iCloud Keychain on iPhone and Mac: how to set up and use

Advanced users of Apple devices are familiar with the iCloud Keychain feature (there are other Keychains, for example, Sign in, System, etc., available on Mac), which greatly simplifies the work with passwords and other personal data on devices running iOS and macOS. In this material we will talk in detail about the process of setting up the service, and also answer frequently asked questions.

What is iCloud Keychain and why is it needed?

Keychain Access is a password manager for iPhone, iPod Touch, iPad, and Mac computers that stores Safari login credentials, payment card information, and Wi-Fi network information from all approved iOS devices. 7.0.3, OS X Mavericks 10.9 and newer releases of Apple OS.

Additionally, iCloud Keychain for Mac also stores account information used in standard apps such as Calendar, Contacts, Mail, and Messages. When a user logs into a social network or opens a website on which he is registered, the service automatically adds account data to all associated devices.

The Keychain feature is a very convenient tool for owners of multiple Apple devices.

ON TOPIC: How to set up the Clipboard (transfer text and photos) from Mac to iOS and vice versa.

iCloud 101

In fact, iCloud is not just one service; it is a general marketing name for a number of cloud services from Apple. This includes synchronizing settings, documents and photos, Find My Phone for finding lost or stolen devices, iCloud Backup for cloud backup, and now iCloud Keychain for securely synchronizing passwords and credit card numbers between iOS and OS X devices .

Each iCloud service is located on its own third-level domain, such as pXX-keyvalueservice.icloud.com, where XX is the number of the group of servers responsible for processing the current user's requests; This number may be different for different Apple IDs; newer accounts usually have a higher value for this counter.

Does Keychain Access work in all countries?

Yes. Keychain Access can be set up and used in any country on any compatible device. However, in some countries the service does not work without the ability to use the “iCloud Security Code” (more details below).

For example, when setting up Keychain Access in Russia, the user can (if necessary) protect personal data using the iCloud Security Code (setup via SMS), thereby saving all service data on Apple servers (read more about this below) .

Note: If you use two-factor authentication, the device is trusted when you sign in—i.e. No iCloud Security Code is required.

To check if two-factor authentication is enabled on your device:

On your iPhone or iPad, open the Settings app and go to Apple ID [username] -> Password & Security.

On a Mac, go to System Preferences → iCloud → Account → Security.

ON TOPIC: How to listen to Apple Music with an eternal discount: 2 ways you might not know about.

What does the verification code mean for an Apple cell phone?

To use the iTunes Store, App Store, and iCloud cloud storage, the user must have an Apple ID. This is an account through which the client can use the services of the manufacturer.

Now we need to talk in more detail about two-step verification, which includes receiving and entering an additional access code. The company has developed an additional measure to protect your profile from attackers. Even if another person knows the parameters for authorization in the system, he will not be able to log in. To access your account, you will need to know the password required for authorization.

It turns out that two-step verification is necessary in order to protect the smartphone from unauthorized access. This will secure private messages in iMessage and FaceTime. Also, the attacker will not be able to view payment document data, make in-app purchases, or use iCloud. It is especially important to protect cloud storage, since it contains all the user’s personal settings. When gaining access to the Cloud, you can block the gadget through lost mode. After this, a third party can demand a reward for unlocking the device.

How to set up iCloud Keychain on Mac, iPhone or iPad?

On iPhone or iPad:

After installing a mobile operating system update, Setup Assistant prompts you to set up iCloud Keychain. If you haven’t done this right away, don’t worry, you can set up the function at any time convenient for you. For this:

On iOS 10.3 and higher, open the Settings app, select your name (at the very top) and enter the iCloud section (on devices running an earlier version of iOS, this section is located along the path: Settings → iCloud).

Go to the “Keychain” section.

Turn on the switch for iCloud Keychain. Enter your Apple ID password and follow the on-screen instructions.

On Mac computers:

Open the Apple menu (), select System Preferences.
Select the iCloud section and turn on the “iCloud Keychain” switch, after which you should enter your Apple ID and password and follow the instructions that appear.

