Add Two-Factor Codes to Password Entries in iOS 15, iPadOS 15, and Safari 15

Originally published at: Add Two-Factor Codes to Password Entries in iOS 15, iPadOS 15, and Safari 15 - TidBITS

With iOS 15, iPadOS 15, and Safari 15 for macOS, you can add two-factor authentication codes directly to password entries. When you log into a website or app later, the token auto-fills, saving fuss.

I assume this syncs across platforms (macOS, iPadOS and iOS) for all devices logged into the same Apple ID? I don’t think that was made clear in the article (though I may have missed it).

It syncs via iCloud Keychain like all other passwords and associated details if you have iCloud Keychain enabled. But we did not mention that!

…and now we’ve updated the article. Thanks for the catch!

1 Like

I’m surprised Apple would do something like this. Doesn’t this completely defeat the purpose of having 2 factors? When they are both stored together and autocompleted by the same system?

1 Like

It’s not obvious, but it doesn’t violate the principle: something you know and something you have:

  • A password can be possessed by anyone and, between times you change it, it’s fixed. In most, nearly all cases, someone can log in from anywhere in the world knowing the email address or account name and password for an account.
  • A second factor that is something you have has to be provably in your possession. The way to do that is to slice time—because that means you had a thing in your hand (probably) at an exact point in time. Because there’s an enrollment for 2FA, the secret part is settled then. The secret typically cannot be extracted, only a new one generated, which often results in an email notification that it happened.

The Apple verification code in Passwords is much more reliable than an SMS as a result. You have to have an iPhone, iPad, or Mac, be able to unlock it, and be able to validate your access to the code with password, Touch ID, or Face ID as well.

2 Likes

But if somebody has your password, they can use it both as the password and also to get the token, right? Isn’t the problem that Apple is putting the token behind the same system that also safeguards your other password? In that sense the two are no longer independent. Sure, initially the secret was exchanged and linked to you. But if now in the meantime your password has become compromised and somebody else claims to be you, how does this system stop them? I realize SMS can be a problem (if you cannot protect yourself from SIM hijacking), but at least there it appears the two systems used for authentication are entirely independent. A phone number and an iCloud account. Same goes for the little code generator fobs. But having your password locked by the same system that is locking your second token? Not sure how that can be considered 2 independent factors.

1 Like

No, because the items stored by Apple in a local keychain are only accessible on the device and only with an administrative password on a Mac (or in some cases, Touch ID), or the device password, Touch ID, or Face ID (depending on circumstances) in iOS and iPadOS.

If iCloud Keychain is enabled, there is no access to password entries, including the stored secrets for TOTPs, except on validated end-point devices: any of your iPhones, iPads, or Macs. To add a device to iCloud and have it gain access to iCloud Keychain or enable iCloud Keychain on a device already logged into iCloud, you have to go through a validation process that requires entering the device password of another device in the set in order to receive appropriate encryption keys.

So the only way someone can access a stored verification code:

  • Gain access to your device and know the device password to unlock it. If they already can do that, it’s somewhat game over in general.
  • Use another device to add it to your iCloud Keychain set. To do that, they have to know your iCloud account name and password, obtain a two-factor validation code, and then enter the device password of another one of your pieces of hardware. In the meantime, email will be sent for the login to the Apple ID account’s registered address.

So I don’t see how someone can gain access to both the password on your device and the TOTP without the conditions above, which means that someone has heavily compromised you already. An additional safeguard would be not using Apple’s system, but a third-party one, like 1Password, and relying on a separate strong password to unlock the 1Password vault. But if someone has managed to obtain all your other keys and secrets, I can’t imagine that however you stored the 1Password secret (unless memorized), it wouldn’t be obtainable too.

1 Like

Well with this system, yes.

But if you didn’t get your token from that same system, but instead from something independent like SMS or a code fob, you’d still have a fighting chance. When push comes to shove, I don’t know how much time I’ll need to set up a new iCloud password, block accounts, or lock my stolen device. But I’d like to know I have given myself at least some, and not nothing at all.

I guess I just don’t like the idea of putting all eggs in one basket, even if that basket is very convenient. Personally, I’d prefer focusing on what fixes the other basket (so, for example, ensuring SMS tokens are safe because SIM jacking has been prevented) than getting rid of the second basket altogether. To that extent, in the US (where I suppose this problem is most prevalent) customers can ask T-Mobile to secure their SIM/phone number from transferral. I’d expect other carriers have similar systems in place. In two countries I worked in Europe I already knew nothing would happen to my SIM/number without me showing up with government photo ID in their store first. IMHO the way it should be.

There is nothing forcing you to add 2FA codes to iCloud Keychain, so, don’t. Use another method instead. Probably the safest for you is a fob or device such as a Yubikey. But Glenn’s response is correct. In order for somebody to gain access to your iCloud Keychain, there are a lot of hoops to jump through, and the iCloud Keychain is end-to-end encrypted; even Apple cannot access it without the passphrase to one of your trusted devices.

I have one or two accounts with 2FA in my 1Password vault, just for convenience, but they are accounts I really don’t care about all that much. Most of my totp 2FA codes are stored in another way.

2 Likes

To answer this part, though all US carriers allow customers to add some sort of PIN to their account to prevent sim-jacking, there are reports of thieves who are able to sim-jack simply by bribing customer service agents when they call. So it’s not a perfect solution.

One of the nice things about using a password manager without 2FA is allowing someone to take over your identity in an emergency or death.

In the case of LastPass, for example, you designate your executor as “trusted” in Emergency Access and specify how long you have to deny an access request. Then, when the time comes, all the executor needs to do is request access to your password vault and wait the specified time. (Obviously, the denial period has to be long enough that in normal situations you are confident that you’d get the request in time to deny it. The assumption is that if you haven’t denied the request within this period, you must be incapacitated.)

For a better explanation, see:

How can you give your executor your digital legacy with 2FA turned on?

1 Like

I have used TOTP authentication for many years now. At first it was just a few sites. When 1Password implemented it I moved over from Google Authenticator. As soon as a new site offers TOTP I add it to 1Password. I do not use Apple Keychain except for Wi-Fi passwords. I wonder if the user interface with Apple’s password management is working better than 1Password’s. Is this a reason for me to move over TOTP sites to Apple’s password management?

One other thing. I guess Apple’s password management only works for Safari?

FWIW I’m now using this implementation to access 1Password.com itself.

Smart, thanks for the tip!

Is the TOTP information included in password-protected iOS backups?

Great question. Password items are only included in encrypted local backups made via iTunes (pre-Catalina) or the Finder; they are not included in unencrypted local backups, nor in iCloud backups.

Keychain entries are only synced among devices using end-to-end encryption, so they’re not available in an Apple-encrypted form (only a device-encrypted one) on iCloud.com.

Oh, interesting. That makes sense—you need them backed up if you back up to the Mac and don’t use iCloud at all. But if you do use iCloud, as long as you turn on iCloud Keychain, they’re essentially backed up there, even if you have only one device.

Still too much work needed to use two-factor authentication for it to be worthwhile using. (But may change my mind if I get fully hacked – had to change passwords a few times, including Apple forcing me at one time for one account, and they had partly guessed a password in a phishing message, but nothing serious for the last 30 years – worst has been Yahoo refusing me to gain access to my own account, but no serious people have used them lately anyway …).

After the fact, accounts and TOTP managers do not give you ready access to the secret (which is encoded in the QR code). That’s because it’s highly risky to do so. However, I have several TOTP programs, some more convenient in some situations than others, and some don’t share across devices and OSes. And if a particular app ceases being supported, I want a fall-back. So recognizing that this is risky, I save the QR codes (or secrets) to print, and add them to all my TOTP apps. I store the printouts in a safe place.
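Two points in this thread are easier to see in working code: Glenn’s explanation earlier that the second factor works by “slicing time” (the code is an HMAC of a secret fixed at enrollment and the current 30-second counter), and the post just above noting that the secret is what the enrollment QR code encodes. The following Python example is added here for illustration and is not from the original thread, nor from Apple, 1Password or Google. It assumes the QR code carries an otpauth:// URI (the Key URI format commonly used for enrollment; the thread itself does not name the format), parses a constructed URI with a made-up label and issuer, computes HOTP/TOTP as specified in RFC 4226 and RFC 6238, and checks the result against the test vectors published in those RFCs.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# RFC 4226 / RFC 6238 test secret: ASCII "12345678901234567890", base32-encoded.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Constructed enrollment URI (the kind of text an enrollment QR code encodes).
# Label and issuer are made up; the secret is the RFC test secret above.
DEMO_URI = (
    "otpauth://totp/Example:alice@example.com"
    "?secret=" + RFC_SECRET_B32 + "&issuer=Example&digits=6&period=30"
)


def parse_otpauth(uri):
    """Parse an otpauth:// URI into its enrollment parameters.

    This is everything a TOTP app keeps after scanning the QR code; the
    'secret' field is the value the thread warns is risky to expose.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI lacks a secret")
    return {
        "type": parsed.netloc,                      # "totp" or "hotp"
        "label": unquote(parsed.path.lstrip("/")),  # e.g. "Issuer:account"
        "secret": params["secret"],                 # base32, no padding
        "issuer": params.get("issuer"),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").upper(),
    }


def hotp(secret_b32, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC(secret, counter), dynamic truncation, mod 10^digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    msg = struct.pack(">Q", counter)  # 8-byte big-endian counter
    digest = hmac.new(key, msg, getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at_time=None, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP with the counter = floor(unix_time / period).

    Every instant inside the same 30-second slice yields the same code, and
    the next slice yields a different one; that is the 'slicing time' idea.
    """
    if at_time is None:
        at_time = time.time()
    return hotp(secret_b32, int(at_time) // period, digits, algorithm)


def verify_totp(secret_b32, code, at_time, period=30, digits=6,
                algorithm="SHA1", skew=1):
    """Server-side check: accept the current slice plus `skew` slices either
    side (to absorb clock drift), using a constant-time comparison."""
    step = int(at_time) // period
    for delta in range(-skew, skew + 1):
        expected = hotp(secret_b32, step + delta, digits, algorithm)
        if hmac.compare_digest(expected, code):
            return True
    return False


def demo():
    """Walk through enrollment parsing and code generation; returns results."""
    entry = parse_otpauth(DEMO_URI)
    return {
        "issuer": entry["issuer"],
        "code_at_59s": totp(entry["secret"], 59, entry["period"], entry["digits"]),
        "code_at_60s": totp(entry["secret"], 60, entry["period"], entry["digits"]),
        "rfc6238_sha1_8digit_at_59s": totp(entry["secret"], 59, digits=8),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The RFC test vectors make the behaviour checkable: with the RFC secret, counter 0 gives 755224 and counter 1 gives 287082, so every time between 30 and 59 seconds after the epoch produces 287082 and the code changes at second 60. The `verify_totp` helper shows the server-side half of the exchange, including the small drift window most services allow; nothing in the example needs network access or any real account.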

It’s been quite a while since this article was written, but here’s some information that is new since it was written:

  • Google Authenticator now gives you the option to synchronize devices via your Google account. I keep it turned off, but you can do it.

  • Google Authenticator lets you export TOTP seeds. You select the ones you want to export and it generates a QR code, which you can scan from another device. This makes it possible to migrate codes to new phones/devices without needing to sync them through Google’s cloud servers.

    You can also screen-shot that QR code if you want to archive a copy of your seeds. Of course, keep this image very secure, since it will grant an attacker access to any accounts secured by those TOTP codes. I keep a printed copy in a locked file cabinet for emergency use only. You could also use this to migrate from Google Authenticator to Apple’s system, should you not be able to import the code directly.

4 Likes