Essential Guide

Formulating and managing online identity and access control

A comprehensive collection of articles, videos and more, hand-picked by our editors
Q

Introduction to iCloud Keychain: Security for password synchronization

ICloud Keychain can supposedly sync passwords across devices without using iCloud. But is it secure? Security expert Michele Chubirka explains.

The iCloud Keychain supposedly syncs passwords across devices but does so without storing the password in the cloud. How does this work, and what are the security implications?

Ask the Expert

Got a vexing problem for Michele Chubirka or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)

Apple Inc., a leader in usability, has gone one step further with its desktop security by integrating an updated version of its password manager in the latest revision of OS X Mavericks. The iCloud Keychain attempts to synchronize accounts across all of a user's devices. It seems like a great idea: a password manager built into the OS that eliminates the difficulty of managing a third-party application and its data. For the truly paranoid, there's also an option of keeping Keychain data locally, while still updating across devices. But is this too good to be true?

By default, iCloud Keychain, which stores usernames, passwords and credit card numbers, keeps its data in the cloud. This information is secured by the user's iCloud password and an individual security code, which can be a four-digit PIN or a complex passcode. When a new device needs to be authorized to access the Keychain, the second authentication method is required or approval must be given from another authorized device.

According to Apple's documentation, it's also possible to set up the iCloud Keychain to only store account information locally on authorized devices. Supposedly, by avoiding the creation of a security code, the Keychain data won't be synchronized to iCloud, but it also can't be used for recovery.

However, this claim seems inaccurate. It appears that passwords still synchronize across devices, even when an Internet connection is immediately turned off after adding a login to the local keychain. This implies that account data is still going to the cloud, but this shouldn't really be shocking to anyone. Synchronized password management isn't magic. What Apple hasn't made clear is whether the account data is only stored temporarily to facilitate synchronization without permanent storage or if the documentation is blatantly incorrect.

What does this mean for a user's privacy and iCloud Keychain security? According to viaForensics researcher Andrey Belenko, when using iCloud Keychain with a security code, Apple acts as an escrow proxy, which means it gives out passwords to authenticated devices. The iCloud user's keys are protected by a four-digit PIN (default) or a complex password. Obviously, due to the short length of the default PIN, this would make it easier for Apple or another interested party to decrypt the master password and read Keychain records.

As with any password manager, cloud-based or local, the most secure method for protecting user credentials is of critical importance. A one-time password (OTP) -- an automatically generated password for a single login or session -- in addition to another authentication method is always preferred when safeguarding confidential information. With Apple's iCloud Keychain, take its claims of local-only credential storage with a grain of salt. I also recommend refraining from using the default four-digit PIN. While the OS X built-in Keychain system seems to offer ease of use, it also presents some questionable security practices.

This was first published in March 2014

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Essential Guide

Formulating and managing online identity and access control

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close