ON TOPIC: How to transfer a Wi-Fi password to someone else’s iPhone or iPad “in one tap” without revealing it.

Where to enter code numbers on iPhone

Once the user has been able to find out the verification code for the Apple ID, they should figure out where to enter these values. If two-step verification is activated on your smartphone, then the procedure is performed according to the following instructions:

First you will need to log into your account on your computer or phone;
Next, the user specifies the parameters for authorization in the account;
when the transition to the second page is complete, you should select the “Didn’t receive the verification code?” button there;
the system must forward the digital value to a trusted number or device;
you should view the display of the second gadget or open the received message;
the code value data should be copied or memorized;
Now the user can return to the page where they need to enter a verification code to access their profile;
the required parameters are entered into the empty window;
the site will begin checking the data, and after 2-3 seconds access to the user account will be granted.

This feature can cause problems because login information is not always sent to a trusted device. There are also situations when the additional telephone fails. In this case, the client must know how to solve the problem with authorization in the account.

Adding additional devices

If you want to add additional devices, iCloud Keychain must be enabled on each of them. When activating a feature on a new device, each device where it is configured will receive a confirmation request.

For example, when you turn on Keychain on an iPhone , a message like this will appear on a Mac using the same Apple ID (iCloud) account:

Click “Continue,” which will open iCloud settings, where you must enter your Apple ID password, thereby allowing the device to use Keychain Access.

The reverse procedure is to enable Keychain Access on the Mac and a notification will be sent to the iPhone.

Once confirmed, the information on the new gadget will be updated automatically if the device is online.

Note: When two-factor authentication is enabled, Keychain is enabled without receiving confirmation from the other device.

To check if two-factor authentication is enabled on your device:

On your iPhone or iPad, open the Settings app and go to Apple ID [username] → Password & Security.
On a Mac, go to System Preferences → iCloud → Account → Security.

ON TOPIC: How to enable magnifying glass mode on iPhone.

Other levels of verification

If your verification requires security questions, email, or two-step verification, the settings are slightly different.

Did you like the article? Subscribe to our Telegram channel. News comes out faster there!

For phone and tablet

Repeat the same steps to activate the feature.
Enter your ID and follow the instructions.

For PC

Go to system settings and find iCloud.
Introduce yourself and follow the instructions.

To add more devices, you need to configure this feature on each of them. It is important to always use the same account information. You can also add your credit card information and enable autofill.

How to export macOS Keychain?

On your computer, you need to access the program, go to the “File” - “Export Objects” section. Next, you need to select a location to save the information and click the “Save” button.

Security code when setting up Keychain. What it is?

Note: If you use two-factor authentication, the iCloud Security Code is not required.

A security code is a set of six numbers or a combination of numbers and letters that is used to identify you and access other iCloud Keychain features. For example, if you have lost your device, you can use the code to restore the data stored in it. When using the iCloud Security Code, all service data is stored on Apple servers. To receive a security code, you must receive an SMS to a phone number registered in a country where Keychain is officially supported.

Accordingly, if you do not use the iCloud Security Code, then data from Keychain is stored and synchronized only between approved devices.

On iOS:

On Mac:

Again, a Security Code allows you to activate iCloud Keychain without requiring approval from other devices, but two-factor authentication must be enabled to do so. Simply turn on the Keychain switch as described above and enter the password and security code that automatically appears on trusted gadgets.

ON TOPIC: How to set a 4-character password on your iPhone or iPad.

Recovering Escrow Data

To receive the deposited data, the following protocol is executed:

The client requests a list of deposited records (/get_records).

The client requests an associated telephone number to which the server will send a confirmation code (/get_sms_targets).

The client initiates the generation and delivery of a confirmation code (/generate_sms_challenge).

After the user has entered the iCSC and verification code from SMS, the client initiates an authentication attempt using the SRP-6a protocol (/srp_init).

After receiving a response from the server, the client performs the calculations prescribed by the SRP-6a protocol and requests the escrow data (/recover).

