Wiley HodgesJul 12, 2023
Ricky Mondello

‼️🔑 macOS Sonoma brings Apple’s password manager to Google Chrome, Microsoft Edge, and other browsers using their extensions stores with the “iCloud Passwords” browser extension.

You can AutoFill passwords and one-time codes, save new passwords, and right-click QR codes to set up code generators.

If you’re running the macOS Sonoma public or developer beta, you can try it right now!

Chrome: https://chrome.google.com/webstore/detail/icloud-passwords/pejdijmoenmkgeppbflobdenhhabjlaj
Edge: Coming soon.

[*] I am not breaking news here; this is public information.

iCloud-Passwörter

Verwende mit „iCloud-Passwörter“ bei der Anmeldung auf Websites in Chrome Passwörter aus dem iCloud-Schlüsselbund.

Jul 12, 2023 at 6:49pmWeb
Show threadRicky MondelloJul 12, 2023

How this works: the existing “iCloud Passwords” browser extension that Apple ships for Chrome and Edge in conjunction with iCloud for Windows works out of the box on macOS Sonoma.

We don’t have support for Mozilla Firefox at this time, but it’s a request I understand.

Show threadshepJul 12, 2023
@rmondello excitement followed by disappointment (firefox user)
Show threadfumnanyaJul 13, 2023

@shep @rmondello i do remember being this (shady?) thing where someone took the chromium extension and repacked it for firefox…i’m pretty sure i installed it on my mum’s laptop

i’ll look for it later

Show threadDayton LowellJul 12, 2023

@rmondello This is great news Ricky. Thanks for your work on this!

I'd love it if the extension could make 3rd party browsers able to do the Messages/Mail 2FA code autofill magic that Safari can.

Show threadMarcJul 12, 2023
@rmondello i’ve tried the Windows plug-in in the past. For some reason it insists I have a fingerprint reader enabled on Windows, which my IT dept have disabled for *reasons* (compliance thing, apparently)
Show threadfumnanyaJul 13, 2023
@imarc @rmondello Windows Hello PIN isn’t enough?
Show threadMarcJul 13, 2023
@fumnanya @rmondello I think PIN is disabled as well. No idea why, I have the same data on my phone and they allow that to have a PIN. Something to do with being ISOXX compliant.
Show threadNicolas GrillyJul 14, 2023
@imarc @rmondello Interesting they disabled the fingerprint reader for compliance. I'd have thought of the opposite: enabling it for compliance.
Show threadFernando MeyerJul 12, 2023
@rmondello I knew this day would come, they are finally going after 1Password.
Show threadAlan BuxeyJul 12, 2023
@fmeyer @rmondello indeed. I wonder whether bodies like the EU will now look at this as an anti competitive play
Show threadalwillisJul 13, 2023
@alanbuxey @fmeyer I fail to see allowing 3rd party browsers to access passwords as easily as Safari can on macOS as anticompetitive. There are many password managers and this doesn’t affect any of them. If anything, it gives users more choices. Many of us don’t wish to use 3rd party apps for passwords unless there’s no other choice.
Show threadLeon CowleJul 12, 2023

@rmondello Passkeys. MFA codes. Password sharing. Chrome support. The Apple password team is knocking it out the park!

I think it’s time for me to review my use of a paid-for 3rd party password manager!

Show threadtaylor Jul 13, 2023
@leoncowle @rmondello imho, i still would use a third party password manager, ios has a 1 factor security model to unlock almost everything (not including physical possession )
Show threadNicolas GrillyJul 14, 2023
@tay @leoncowle @rmondello I think it is still two factors: something you have (your device), and something you are (your face or fingerprint) or you know (your passcode).
Show threadtaylor Jul 14, 2023

@ngrilly @leoncowle @rmondello I think my main problem is how much trust is put into the pincode on the device. With a pin code you can access: the phone and its data, all passkeys, saved paswords &2FA, change the Apple ID password & change 2FA.

Of course, users should keep their pin safe, but it's common for people to ask someone they know to read a text while they have their hands busy, or, you can look over someone's shoulder and read their 4/6 digit pin.

