some, that might be enough. For many, I suspect, it'll be a showstopper, and they'll stick to third-party apps like 1Password or LastPass, or worse, stick to the same, simple, insecure old password everywhere.
I'll be doing the former. 1Password doesn't get the same Apple-level access, which would be ideal, but it works 100% of the time on 100% of the platforms I use and that's more valuable to me than anything iCloud Keychain currently has to offer.
At least on the Mac, Apple has the standalone Keychain app that other apps can tie into for password storage. Maybe some form of Keychain app or system-level service on iOS could provide similar functionality? After all, if there's one thing that benefits people almost as much as security, it's ubiquity.
Are you using iCloud Keychain? If so, let me know how it's working for you. If not, let me know why not!