iCloud’s new Keychain service remembers more than it can manage


Along with all of the OS X Mavericks 10.9 and iOS 7.0.3 updates that came out earlier this week, iCloud Keychain support was also introduced. Prior to iCloud Keychain, each Apple device would individually give you the opportunity to remember your various accounts’ user names and passwords. This new iCloud service will allow you to sync all of your user names and passwords across all of your approved iOS and OS X devices. That way when you update or add a new user name and password to one of your devices, all the rest of your devices get the same update.

Here’s how it works

Setting up iCloud Keychain on your device

To start the setup process, you need to turn on the Keychain Service for the iCloud account you use on each device. On iOS this is done from the iCloud section of the Settings app and on OS X this is done from the iCloud section of the System Preferences app. The setup process then requires that each of your devices do a sort of handshake with one another. Each new device you set up needs to be “approved” by one of the other devices that is already sharing access to your Keychain.

iCloud Keychain Approval Process

There are two ways to approve a new device. The first is to send an approval notification request to one of your other devices. Once you receive the notification on the second device, you can approve the new device that sent the request by entering your iCloud account password.

The alternative is to use your iCloud Security Code to approve your new device directly. You will establish your iCloud Security Code the first time you enable iCloud Keychain on the very first device that uses iCloud Keychain. It is basically a four-digit PIN that is used to approve new devices. Be careful when using this security code: enter the wrong code too many times and your Keychain will be deleted.

Adding a new user name and password

The process is pretty much the same on both iOS and OS X when using Safari to access a secure site online. Each new secure web site you log on to will prompt you to remember the ID and password for that site. You can elect to remember the user name and password for that site, never remember, or ask at a later time. As soon as your user name and password are set, they are shared with all of the other devices that have been approved to share your iCloud Keychain.

Keychain Password Suggestion

When you create an account on a web site for the first time, you will be given a chance to have Keychain recommend a strong password for you to use. This will certainly help out individuals that up until now have been using simple, easy-to-remember passwords. While this does tend to lead to a set-it-once-and-forget-it mentality, you can still access the list of user names and passwords that have already been saved.

Accessing existing user names and passwords

On iOS, you can access the web-based user names and passwords used by Safari from within the Settings app. Under the Passwords & AutoFill section of the Safari settings, you will now see a Saved Passwords item. This is where you can review the list of user names and passwords that have been saved to your Keychain. Selecting any one of the accounts will reveal the Website Address, User Name and Password for the account. You can even tap and hold to copy any of the stored information to the clipboard. This is the only way you can access your saved passwords for use in third-party apps that do not already support the Keychain API, for instance, if you want to use your LinkedIn password in the native iOS LinkedIn app.

Accessing Keychain Password Information

On OS X you can also access the same account information from the Passwords tab in Safari’s Preferences. In addition to Safari, you can also review all of the accounts stored in your iCloud Keychain by using the Keychain utility app on OS X.

Not the most user-friendly of OS X apps, the Keychain utility has been around for a long time. With it you can search, import, export and even delete accounts from your Keychain. The thing to keep in mind is that it was originally designed for Keychain maintenance, not user account password management.

More than just user names and passwords

In addition to user names and passwords, Keychain will also remember and sync your credit card information to all of your devices. As a sort of alternative to what one may expect from the Passbook app, you can enter your credit card information for use by Safari when making purchases online.

Keychain Credit Card Information

Another interesting feature of the new iCloud Keychain is that it will also remember your Wi-Fi access point security information. This helps keep you connected to your Wi-Fi access points from all of your devices by eliminating the need to re-enter the same access point information over and over again.

More than just websites too

The list of user names and passwords is not restricted to just websites accessed by Safari. Developers can integrate iCloud Keychain support into their apps, which will allow your device to store and share all of your apps’ user names and passwords. Until such support is more widely adopted, using your iCloud Keychain to manage the user names and passwords for your native apps will be a cumbersome experience. Having to navigate down several levels deep into the Settings app is quite a task. And there is currently no way on iOS to enter new user names and passwords directly.

Lack of management and customization is a feature

The other feature that iCloud Keychain lacks when compared to traditional password managers is the ability to customize your account information by entering additional fields. You will also not find any way of categorizing or tagging your accounts to help find them faster. The whole idea is that you should not need to know that you have a user name and password in the first place.

So before I abandon a fully featured password management app like mSevenSoftware’s mSecure or AgileBits’ 1Password, iCloud Keychain will need to create its own app for proper management of my secure information. I like to also keep track of combination locks, bank accounts, and other information that is not necessarily used to log into an online service. iCloud Keychain is not suited for such a task.

However, as this service begins to catch on and is adopted by more and more apps, I may stop managing my online login credentials in my favorite password management app, for that is the one thing that iCloud Keychain does very well indeed.

Featured image courtesy Shutterstock user alexmillos.

13 Responses to “iCloud’s new Keychain service remembers more than it can manage”

  1. Steven Fox

    Thanks for the useful article. I’ve set up iCloud Keychain on both my Macbook and iPhone and am mostly happy with it, but I’m concerned about what happens if I lose my phone. If by chance somebody has my phone password or it was unlocked at the time it was lost or stolen, how do I remotely remove my phone’s access to the keychain? I know that I can completely erase the phone’s contents using Find My iPhone, is that the only solution?

    • I believe you are correct. The only way I can seem to find is by remotely wiping the device the way you describe. There does not seem to be a way to remove a device from iCloud Keychain when you are ‘away’ from the device.

      If you think about it though, the keychain data is actually synced to the device. So simply removing the account from iCloud Keychain (on the cloud side of the equation) would not erase the user names and passwords on the device. A remote wipe is the best course of action to take anyway. That and going through the process of changing every single password for every single service you have.

      Keep in mind that this is not a different situation than what existed before. Prior to iCloud Keychain, each device would still ‘remember’ your usernames and passwords separately. What has changed is that now all of the data is synced across all of your devices.

  2. Good point. But I on my own have several gmail accounts (personal, shopping/spam catching, business) and accounts at my bank (mine, ours, business).

    It is a nice benefit of 1password to allow one to choose among several logins.

  3. The other disappointment is it doesn’t seem to allow more than 1 username and password per URL. We have different accounts and passwords for each family member’s account at our banks.

        • Jeremy Wollard

          I agree. The AT&T site immediately comes to mind where I have three separate accounts (2 phones and tv). 1password allows the flexibility to choose from a number of credentials. It would be nice to see this in keychain as well in the future.

    • Because it does not really manage usernames and passwords, it only remembers them, manually overriding a username and password combination for a given site makes Keychain think that you want to forget the existing username and password and remember a new one, not manage an additional one.

      This does suit my needs for the majority of websites that I need to access online.

    • Koen Lageveen

      It does actually support this. I have 4 google accounts and when I sign in it lets me choose from a list of all those options. Sign out, sign in with a different account, and it will add that account for that website so you can choose it later on. It is super transparent and easy to use. You can also manually add any number of accounts through the keychain access app. Seriously, have another try, it’s right there.

  4. I wish Apple would integrate iCloud Keychain to their iCloud control panel for Windows. While I use iOS mobile devices and have an OS X machine at home, I have to use a Windows machine at work. Until they do that, I (and I am assuming a lot more people) will have to rely on cross-platform applications and services like AgileBits’ 1Password.