iOS 7 preview: iCloud Keychain aims to make security more convenient

iCloud Keychain promises to generate, store, sync, and populate all your passwords across all your iOS 7 devices, and OS X Mavericks on the Mac.

iOS 7 adds an incredibly important set of new features to Apple's Safari web browser - the ability to generate, store, and fill passwords. Sure, there have been third-party apps that have done this, and more, for years. But when the functionality is baked into the OS, even when it's only the basest level of functionality, there's a greater chance that more people will use it. And more people really need to use a password manager, and the unique passwords they enable. Yes, it's security week on Talk Mobile, so there's no better time to talk about mobile security, and passwords.

Here's what Apple has to say about iCloud Keychain:

iCloud Keychain. Lots of things you do on the web require passwords. Now iCloud can remember your account names, passwords, and credit card numbers for you. And Safari will enter them automatically whenever you need to sign in to a site or shop online. It works on all your approved iOS 7 devices and Mac computers running OS X Mavericks. And with 256-bit AES encryption, it’s highly secure.

Password Generator. Every time you create an account, you can have Safari generate a unique, hard‑to‑guess password. And remember it for you.

Apple only mentioned iCloud Keychain in passing during WWDC 2013's iOS segment; they gave it much more attention during the OS X Mavericks segment. However, they did announce that it'll work on Safari on iPhone, iPod touch, and iPad just like it does on the Mac.

  • OS X Mavericks preview: iCloud Keychain promises relief from password hell

iOS 7 should provide the same functionality, namely:

  • The ability to generate strong, unique passwords, ensuring no two websites or services share the same one.
  • The ability to store the passwords so you don't have to remember them.
  • The ability to sync the passwords to your other iOS devices, or to your Macs.
  • The ability to autofill your passwords so you don't have to type them in.
  • The ability to store and fill credit card information.

It's almost impossible for we mere humans to create truly random passwords - the mix of numbers, letters, and symbols that create something hard to guess and not subject to simple dictionary attacks. Having the operating system create, if not truly random, then pseudo-random-enough passwords ensures something that's not predictable or easily guessed.

Since trying to remember passwords leads to short, oft-repeated passwords, storing them securely is a must as well, as is syncing them to other devices. Unlike 3rd-party password apps which can support non-Apple platforms, however, iCloud Keychain only syncs to Apple devices. If that's all you use, that's fine. If not, you may not find it as useful. However...

On iOS, no third-party apps can integrate with Safari, like they can via extensions on the Mac. That means third-party password apps have to build in their own browsers. For some people, that's not an issue. For others, Safari is the browser they want to use. If that's the case, then even if you're multi-platform, iCloud Keychain could be an important secondary password management tool. If third-party apps are allowed to or figure out how to sync with iCloud Keychain as well, it could be an excellent secondary tool.

Likewise with storing credit card information. Given that entering passwords and payment information on mobile in general, and on the iPhone and iPad in particular, can range from annoying to infuriating, autofill is incredibly convenient.

To that point, Apple hasn't said yet whether or not iCloud Keychain will work beyond Safari. The presentation bundled it into Safari, but will it work in the Home screen container? Will it work in UIWebView inside other apps? Will it one day be extended to work in UIKit for apps in general, and if so, how do you prevent abuse? Autofilling a Gmail or Netflix login into an app via iCloud Keychain would be more convenient than cutting and pasting in a strong, unique password, after all, just like the app.

And what about keeping all that data safe? With third-party password apps, you typically need to enter a passcode or master password before it "unlocks" the rest of your passwords. Apple hasn't really shown off what protects your passwords in the iCloud Keychain system yet. Is there a passcode or master password? Does it use the device passcode, or is there a separate way to unlock iCloud Keychain? If not, how can you lend someone your device, when they could log in to any of your services or use any of your payment systems? Or if someone gets access to your iPhone, iPod touch, or iPad, what stops them from getting access to all your credentials?

