Apple's iOS 14 May Turn iCloud Keychain Into a True 1Password and LastPass Competitor (theverge.com)
Apple's native iOS password manager may be getting an overhaul later this year with the presumed release of iOS 14 that will make it more competitive with third-party options like 1Password and LastPass, reports 9to5Mac. From a report: Right now, iCloud Keychain can store your passwords and help autofill them on the iPhone, where copying and pasting long strings of letters and numbers or manually doing so has been a headache since the advent of the mobile touchscreen. But it doesn't have reminders for changing those passwords like competitors do, and it doesn't support two-factor authentication (2FA) options. That means users are still stuck using potentially insecure methods like SMS or email in the event that they do have 2FA set up.
It does do reminders (Score:2)
I use iCloud Keychain, and at times when using it on the web I see complaints from it when it thinks a password is too insecure.
Maybe that feature is not on iOS yet, though I thought I saw it there.
Re:It does do reminders (Score:4, Informative)
1. Some websites find the passwords incompatible. Either Apple is too complex, or not complex enough. That really sucks. I have to make up a random password.
2. Password fields these days occur on pages after the user enters their login information. So it doesn't capture the username (damn you, Microsoft!). Some pages fix this now where it allows you to choose the username in the password dropdown. (Citibank credit cards still broken)
3. Integration with the ssh command in terminal would be a god-send.
4. Updating and saving the password in one application (like updating a password on the web) should automatically sync with other apps that consume the password. (tokenization of credentials for Apps would solve this)
5. Keychain should log every time a password was accessed, so you can see passwords that are stale or no longer relevant.
6. 2-factor keychain entry on iPhone works well. On Mac, they just ignore it IF there is no Touch-ID (Mac Pro). Works just fine on MacBook Pro.
7. iPhone keychain only shows app passwords. Doesn't show Wifi Passwords (why?)
Overall, I think one of the most important requirements here would be a more consistent implementation from software developers. I do wish Apple would automatically make passwords keychain-compatible during the app-review process. It's annoying how some apps work flawlessly with Keychain and discover relevant passwords based on URLs, and others just don't integrate at all. This seems to be when developers make their own custom password field HTML objects rather than using input type=password tags.
Re: (Score:1)
These are all great points, one thing I'll add is that I use a few websites that simply don't seem to register with the password manager (or at least iCloud Keychain), so each time I have to press "login" with empty fields to be taken to a page with password/username entry fields that Keychain is able to autofill!
Outside the walled garden too? (Score:2, Insightful)
I use lastpass on my linux and windows machines. How is this competitive if I can't use apple's code on them as a universal pw store? Or does this somehow involve Swift+blobs since it's cross platform?
Re:Outside the walled garden too? (Score:5, Informative)
Exactly.
It's not a competitor to LastPass and 1password unless it runs on Android and Windows. I want my password manager to run on all my things, not some subset of all my things which would make password management even more of a hassle.
Re: (Score:1)
You have non-Apple products? Heretic!
Re: (Score:3)
Don't be too harsh. Remember that people who don't use Apple products are also homeless.
Reminders... (Score:2)
Re: (Score:2)
So... don't use it? You know you can disable keychain, right?
Chrome (Score:5, Interesting)
Make it available to Chrome and Firefox and make it easier to bring up the generate password feature.
Re: (Score:1)
This. If it's cross platform, then it's useful. If it's Apple only, it isn't. I do have an iPad mini, but I don't have any other apple hardware, nor do I plan to. It's all Linux, Android, and a Windows gaming computer + consoles for me.
I'm a former 1Password fan (Score:2)
When 1Password went monthly subscription, I found that Apple Keychain had improved over the years to the point of being just as good as the version of 1Password I had, so I switched to using Keychain and Safari Autofill as an alternative. Works just fine, and synchs to all my devices. It does not have its own two-factor, but when you do sign up for a two-factor site, macOS recognizes the text as a logon and sets up a one-click fill for you. No more having to copy over the two-factor code from your phone.