Show threadNicolas GrillyJul 14, 2023
@tay @leoncowle @rmondello I just tested again on my iPhone and my earlier comment was incorrect. I can't use the passcode to login with a passkey. I have to use FaceID. And I have to confirm the login using FaceID even if my phone is already unlocked. So there is no way someone using your phone can use that to connect to another site or app. That stuff has been really really well thought out.
Show threadLeon CowleJul 14, 2023

@ngrilly @tay @rmondello I believe you're both correct. It IS well thought through (very!), but at the same time, is secured by only your phone's pincode ultimately -- which, if compromised (shoulder surfed, e.g.) can be used to change your AppleID/icloud password and then your FaceID scan, etc. So let's call it a 1.5 Factor 😉

As for 3rd party MFA apps, ... <cont>…

Show threadLeon CowleJul 14, 2023

@ngrilly @tay @rmondello ... Third party 2FA apps on your phone might fare SLIGHTLY better, especially if, one would hope, they have the security of refusing to auth using FaceID if they detect FaceID has been changed, and then force-ask for your password instead -- which is hopefully different to your iCloud password and therefore won't be so easily compromised if your device pincode is compromised.

Security -- it's ALWAYS a tradeoff between 'secure' and 'convenient’.

Show threadNicolas GrillyJul 14, 2023
@leoncowle @tay @rmondello Yes, he's right! There is still the possibility to use a longer passode, and even an alphanumeric one. But as usual this is security vs convenience.
Show threadtaylor Jul 14, 2023
@ngrilly @leoncowle @rmondello Nope. If you cover your face id sensor and tap the icon to retry a few times it will eventually give you the option to use your pin code. In other apps it asks you to enter the password for that app
Show threadtaylor Jul 14, 2023
@ngrilly @leoncowle @rmondello Also, using the pin code to change the apple id password isn't a. "oh if you have it saved in the password manager", you can bypass needing the old password entirely
Show threadNicolas GrillyJul 14, 2023
@tay @leoncowle @rmondello I didn't know. I just tried and it did exactly as you described. Good to know. Thanks for sharing!
Show threadBruceJul 12, 2023

@rmondello « it's a request I understand »

Which makes it sound like Firefox is *not* on the roadmap at this time. :(

But thanks for the update! Looking forward to more in the future. :)

Show threadSaagar JhaJul 13, 2023
@bgeerdes @rmondello Not to put words in Ricky’s mouth but Apple engineers are well trained to make sure nothing they say sounds like a roadmap
Show threadKhaos TianJul 12, 2023
@rmondello This is awesome!
Show threadMattJul 13, 2023
@rmondello Bummer about firefox, that's the blocker for me going all-in on iCloud Keychain. You're probably not allowed to answer, but is there a specific technical blocker to implementing a firefox extension, or is there just not enough market-share demand relative to Chromium browsers?
Show threadChris ColemanJul 13, 2023
@rmondello wait, existing? How has nobody ever mentioned the existence of this before?
Show threadJonJul 13, 2023
@Chris @rmondello I don't think it works with MacOS before Sonoma - but works with Windows somewhat oddly.
Show threadChris ColemanJul 13, 2023
@scrwd @rmondello I had no idea. This is going to be great.
Show threadFrazell ThomasJul 13, 2023
@rmondello Hopefully they get Firefox support added soon!
Show threadAva Jul 13, 2023
@rmondello Firefox support is truly the only thing I’m missing to move to iCloud for all my password manager needs…
Show threadAllan Strømfeldt ChristensenJul 15, 2023
@rmondello Looking forward to Firefox support.
Show threadTJ ​ Jul 12, 2023
@rmondello right clicking the QR code to set up the TOTP is really slick
Show threadEshu MarneediJul 12, 2023
@rmondello THANK YOU RICKY
Show threadRicky MondelloJul 12, 2023
@EshuMarneedi YOU ARE SO WELCOME
Show threadRodrigo CastroJul 12, 2023
@rmondello Does it also include Passkeys? I've been saving most of mine in iCloud Keychain, but can't use them on Chrome (my main browser).
Show threadRicky MondelloJul 12, 2023
@rodrcastro macOS has an API for web browsers to integrate iCloud Keychain’s passkeys. I am aware that some web browsers are working on this, but I can’t name names. https://twitter.com/rmondello/status/1666839916846669824?s=61&t=FDKErVrua9YpyzKCu5yBNg
Ricky Mondello on Twitter