If the client has successfully authenticated, the server returns the deposited data, having previously encrypted it with a key generated during the operation of the SRP-6a protocol (if the protocol worked successfully, then both the server and the client calculated this shared key).

It is important to note that the phone number obtained in step 2 is used solely for user interface purposes, that is, to show the user the number to which the verification code will be sent, and in step 3, the client does not transmit to the server the number to which the verification code should be sent.

How to view passwords for websites in iCloud Keychain on iPhone or iPad

When iCloud Keychain is activated, Apple's AutoFill feature automatically enters user login credentials into the appropriate fields on websites or apps. However, some sites do not allow automatic data entry. In such cases, you need to copy and paste your username and password manually. This is done as follows:

1. Open the Settings application;

2. Select “Accounts and Passwords”;

3. Select “Passwords for programs and sites” and, if necessary, verify the user using Touch ID or Face ID;

4. Select the appropriate entry from the list or use the search field at the top of the Passwords screen to enter the name of the application or website for which you want to enter credentials;

5. Touch and hold the username/password option, and then select “Copy” from the pop-up window;

6. Open the appropriate application or web page, long-press the username and password input field, and then select the “Paste” option.

7. You can remove your credentials by using the Edit option in the top right corner of the Passwords screen. In addition, this option can be used to change the credentials for the relevant websites.

ON TOPIC: How to set a password of 4 characters (digits) instead of 6 on your iPhone or iPad.

Apple official website

To restore access to iCloud, a user who has forgotten his account password will need:

Go to apple.com and left-click on the tablet icon in the upper right corner of the browser window.

Select “Login” from the list that opens.

Find on the new page the already familiar link “Forgot your Apple ID or password?” and click on it.

As you might guess, as a result the iPhone owner will end up on the password recovery page; he can read what to do next in the first section of our material.

How to view logins and passwords for sites in iCloud Keychain on Mac

1. Launch the Safari browser.

2. Open the program settings (Safari → Settings).

3. Go to the Passwords tab.

4. Enter the Administrator password.

5. Select the required site (you can use the search). Opposite will be the login (Username) and password.

ON TOPIC: Erasing data on iPhone after 10 incorrect password attempts: how it really works.

Product history

Initially, a similar mechanism was used in the PowerTalk application, which was an email client from Apple. The application was created back in the early 90s, and Keychain helped control all user data from the various email services that PowerTalk could connect to.

Due to the use of encryption, passwords were difficult to remember and recover. Therefore, a mechanism was needed that would allow the user to enter only one password (the master password), which would allow access to all mail services (each of which has its own login data and passwords).

This idea, despite its obviousness and usefulness, practically died the moment Apple decided to stop supporting PowerTalk. But with the return of Steve Jobs, this function returned to Mac computers and worked not only in one program, but also in the entire system.

Adding personal information and bank card details on iPhone and iPad

You can add personal information and bank card details to iCloud Keychain at any time using your iPhone or iPad, after which they will be available on all of the user's devices. To do this you need to do the following:

1. Open the Settings application;

2. Select the Safari section;

3. Select "Autofill";

4. To add personal information, select “My Details” and select your contact from the list. To add card information, tap Saved Credit Cards and then select Add Credit Card.

RELATED: How to disable the password every time you boot your Mac.

How to log into iCloud without an iPhone

Let's consider the first, most popular method. To do this, we will need to download the iCloud program for your computer from the official website. During installation, the installer will automatically ask you what data needs to be synchronized with your computer. By default, it is recommended to check all data types, even if you do not use them. After all, in any case, you will have access to a special explorer through which you can share resources, download data and upload them back to the storage so that you can then access them on your iPhone.

The second method is intended strictly for Mac books and Mac OS. Books based on them have built-in support for iCloud, thanks to which you can log in through Explorer to the account you use on the iPhone and have all the above privileges, as on regular Windows with special software. You can also reserve storage data by creating a backup, or delete unnecessary data to increase free space. You can view absolutely any type of information and download it to your computer via the Internet without an iPhone.

Can Apple tech support restore the iCloud security code for Keychain?

