Get started Bring yourself up to speed with our introductory content.

Introduction to iCloud Keychain: Security for password synchronization

ICloud Keychain can supposedly sync passwords across devices without using iCloud. But is it secure? Security expert Michele Chubirka explains.

The iCloud Keychain supposedly syncs passwords across devices but does so without storing the password in the cloud. How does this work, and what are the security implications?

Apple Inc., a leader in usability, has gone one step further with its desktop security by integrating an updated version of its password manager in the latest revision of OS X Mavericks. The iCloud Keychain attempts to synchronize accounts across all of a user's devices. It seems like a great idea: a password manager built into the OS that eliminates the difficulty of managing a third-party application and its data. For the truly paranoid, there's also an option of keeping Keychain data locally, while still updating across devices. But is this too good to be true?

By default, iCloud Keychain, which stores usernames, passwords and credit card numbers, keeps its data in the cloud. This information is secured by the user's iCloud password and an individual security code, which can be a four-digit PIN or a complex passcode. When a new device needs to be authorized to access the Keychain, the second authentication method is required or approval must be given from another authorized device.

According to Apple's documentation, it's also possible to set up the iCloud Keychain to only store account information locally on authorized devices. Supposedly, by avoiding the creation of a security code, the Keychain data won't be synchronized to iCloud, but it also can't be used for recovery.

However, this claim seems inaccurate. It appears that passwords still synchronize across devices, even when an Internet connection is immediately turned off after adding a login to the local keychain. This implies that account data is still going to the cloud, but this shouldn't really be shocking to anyone. Synchronized password management isn't magic. What Apple hasn't made clear is whether the account data is only stored temporarily to facilitate synchronization without permanent storage or if the documentation is blatantly incorrect.

What does this mean for a user's privacy and iCloud Keychain security? According to viaForensics researcher Andrey Belenko, when using iCloud Keychain with a security code, Apple acts as an escrow proxy, which means it gives out passwords to authenticated devices. The iCloud user's keys are protected by a four-digit PIN (default) or a complex password. Obviously, due to the short length of the default PIN, this would make it easier for Apple or another interested party to decrypt the master password and read Keychain records.

As with any password manager, cloud-based or local, the most secure method for protecting user credentials is of critical importance. A one-time password (OTP) -- an automatically generated password for a single login or session -- in addition to another authentication method is always preferred when safeguarding confidential information. With Apple's iCloud Keychain, take its claims of local-only credential storage with a grain of salt. I also recommend refraining from using the default four-digit PIN. While the OS X built-in Keychain system seems to offer ease of use, it also presents some questionable security practices.

Ask the Expert!
Got a vexing problem for Michele Chubirka or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)

This was last published in March 2014

Dig Deeper on Two-factor and multifactor authentication strategies