Why Apple Asks for Your Passcode or Password with a New Login (and Why It’s Safe)

Originally published at: https://tidbits.com/2019/09/26/why-apple-asks-for-your-passcode-or-password-with-a-new-login-and-why-its-safe/

Logging into a new Apple device may result in a prompt that asks you for the passcode or password of another one of your devices. Glenn Fleishman explains why this happens and why it’s a good idea.

When I got a new phone recently it was asking me for a password and I put in my iCloud password and then realized it was for a MacBook Air that I keep around and use 2-3 times a year. I thought that was unusual, but knew the (not very secure) password I use with it. Glad this explains why.

There has been a longstanding bug in using iTunes to sync between phone and Mac. (Apple Support says it is a known bug and that it might be fixed in some future release.) I mention that only to let you know why I have spoken with Apple Support about syncing Contacts, three different times over the last several months.

I had never used iCloud, because I keep data in Contacts that I am required by Federal law to not disclose. So I can’t give that data to Apple. Because iCloud is Apple’s recommended option, I have closely questioned the support person about encryption of my data on each of these three calls. Each time I have been told–in no uncertain terms–that Contact data is always encrypted when using iCloud.

Correct me if I am wrong, folks:

  • Contact data is revealed to Apple when iCloud is used for syncing.
  • There is no good business reason to not teach every support person that.
    And to insist that they tell customers the facts on every call.
  • There is no technical reason to not encrypt end-to-end.
  • There is no excuse for not providing on-line documentation of the facts.

I’m not quite sure what you’re looking for, but as I understand things, for Apple to display your contacts at iCloud.com, it must have the encryption key necessary to decrypt the data. So the contact data is encrypted in transit and at rest, but Apple could be legally forced to disclose it.

If you follow the link in the article to the page in which Apple explains how it secures different data, it makes it completely clear that contact data is only encrypted in transit by Apple and at rest by Apple using keys Apple has.

I agree! When they built the system, there was. Now, modern browsers all support in-browser encryption, as I discuss in the article. So if I were Queen or King of Apple, I would be revamping calendars and contacts at the very least to use end-to-end encryption and require using device-based approval to pass decryption information to a browser (the iCloud password shouldn’t be used, as I note in the article).

Given Apple can enable Safari to manage Apple Pay from a browser, I am positive they could end-to-end encrypt contact info.

Third-party apps already consult a central repository of information for calendars and contacts, so they would just need perhaps extra permissions in iOS/iPadOS/macOS to make that work with end-to-end encryption.

And Apple does have the keys, so they have the ability to decrypt if required.

I have seen this prompt at least twice, and trial and error convinced me that the message should read something like, “Enter an Admin password that would unlock the Mac…”. As I understand the article, that shouldn’t be the case, but I believe entering my user password was never successful.

Very nice article, Glenn. I love it when TidBITS ends up explaining something that not even a serious search on Apple.com or any KB articles would spell out. Big round of applause. :clap: :slight_smile: :+1: :heart_eyes:

I have one question since you mention iCloud Keychain. I have in the past never used it and I admit it’s because I was being deliberately paranoid. To me it just felt a bit too much like putting all eggs in one basket. I figured, if I use that and Apple or I somehow get hacked, that person will not just have access to the hacked device/account or to some passwords, but with iCloud Keychain, that hacker would effectively have ALL my passwords. I use primarily two devices (MBP and Phone) and there’s only a handful of passwords I use on both devices so in the past I felt having to update these passwords twice was a small price to pay for not having all those eggs in that one iCloud basket. But now reading your most interesting article I get the impression that this might have been not just paranoid, but actually misguided because, as I understand, Apple actually never has access to those user/pass combos stored in iCloud Keychain thanks to E2E encryption — only my devices can display those user/pass combos. In essence, even Apple getting seriously hacked (not something I’m actually worried about, but again, for the sake of argument being a tad paranoid) would not be enough to expose my user/pass data. For that to happen, I myself would have to get hacked. Is that correct? In that case I suppose you could reasonably argue, that if I’m being careful enough not to fall victim to social engineering etc. I’d be safer using iCloud Keychain after all since it enables me to use super long and hard passwords that are frequently changed. Am I missing something here in your opinion?

That’s correct. I would never store my passwords in a system in which obtaining a password and plugging it into a Web site would give someone access to my data. Long ago, LastPass had such a password-based central model, while 1Password avoided Web-based access for the same reason. LastPass swapped out to browser-based encryption and no transmission of your password and 1Password added its Web option for the same reason.

iCloud Keychain was engineered from the start with a similar philosophy, which is why I’ve always used it. It has a design philosophy that really requires end-point device and credential acquisition. Even if someone has your iCloud password, they can’t obtain iCloud Keychain entries without the passcode of another device. Even if someone obtains your second factor in a 2FA account, iCloud.com doesn’t make this information available even in encrypted form. You have to be on an Apple device, logged in to iCloud, validated with two-factor if enabled, and then enter the passcode of another device in your set to even get the data synced!

A compromise of Apple’s systems would still require code changes at iCloud and in iOS, iPadOS, or macOS that would allow password acquisition in order to view your decrypted passwords. Seems very unlikely!


Thanks, Glenn. That really helps clarify.

In your experience, are there any pitfalls to turning on iCloud Keychain on your Macs and iDevices when those devices have in the past already been used to save a lot of user/pass data? Anything special to look out for? Or just turn it on and forget?

Great question—because it’s managed through Keychain in iOS/iPadOS and macOS on each device, iCloud Keychain seems to handle merging data sets fine. I can’t think of a problem I’ve had with it.

Really great to know. Many thanks, Glenn! :slight_smile:

I was never notified of the 1.0.3 update to your book, Glenn, so I went to my TCO library and downloaded it from there.

I’m not sure how @joe is handling that, so I’ve tagged him in. Do you get other updates?

Thanks for this detailed analysis. I have seen what I imagine is a related behaviour - I have not been able to nail down the circumstances.

But it seems to be that (sometimes) I try to log in to iCloud.com on a desktop browser, and a screen appears wanting a code that it says it has sent to another device. But the code then appears as a popup on that same machine. I enter the code, and all is good. But I don’t feel like this is adding any security! Any ideas?

I have actually written entire articles about this! It’s a little weird, but Apple’s version of a second factor is not fully accepted by security experts as being a true second factor. It’s sometimes a 1.75-factor or some such approximation.

When you log in to your Apple ID with two-factor authentication from a computer that is logged in to your iCloud Apple ID, that computer is a trusted device. When you use the browser, the browser (even Safari) has no way to check whether it is running on a trusted device. It’s probably a bad idea for it even to try.

So when Apple sends you a code on the same device, it’s really a confirmation that you have a trusted device (your computer) in your possession to validate the login. It feels weird, but it’s two separate modalities: a browser and the trusted device.

Yes, Glenn, I get update notifications of my purchased TCO books; of course I can also click a link in a TCO book to see if there are any updates. I looked for something similar in the 1.0 edition of your book but I didn’t see it.

I don’t get asked for passwords of my other hardware, but I do get asked REPEATEDLY to enter my Apple ID password in Settings on my iDevices even though I have done so ad nauseam.
