Ricky MondelloJul 12, 2023

‼️🔑 macOS Sonoma brings Apple’s password manager to Google Chrome, Microsoft Edge, and other browsers using their extensions stores with the “iCloud Passwords” browser extension.

You can AutoFill passwords and one-time codes, save new passwords, and right-click QR codes to set up code generators.

If you’re running the macOS Sonoma public or developer beta, you can try it right now!

Chrome: https://chrome.google.com/webstore/detail/icloud-passwords/pejdijmoenmkgeppbflobdenhhabjlaj
Edge: Coming soon.

[*] I am not breaking news here; this is public information.

iCloud-Passwörter

Verwende mit „iCloud-Passwörter“ bei der Anmeldung auf Websites in Chrome Passwörter aus dem iCloud-Schlüsselbund.

Show threadRicky MondelloJul 12, 2023

How this works: the existing “iCloud Passwords” browser extension that Apple ships for Chrome and Edge in conjunction with iCloud for Windows works out of the box on macOS Sonoma.

We don’t have support for Mozilla Firefox at this time, but it’s a request I understand.

Show threadLeon CowleJul 12, 2023

@rmondello Passkeys. MFA codes. Password sharing. Chrome support. The Apple password team is knocking it out the park!

I think it’s time for me to review my use of a paid-for 3rd party password manager!

Show threadtaylor 
@leoncowle @rmondello imho, i still would use a third party password manager, ios has a 1 factor security model to unlock almost everything (not including physical possession )
Jul 13, 2023 at 7:30amWeb
Show threadNicolas GrillyJul 14, 2023
@tay @leoncowle @rmondello I think it is still two factors: something you have (your device), and something you are (your face or fingerprint) or you know (your passcode).
Show threadtaylor Jul 14, 2023

@ngrilly @leoncowle @rmondello I think my main problem is how much trust is put into the pincode on the device. With a pin code you can access: the phone and its data, all passkeys, saved paswords &2FA, change the Apple ID password & change 2FA.

Of course, users should keep their pin safe, but it's common for people to ask someone they know to read a text while they have their hands busy, or, you can look over someone's shoulder and read their 4/6 digit pin.

Show threadNicolas GrillyJul 14, 2023
@tay @leoncowle @rmondello I just tested again on my iPhone and my earlier comment was incorrect. I can't use the passcode to login with a passkey. I have to use FaceID. And I have to confirm the login using FaceID even if my phone is already unlocked. So there is no way someone using your phone can use that to connect to another site or app. That stuff has been really really well thought out.
Show threadLeon CowleJul 14, 2023

@ngrilly @tay @rmondello I believe you're both correct. It IS well thought through (very!), but at the same time, is secured by only your phone's pincode ultimately -- which, if compromised (shoulder surfed, e.g.) can be used to change your AppleID/icloud password and then your FaceID scan, etc. So let's call it a 1.5 Factor 😉

As for 3rd party MFA apps, ... <cont>…

Show threadLeon CowleJul 14, 2023

@ngrilly @tay @rmondello ... Third party 2FA apps on your phone might fare SLIGHTLY better, especially if, one would hope, they have the security of refusing to auth using FaceID if they detect FaceID has been changed, and then force-ask for your password instead -- which is hopefully different to your iCloud password and therefore won't be so easily compromised if your device pincode is compromised.

Security -- it's ALWAYS a tradeoff between 'secure' and 'convenient’.

Show threadNicolas GrillyJul 14, 2023
@leoncowle @tay @rmondello Yes, he's right! There is still the possibility to use a longer passode, and even an alphanumeric one. But as usual this is security vs convenience.
Show threadtaylor Jul 14, 2023
@ngrilly @leoncowle @rmondello Nope. If you cover your face id sensor and tap the icon to retry a few times it will eventually give you the option to use your pin code. In other apps it asks you to enter the password for that app
Show threadtaylor Jul 14, 2023
@ngrilly @leoncowle @rmondello Also, using the pin code to change the apple id password isn't a. "oh if you have it saved in the password manager", you can bypass needing the old password entirely
Show threadNicolas GrillyJul 14, 2023
@tay @leoncowle @rmondello I didn't know. I just tried and it did exactly as you described. Good to know. Thanks for sharing!