Re: (Score:2)
Not sure how he managed to do that. I've copied the Keychain data files to different machines and they've worked fine. I never used the iCloud synchronisation though, and I last used it with 10.6, so they could have screwed it up since then.
Not cross platform so no way a competitor (Score:5, Insightful)
Re: (Score:1)
This is a feature not a bug.
I wouldn't trust LastPass or any other program or trust any other OS to have access to my keychain.
Re: (Score:2)
Exactly. Besides which, 1Password and others haven't sat on their laurels. At this point, even if Keychain went cross-platform it'd need to add family account management before I'd ever consider it.
My wife and I have our own vaults for personal accounts, plus a shared vault where our joint accounts are kept for things like utilities, Netflix, etc. I also have elderly parents, and 1Password has been a lifesaver on more than one occasion. As the account admin, I've been able to pull up their vaults to provid
Re: (Score:2)
Apple wants their users to use all their Apple products and services. :(
On Android and Windows too? (Score:3)
Reminders? Meh (Score:2)
And people can set their own reminders, whereas people can not make an application they don't control suddenly support 2-factor authentication. So imo the latter is more important than the former. I wou
Password managers (Score:2)
Scare the bejesus out of me.
Weren't we taught long ago to NOT put all our eggs in one basket?
Humans are lazy.........
Not quite... (Score:2)
It won't replace 1password until
1. Multiplatform
2. Multi-identity: I have work/personal Apple IDs and need to access both sets of passwords.
3. Peer to peer/Offline storage: Storing all the passwords in a single online seems like a terrible security risk.
4. Have any concept of history: Mistakes/errors happen, history is important.
Password Management Options (Score:3)
Between Apple, Google, and Microsoft, I'd wager that Apple is the least-likely of the bunch to be incompetent or malicious with password storage. Given that too many people I know keep their passwords on their iPhones in clear text in their Notes, I'd consider a Keychain app a step up.
That being said, here are a few password managers worth taking a look at:
Team Password Manager [teampasswordmanager.com]. Not free and not open source, but cheap and self-hosted. The developer is responsive and releases updates regularly. While admittedly it is limited to only having a Chrome extension and Android app beyond the webUI (i.e. no Firefox or iOS options), it does have both of those. 2FA is limited to Google Authenticator, which is a pain on mobile devices, but an option.
Teampass [teampass.net]. Free and legit Open Source, but it loses past that. The WebUI isn't exactly usable on mobile devices, but it easily has the most granular per-user permissions of the lot. There's an iOS app for it, but it requires an API to be added to the server side, installed separately, and I personally wasn't too successful when I tried. The only browser extension is for Firefox, requires the API, and is written by a third party (though hosted on GitHub). Still, if desktop-only access is okay, then it's one of the fastest and lightest weight in that context. As an added bonus, it supports both Google Authenticator and Duo for 2FA, and is one of the few that do.
Bitwarden [bitwarden.com]. As far as feature completeness goes in the self-hosted password manager department, Bitwarden is without equal. Android and iOS apps, extensions for all the major browsers (including Opera and Edge?!), a CLI interface if you prefer, 2FA through Duo (if you want to pony up) and Google Authenticator (if you don't)...and plenty of other features one would want - an impressive lot for a free offering. That said, I personally found the UI to be pretty, but difficult to get it to do exactly what I wanted.
Nextcloud [nextcloud.com]. I use this program to keep data on my phone synced back to my server at home; it's got a plugin for everything from photos to contacts to browser bookmarks to SMS...and one for password management. It's definitely not a do-one-thing-and-do-it-well option, and it is missing a lot of functionality of pure password managers, but as one more extension to an ecosystem and in comparison to Keychain, it's definitely an option.
And, for those who don't want to do the client/server thing, KeePass and its cross-platform cousin KeePassXC are fantastic local applications.
The options are extensive from there; Passbolt, Psono, and Syspass all get honorable mentions, with a list a mile long [alternativeto.net] of other options that span the gamut from FLOSS to commercial, file-based to cloud-based, sharing to personal.
Apple extending the functionality of Keychain is good in that, if users stop using their 'notes' as a password manager, it's a step up. However, it's far from a requirement.