Perhaps the oft-rumored thumbprint reader will play a role in this, and will add a second factor to the defensive depth of the system. Perhaps not. Right now, the user experience part of the system looks fantastic, but a lot about the security remains under NDA, and to be seen once it's in the wild and getting hammered on.

That'll happen when it ships as part of iOS 7 this fall. In the meantime, let me know - do you currently plan to use it?

Rene Ritchie


  • The sharing of the device is the odd part. As the owner can you grant access in layers or is it all or nothing? I can see where this could get complicated pretty fast if you give the user the granularity that they will likely be screaming for the minute they implement this. Besides, Apple is a very large target. Hackers working for fun, profit or espionage are likely taking shots at Apple every second....just like every other major company. I don't think I can afford that much convenience. I think I'll stick with my cumbersome, paranoid, old-school security setup. My password DB in a hidden Truecrypt volume is of little interest to anyone.
  • My current password stable is so dumbed down butt backwards canine minded it would take an imbecile to figure them out. That said, I will keep my eye on this keychain thing even though I use a different OP for phone tablet and laptop.
  • How will iCloud Keychain work with apps? It has to, right? No one could remember all those unique passwords. Most of us use banking, credit card, insurance, etc. apps. Are we copying and pasting every time we want to enter an app? Can't have one password for your desktop (Safari) and another for an app....
  • Rene,
    Can you please do a video review of how iCloud Keychain works, e.g. showing how passwords fill in, etc.? I've searched YouTube and the Internet, nothing around. Thanks.
  • Once iOS 7 launches and it's no longer under NDA, absolutely.
  • thanks
  • I have been assuming that iCloud would remember the login data and the fingerprint authenticator would then insert the stored data into the login fields. Yes? No?
  • It seems that this feature must be enabled manually in the settings. Seems to work great, and it's very nice having it built into Safari.
  • Will this make it easier or harder for the NSA to access our data? I'm guessing easier. "It's almost impossible for we mere humans...pseudo-random-enough passwords ensures something that's not predictable or easily guessed" - that's nonsense. Unlike computers, humans can and do create random sequences, but both are equally vulnerable to brute force attacks, there is no real advantage from computer generated over human generated passwords. Granted that people usually do not try to create random passwords, but that's another matter, the point is that they are perfectly able to do so.
  • To further the point, although true randomness is still open for debate, it's easier to study thousands of passwords generated by the same system, than thousands of passwords generated by the same person, which would probably make human generated passwords safer than computer generated ones, given that the person is trying to generate random passwords.
  • I've used OnePassword on my iOS and OSX devices for several years now and have used their password generator to create what must be 100's of passwords by now. It happily and effortlessly syncs the data between all of them. My only complaint is that their internal browser required for use with iOS devices is a very kludgy solution. I do all my browsing in Safari so the iOS7's integrated Keychain could be a very tempting solution. My biggest question is will there be a simple way to import all the passwords I've already generated into the Keychain? Or better yet, as Rene hints, perhaps some way the Keychain lets OnePassword work more seamlessly with Safari...
  • Sadly, as Rene has alluded to, there are too many niche cases where this will actually put a stop to any productive work I'm doing. I am all Mac/iOS at home, but work in the Windows world at work. There are also too many apps that don't use Safari but their own login (i.e. the majority). And since Safari ceased at 5.1.7, I can't see Apple releasing Safari 6 (or 7 later). And even if they did, I can't use Safari at work. So either a) I need to not use this, and use a complex (but common) password, or variations of it, for most of my stuff, b) go through the pain of manually plugging in passwords on the Windows machine (assuming I can gain access to plain text versions of the passwords on the device with authentication), for each site/app I want to access, or c) go with a third party, cross-platform solution. I'm leaning toward a at this point. At some point, I'm going to not have access to all my passwords when I need them, and need a way to access it and plug it in, without remembering a standard password or variation of said password.