> The problem with iCloud keychain for me is that I don't only use Apple devices
If I ever need to sign into something on a non-Apple OS, I look up the desired iCloud KeyChain-stored password on my iPhone, then manually retype it on the other device.
> Is there a management interface for saved passwords or is it just the plain old Keychain Access utility?
> All this "iCloud Keychain" hype looks like just a sync functionality on top of current implementation.
There's Keychain Access and a preference pane in Safari for web passwords. It is exactly a sync feature added to the keychain implementation that exists in Mountain Lion and earlier.
> I've never explicitly installed Keychain on my iPhone and yet it shows as an option next to 1Password every time I fill in a password field
It is worth noting that KeyChain was introduced in Mac OS 8.6 in 1999, and has been part of every version of macOS since then, as well as every version of iOS ever. It's basically the user credential subsystem for Apple operating systems.
As I understand it, 1Password came out in 2006.
When I looked at it last, it seemed that 1Password didn't interoperate well with KeyChain and also required a subscription - decisions which I found unappealing.
> Even though Apple (and likely a couple more) will provide their proprietary passwordless system with cloud sync, a lot of people don't want to rely on an iCloud account to be your backup in case you lose your phone.
This is the big one for me. The user story for logging in to a site on Windows with an iOS passkey is to scan a QR code with your phone, which sounds obnoxious.
I'd rather just have 1Password be the private key repository and those keys will sync to Mac/Windows/Phones through it instead of them being locked into iCloud Keychain, and it can handle logins just like normal.
> They are solving the password problem well, but only if you seek out the tool and understand the need for the tool
How about Apple's Keychain? iOS and Mac users get suggested auto-generated passwords that are then automatically saved and synced across devices with no extra installs or options.
> To clarify, if my user set up passkey on their iPhone and that's the only method of authentication for my website, they just wouldn't be able to sign in if they lost that iPhone?
That used to be the case. Since iOS 16 they are also synced via the iCloud Keychain: "Passkeys on iPhone require that you use iCloud Keychain. If you don’t have iCloud Keychain turned on when you try to save a passkey, you’ll be asked to turn it on. Passkeys also require that two-factor authentication is enabled for your Apple ID."
> I've been looking at 1Password but I was turned off by their lack of meaningful 2FA support (Yubikey), and their exposure of data if used in any sort of convenient fashion (I would like access from my phone, which is part of the reason I want Yubikey support).
What exactly are you referring to by that? The 1Password keychain is encrypted using PBKDF2 with a large number of iterations so they're rather resistant to offline attacks, particularly since I'd assume all of your devices have FDE enabled. If you're too paranoid to trust iCloud/Dropbox for the actual file exchange there's also a local WiFi sync option.
I use iCloud Keychain for passwords. It's a trade-off between security and convenience.
Passwords aren't as critical in my opinion, because I can always change them. Sure, it would suck if someone broke into my hosting account or my bank account, but I could probably fix it somehow. I was more thinking about secrets that I don't want people to find out, because there is no way to make people forget something they learned about me that I wanted to hide.
>> Apple has described Passkey as a new kind of credential in the iCloud keychain. The technology is based on the Web Authentication API (WebAuthn), a rapidly emerging standard that uses public key cryptography instead of passwords for authenticating users to websites and applications.
Whatever "based on webauthn" means... Let's hope it's not just a buggy implementation of WebAuthn as they did with OpenID Connect.
It's kind of funny: I find myself to be on the critical side when it comes to Apple, especially on HN, but when it comes to iCloud Keychain I use it pretty unquestioningly. Probably because I don't trust 1Password or other password managers to be any better, and it's a feature that's baked into the OS so adoption is frictionless.
I use a password manager but, as a mostly-Apple user, I see very little reason not to just use iCloud Keychain: the UX of Apple’s solution is significantly better than all the alternatives because I don’t have to remember yet another password/mfa token to type in every once in a while.
> Passkeys on iPhone require that you use iCloud Keychain. If you don’t have iCloud Keychain turned on when you try to save a passkey, you’ll be asked to turn it on. Passkeys also require that two-factor authentication is enabled for your Apple ID.
Nope, sorry. Enshittification makes this entire concept, as-presented, a non-starter.
I use iCloud Keychain because Apple is not in the business of making money off a password manager. They charge me more via their hardware sales scheme but at the end of the day it’s a good experience overall.
If I ever need to sign into something on a non-Apple OS, I look up the desired iCloud KeyChain-stored password on my iPhone, then manually retype it on the other device.
I feel that gives me extra security.