The Passwords app. In the keynote, Apple spent only a few words on that new system application that is currently being rolled out across billions of Apple devices worldwide via the new OSes. But it’s – in my opinion – the most useful and productive new feature that there is in the update.
It says exactly what it does on the tin: It’s a new password manager for the Apple ecosystem. And it is not even an actual new piece of software: The Passwords app is essentially just a graphical layer on top of the existing password manager for Macs that has been introduced by Apple in 1997 (!): Keychain. However, the Passwords app completely redefines how users can interact with their stored passwords in ways that will render any excuse not to use two-factor-authentication on Apple devices null and void in my opinion.
It is Atrocious that Apple has not Already Introduced Passwords
Let’s talk about the elephant in the room first: It is an absolute atrocity that Apple hasn’t had this app years ago. Authentication is a delicate matter because if you get it wrong, people’s accounts can quickly get hijacked. But it is not rocket science. Every programming language has some library that defines some methods that allow you to do something something crypto (graphic, not bros). So the necessary technology has been on Apple devices for decades. Yet, Apple decided we don’t need such an app it until now.
Of course, one factor is that Apple already had a proper password manager built-in that worked with Apple-owned software – but nobody else’s. I would argue that it’s a pretty bad premise for security to hope that users want to use your password manager, and so they’ll use your browser instead of another one. Because users won’t care. They want to use Firefox? They’ll use it. They need a password manager with it? They’re going to download some third-party one.
The other factor, I think, may be that Apple did have a password manager for almost three decades at this point: Keychain. So from a perspective of the people who built the software, the requirement was already fulfilled. What they probably didn’t think of is: people who aren’t familiar with how Keychain is used probably didn’t use it properly. And so Apple unwillingly participated in the continuation of users either using “password123” for their Facebook account or having every password leaked by LastPass in 2022. This is not good looks for a company that often paints itself in a cloak of privacy-awareness.
This is even more atrocious because one of the most common security features for accounts nowadays is two-factor-authentication (2FA) using TOTP that requires an external app to generate single-use codes for login. Why is this atrocious? Well, on Android Google had its own Authenticator since 2010. That was fourteen years ago. But on iOS, the tight App Store regulation meant that there are maybe one or two usable TOTP authenticators available. Because developers need to bother going through that tedious review process. And even then, bad things can happen; such as with Raivo – the TOTP app that I have been using for years before it fully deleted all my TOTP tokens earlier this year, essentially locking me out of all of my accounts.
In short, Android phone users had a pretty good time using 2FA for the past decade, while on iOS this was not the case. With Passwords, all this changes.
Authentication on the Internet and KeyChain
Let’s first go back a bit in history to understand why I believe this to be such a game changer.
Apple realized early on that users probably don’t want to memorize all of their login credentials, and so they introduced Keychain. In a nutshell, Keychain is a piece of software that can store and manage a wide variety of credentials securely by storing them in encrypted files on your Apple device. Its use-cases go far beyond simple online accounts. Keychain can manage TLS certificates (those that make a website connection secure), code certificates, GPG keys, and whatever else you can imagine authentication-wise.
However, Keychain is pretty user-unfriendly. If you have never opened it, the app to use is called Keychain Access, so feel free to take a look. It saves WiFi-credentials, app accounts, certificates, tokens, and various other things. If you ever need to look up a password in there, you’re going to have a bad time.
But that was rarely a problem as Apple has deeply integrated Keychain with its own software. If you usually use Safari on your Mac, it will prompt you to save your login details, or fill in the login form for you. On iPhone and iPad, this even works across applications, as it is part of the virtual keyboard software. So typically you are using Keychain without even realizing it.
However, there are many situations in which Keychain can break down. Imagine you have had to reset your password outside the Apple ecosystem – how do you change it? Well, by removing in from Keychain and re-adding it. And can you use it for 2FA with TOTP? No. There is a key involved, and you can definitely store that in Keychain, but the TOTP algorithm requires using this key to calculate some one-time code. And while Keychain can provide you with that key, it can’t calculate codes for you.
The Passwords App: A New Way of Interacting With Keychain
This is where the new Passwords App comes in. It still uses the Keychain technology under the hood, but it provides you with a much better interface. First, it doesn’t show you any of the stored TLS certificates, no GPG tokens or anything else that you usually don’t use.
Instead, it offers you a very simple interface on top of your existing Keychain that shows you your passkeys, TOTP codes, and WiFi-credentials separately. It also calculates TOTP codes so that you can enter those when needed. And of course the existing easy integration with Apple’s own software still works as before.
I think the Passwords app has made password management better for everyone. On the one hand, now you can use any type of authentication method independently of whether Apple’s auto-detection of password fields actually works. This includes using a third-party browser, such as Firefox.
On the other hand, now you have a free password manager that works exactly like the ones you may already be using – such as BitWarden or 1Password – but without using any third-party software. I always want to be in control of my passwords, and the only way of doing that would’ve been to set up a BitWarden server, which I never bothered to. While Keychain is still proprietary, I do trust Apple more than smaller companies at ensuring that I will get to my data no matter what – especially in light of what happened to LastPass.
In short, the Passwords app is a really low-threshold entry of finally starting to use a password manager. It combines all login functionality in a very handy interface that is still secure, because everything is locked with your biometrics.
The Passwords app really shows how with a very simple app (I believe a seasoned Apple developer could hack something like this together in maybe two weeks; with robust testing half a year) you can greatly improve user security, simply by providing a proper and well-thought-out user interface.
I, for one, have actually started using the Passwords app, migrated all my TOTP tokens to there, and plan on using that one for storing my passwords. And if you haven’t been using a password manager until now, but you own any Apple device, I ask you: What will it take to use a password manager?
Final Thoughts
Aside from the fact that Apple should’ve done this years ago, I believe the Passwords app is one of the game changer features of the new Apple Operating Systems. It finally makes passwords easy across the entire ecosystem and helps us to get rid of potentially shady authenticator apps that may even ask us to pay money to use it.
Online security won’t get any easier, so I take whatever I can to make the management of that simpler. And a functional, basic TOTP app is such a thing.
