Why Apple Asks for Your Passcode or Password with a New Login (and Why It’s Safe)

If I understand the question, the answer is worse than @glennf said. Recently I needed to re-authenticate for iCloud access on a Macintosh, and part of the process asked for something like the password you use to access this computer. It turned out that it wanted the Admin password for that computer, not the password of the user account that needed to re-authenticate. Similarly, an iOS device asked for the password for a Macintosh computer, but didn’t specify which account. Apple surely could have designed a better interface.

Yes, I think this security feature is poorly explained, undocumented, and confusing, despite having a worthwhile purpose that shouldn’t be bypassed. As I note, if you try to search for the message you see on your Apple product at an Apple site, there’s no information. It has the feeling of phishing or malware.

1 Like

Do you have an idea if the rather old assessment from Andrey Belenko (https://speakerdeck.com/belenko/on-the-security-of-the-icloud-keychain) is still valid?

Hello, apologies for responding to an older thread but this is only one of about three hits I get when researching this issue. Which has me surprised there isn’t more uproar. I first encountered it today and I am a bit outraged.

Despite the “security” I just find it atrocious that my Phone wants my Computer password. I guess I’m fairly privacy minded and consider my local password to be very sensitive. It’s what controls access to my local machine and hard drive after all. That Apple is somehow using it for this purpose without my knowledge has me very upset.

  • Apple at least needs to make it clear that it is being used for this purpose. They are usually so good about using the Privacy Icon and “how your data is managed” links during the setup screens. It is not clear at all that your computer password is also going to be used to verify iCloud stuff.

  • There needs to be an opt-out. I’d much rather use a random passphrase to verify iCloud than my sensitive computer password. Or even like a random credit card number or something.

Despite the “security”, this seems more like a “backdoor” to me. For instance, I had used a much less secure login password on my wife’s computer… and now I see that it is a valid one for authenticating iCloud. If I have different logins on 3-4 computers, now any of them can be used to verify my iCloud? No thanks. Of course now that I know I can choose better passwords… but the problem still remains that I don’t want my computer password to be used in this way.

(Isn’t there an option to use your iCloud password as your computer password anyway? I specifically don’t do that because I don’t want my computer password “in the cloud”, even encrypted.)

Anyway, I’m pretty surprised there isn’t more chatter about this on the web. Seems like a very bad use of computer passwords and it’s downright freaky that my Phone wants to know my Computer password or vice versa.

Thanks for letting me vent. I called and sent feedback to Apple but I’m not confident it will even be read, much less acted on.

Oh, one other thing I picked up at another link. This also seems to be related to the T1/T2 chip. My Phone only gave me the option to enter the password on my new Mac Studio, and MacBook Pro. My older iMac wasn’t an option. So I think this is why I am just seeing this now. I have been using a 2014 iMac until fairly recently.

I confess that I was absolutely baffled about it the first time I saw it. It took a while to work through whether it was a good or bad idea.

This is the crux: it’s terribly explained and hasn’t gotten better.

There’s no good way to do that because of how Apple secures each device. So the “opt-out” is “don’t use iCloud Keychain.” Otherwise, Apple would be providing a way for a malicious party to potentially generate or obtain encryption information that could be used to join a sync set.

Not precisely—but this goes back to Apple’s bad explanation. The password doesn’t leave your device. Let’s say you’re on an iPhone and it prompts you to enter your iMac’s password. Apple uses the password hash on the iMac to secure the iCloud Keychain keys. Apple doesn’t know your iMac password. The password isn’t sent to your iPhone—it’s only used to encrypt the iCloud Keychain pairing information. On your iPhone, you enter the iMac password. That password is used to generate the hash to unlock the iCloud Keychain pairing keys. The password never leaves your iPhone and the hash is destroyed.

4 Likes

Presumably, it should be possible to use the password from any device in the sync-set, since each one’s password (or biometrics) is valid for generating these hashes.

Is that iMac using an iCloud Keychain? If it isn’t then it’s not in the sync-set.

If it is, then I have no explanation.

Thanks very much for the replies!

I admit to not fully understanding the technology, but it seems like an “iCloud Security Code” or just anything else could work. Apple is generating a hash or something with my computer password. I don’t see why it can’t use some other piece of info I enter on my device instead. I’d be happier with almost anything else than my computer password. Even my birthday or something. I feel confident enough with the 2FA by itself, and I guess I do appreciate the extra security for the end-to-end encrypted stuff. But just hate that it uses my computer login.

The Apple Representative did say I could turn off 2FA but of course that’s not a good alternative! 🙂

You can set an “iCloud Recovery Password” which I might try. But I’m pretty sure that’s just for if you forget your iCloud password and not for this purpose.

Apple could keep the simplicity if it defaulted to your device passcodes but allowed an alternative passphrase. But perhaps that’s just not possible as you say. /sigh

The old iMac was not using iCloud Keychain, but it did have “Home” as in Homekit turned on which is part of the end-to-end encrypted data according to here but maybe only Keychain counts:
https://support.apple.com/en-us/HT202303

I don’t think I have any of the other end-to-end things on, but often when setting up a new machine you have to turn stuff off manually, so maybe some of those things defaulted to on? Like I have never intentionally used iCloud Keychain but I think I have found it on from time to time when setting up new devices.

Regardless of what triggers it, it seems I have to live with Apple using my passwords in this way. I’m trying to decide if I should be paranoid enough to demote my computer user accounts using iCloud to non-admin status and set up a dedicated admin user. I suppose there are other security reasons to do that but I haven’t felt the need before…

Oh… if you refuse to enter any passwords, it gives you the option to reset end-to-end encrypted data. Presumably I’m not using any of it from iCloud anyway, so I could just reset it. But that doesn’t change the problem that I feel my computer passwords are now being used in a way I’m uncomfortable with.

Apple wants iCloud Keychain security tied deeply to device possession and a high level of permission. A code can be stolen; your password to another device, unlikely. They build this level of security based on what they see in hacking, so there is probably a really good reason they won’t disclose as to why they went to this level. You can simply opt to not use iCloud Keychain, is their philosophy; you could use 1Password, LastPass, etc., and rely on a different model for security.

Also, you can’t turn 2FA off—two weeks after it’s enabled on an Apple ID account, it can never be turned off. So that’s bad advice from an Apple rep.

3 Likes

Thanks again for your response. It does help me feel a little more comfortable with what’s going on.

I will say it seems to be more than just iCloud Keychain (which I have turned off) otherwise I would consider using a different PW manager. I think it must happen when you use anything that is end-to-end encrypted as listed in the apple support doc. Although I don’t even have much (or any) of that stuff turned on. (After signing into iCloud for the first time, Siri and Home always default to on which I have to turn off.) Not sure if you can turn off stuff like Maps and Wi-Fi passwords which is perhaps why it is triggering for me.

Can I clarify my understanding with a specific example? Let’s say I have a crazy random iCloud login password and several devices with crazy random passcodes as part of my account, but then I add a device with the passcode ‘1234’. Does this implementation mean that anyone (Apple, hacker, etc) who just gets Apple’s copy of my end-to-end encrypted data could decrypt it if they could guess the passcode ‘1234’?
My understanding is that the answer is no, because the ultimate end-to-end encryption key (private key) is also tied to the individual device itself, so that copy of the data would only be useful/decryptable on the actual device with the weak passcode ‘1234’. Is this right?

i.e. Fundamentally, the security of the server copy of my end-to-end encrypted data is not tied to the strength of the device passcode, even though when I enter my device passcode in this prompt it sorta feels like it is?

Yes, the passcode is entangled with the device’s UID. It’s worth reading the full Platform Security Guide if you’re interested; it’s very well done.

No, because “1234” is only the key to unlock the device. The actual decryption key is stored in the device’s Secure Enclave.

One of the key features of the Secure Enclave is that you can write keys into it, but you can never read them back. You use the keys by passing the ciphertext to the crypto chip (T2 or built into the A- and M-series SoCs), and the chip sends back the plaintext (if the correct key has been installed).

So, someone using your “1234” passcode could not use it to decrypt intercepted content. Nor could they use it to extract the necessary keys from your phone (if they got access to it).

They could, however, use that passcode to access your phone (again, assuming they got access to it) and use its apps to read the data and transfer it elsewhere (e-mail, AirDrop, etc.). They could also use this compromised phone to provide the 2FA authentication needed to authorize a new device for the data (assuming they also had your iCloud password).

In other words, an easily-guessed passcode does reduce security, but only in conjunction with other factors, like the bad guys getting possession of your phone and/or your iCloud password.

2 Likes
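The two mechanisms the replies above describe, as an added toy model that is not part of this thread and is not Apple's code or a description of Apple's actual implementation (the Platform Security Guide mentioned earlier is the authoritative source). Part one models the explanation that a key derived from the other device's password wraps the iCloud Keychain pairing secret, so the password itself never travels and the derived key is discarded after use. Part two models the Secure Enclave point: a device key entangled with a per-device UID that can be used but never read out, so a guessed passcode plus a leaked copy of the blob is useless without the device. Everything here is assumed for illustration: the HMAC-based wrap/unwrap construction, the PBKDF2 parameters, the class and function names, and the sample password.

```python
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 100_000  # assumed for the toy; Apple's real parameters are not on the page


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (toy building block, not AES)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a fresh nonce. Output layout: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes):
    """Return the plaintext, or None when the key is wrong (the tag does not verify)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def password_key(password: str, salt: bytes) -> bytes:
    """Key derived from a device login password. Only the salt and the wrapped blob travel;
    the password and the derived key stay on whichever device computes them."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS, 32)


class SecureEnclaveModel:
    """Toy Secure Enclave: holds a per-device UID that can be used in key derivation but
    never read out. Python cannot enforce that; the double underscore only signals intent."""

    def __init__(self):
        self.__uid = secrets.token_bytes(32)

    def entangled_key(self, passcode: str) -> bytes:
        # The passcode is mixed with the UID, so the same passcode yields a different key
        # anywhere other than inside this device.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.__uid, KDF_ITERATIONS, 32)

    def decrypt_on_device(self, passcode: str, blob: bytes):
        # Ciphertext goes in, plaintext (or None) comes out; the key never leaves the object.
        return unwrap(self.entangled_key(passcode), blob)


def approve_new_device_demo():
    """Part one: the iPhone asks for the iMac password to unlock the pairing secret."""
    sync_key = secrets.token_bytes(32)                 # iCloud Keychain pairing secret
    imac_password = "correct horse battery staple"     # constructed sample password
    salt = secrets.token_bytes(16)
    # On the iMac: wrap the pairing secret under the password-derived key. The blob and
    # the salt may be stored in iCloud; the password and the derived key are not.
    blob = wrap(password_key(imac_password, salt), sync_key)
    # On the iPhone: the user types the iMac password, the same key is derived locally,
    # the blob is unwrapped, and the derived key is dropped.
    recovered = unwrap(password_key(imac_password, salt), blob)
    wrong_guess = unwrap(password_key("1234", salt), blob)
    return recovered == sync_key, wrong_guess is None


def weak_passcode_demo():
    """Part two: a device with passcode '1234' and a leaked copy of its protected blob."""
    enclave = SecureEnclaveModel()
    secret = b"end-to-end encrypted keychain item"
    blob = wrap(enclave.entangled_key("1234"), secret)   # how the device protects it at rest
    # Attacker holds the blob and guesses the passcode but has no UID; the best they can do
    # offline is derive with a guessed UID, which does not verify.
    guessed_uid = secrets.token_bytes(32)
    offline = unwrap(hashlib.pbkdf2_hmac("sha256", b"1234", guessed_uid, KDF_ITERATIONS, 32), blob)
    # With the physical device and the passcode, the enclave performs the unwrap.
    on_device = enclave.decrypt_on_device("1234", blob)
    return offline is None, on_device == secret
```

Both demo functions return a pair of booleans that should read (True, True). The caveat a practitioner will notice in part one is the point this thread circles around: a key derived from nothing but a password is only as strong as that password, so if the wrapped blob ever leaked, a weak login like the "1234" example could be guessed offline against it. That is why part two matters: binding the key to a secret that never leaves the chip, or putting the wrapped material behind a rate-limited escrow service, is what keeps a weak passcode from becoming an offline attack on the server-side copy.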

Awesome thanks so much I understand much better now!