“🔑🧵 iOS 17, macOS Sonoma, and passkeys (1/n) Password manager apps can now save and sign in with passkeys across the entire OS — all apps and websites — by integrating with the AuthenticationServices framework's updated Credential Provider Extensions! https://t.co/gzvltZSlr5”

Twitter
Show threadRodrigo CastroJul 12, 2023
@rmondello Very much looking forward to this! Thanks Ricky
Show threadErnesto Acosta 🗯️Jul 12, 2023
@rmondello finally!!
Show threadValentine BrieseJul 12, 2023
@rmondello WHAT- this is breaking news to me lol- I’ve been waiting for this, this means I can now use Arc without parting with Safari’s fantastic keychain integration!
Show threadmatt Jul 12, 2023
@rmondello ooooooooooooooooooooooooooh
Show threadMigrated to tenforward.socialJul 12, 2023
@rmondello and 1Password users have been able to do this for a long time. @film_girl
Show threadRicky MondelloJul 12, 2023
@jacobrealo @film_girl That’s absolutely 100% true! Thank you for pointing this out. :P
Show threadChristina WarrenJul 12, 2023
@rmondello @jacobrealo it’s true! But this makes it even easier for those of us who use both either b/c they have different use cases or b/c the built-in nature makes iCloud Passwords sometimes a win!
Show threadSam GrossJul 13, 2023

@film_girl @rmondello @jacobrealo I am very excited to use iCloud password sharing with my partner, 1Password with the family and work, and have it all work.

(1Password, please adopt the system password provider APIs)

Show threadZab RiveraJul 12, 2023
@rmondello ive been thinking about going with the built in solution and this makes it easier - ill try it!
Show threadZab RiveraJul 12, 2023
@rmondello I can’t tell you how many times ive been just wanting people who are close to me to just use a pw manager
Show threadandrewJul 12, 2023
@rmondello well now I HAVE to install the beta on my work laptop (thank you!!)
Show threadtheOmegabitJul 12, 2023
@rmondello still just passwords, yeah? That is, it doesn't support any other type of secret or sensitive info?
Show threadMiguel de Icaza ᯅ🍉Jul 12, 2023
@rmondello this is magnificent- while I remain a Safari-based life form, this is a gift to our less fortunate peers.
Show threadAlex RosenbergJul 12, 2023
@rmondello I _love_ how you have to qualify what is and isn’t public info so NPS doesn’t move to dismiss you before learning it’s public info. #toxicculture
Show threadDavid LynchJul 12, 2023
@rmondello Nice, this is genuinely one of the biggest things that has been stopping me from considering using keychain.
Show threadNick FosterJul 12, 2023
@rmondello @jimmylittle I believe you were talking about this awhile ago? I could be mixing you up with someone else
Show threadbitomuleJul 12, 2023
@rmondello does it work with touch id or just always unlocked?
Show threadMieszko ŚlusarczykJul 12, 2023
@rmondello Finally! Any word on when Edge gets it though?
Show threadkepsteinJul 12, 2023
@rmondello this is a nice, especially for those who have to use Windows and / or their Mac. I really wish though that iCloud Passwords was an entirely separate app, not just a browser extension. I have so many use cases where I was access to my passwords that are not related to a browser. 1Password continues to be the hands-down winner because they basically work everywhere. If iCloud Passwords had its own app it would go a long way to brining me over.
Show threadTyler LochJul 13, 2023
@rmondello I assume that, since the extension relies on a native helper process(?) on macOS/Windows, the extension is not compatible with ChromeOS (Chromebooks etc)?
Show threadPabloJul 13, 2023
@rmondello Common Ricky W