Try to remember the code well or write it down in a safe place, because if you forget it, Apple technical support will not be able to help you recover the code . In addition, you must remember that the number of incorrect attempts to enter the code is limited, and after exceeding the limit, access to iCloud Keychain will be blocked. In this case, you need to contact Apple technical support and after successful identification, the user will be given additional attempts to enter the code. If in this case the wrong combination is specified, Apple will permanently erase iCloud Keychain from its servers (of course, all personal data will be lost).

ON TOPIC: Backup in iCloud, synchronization with iCloud and iCloud Drive, what is the difference?

Contact Apple Support

If you don’t want to act on your own, but need to restore access to your iCloud account, the owner of Apple equipment can contact support:

Go to apple.com and click on the “Support” button.

On the page that opens, find the “Contact support” link and click on it.

Next, click on the Apple ID button.

Select the problem “I don’t remember my Apple ID password” in the new window.

If the user can communicate right now, click on the “Talk to Apple Support” checkbox.

And in a new window, enter your account information and cell number by which the consultant can contact the client.

As a rule, a specialist calls within five to ten minutes after completing the application. You may have to wait up to half an hour; If after this time there is no incoming call, you should make the request again - or try one of the previously described options.

Advice: if you don’t feel like talking right now or it’s not possible, you should schedule a call by clicking on the adjacent space and selecting the appropriate day and time.

Is it possible to set up Keychain Access without a security code (without an SMS-enabled phone number)?

Can. Setting a security code when setting up the function is completely optional. But in this case, your data will not be stored on the server, but on the devices themselves. This approach assumes greater user control over their data, but it has a significant drawback - Apple will not be able to assist in restoring the iCloud Keychain.

If your country doesn't have the option to set up iCloud Keychain via SMS, don't worry, you can still enable the feature. To do this, when setting up (instructions for setting up above) the service on iOS devices, do not select the “Verify with code” option in the “Add-ons” menu:

On Mac computers, go to Advanced Options and select Don't generate a security code.

We repeat that in this case, “iCloud Keychain” will be stored only on the device, and not on the Apple server, and updated only on approved gadgets. Complete the setup by following the instructions that appear on the screen.

ON TOPIC: How to visually identify each iPhone model?

Secure Remote Password

In step 4, the client begins executing the SRP-6a protocol. The SRP (Secure Remote Password) protocol is a password authentication protocol that is protected from eavesdropping and man-in-the-middle attacks. Thus, for example, when using this protocol, it is impossible to intercept a password hash and then try to recover it, simply because no hash is transmitted.

Apple uses the most advanced version of the protocol, SRP-6a. This option instructs to close the connection if authentication fails. Additionally, Apple only allows ten failed authentication attempts for a given service, after which all subsequent attempts are blocked.

A detailed description of the SRP protocol and its mathematical foundations is beyond the scope of this article, but for completeness, a private version used by the com.apple.Dataclass.KeychainSync service is presented below.

The hash function H is SHA-256, and the group (N, g) is the 2048-bit group from RFC 5054 “Using the Secure Remote Password (SRP) Protocol for TLS Authentication.” The protocol runs as follows:

The device generates a random value a, calculates A=g^a mod N, where N and g are the 2048-bit group parameters from RFC 5054, and sends a message to the server containing the user ID, the calculated value of A, and the confirmation code from the SMS. The user identifier is DsID, a unique numeric user identifier.
Upon receiving the message, the server generates a random value b and calculates B=k*v + g^b mod N, where k is the multiplier defined in SRP-6a as k=H(N, g), v=g^H(Salt, iCSC) mod N is a password verifier stored on the server (analogous to a password hash), Salt is a random salt generated when creating an account. The server sends a message to the client containing B and Salt.
Through simple mathematical transformations, the client and server calculate a common session key K. This completes the first part of the protocol - key generation - and now the client and server must ensure that they have received the same value for K.
The client calculates M=H(H(N) XOR H(g) | H(ID) | Salt | A | B | K), a proof that it knows K, and sends M and the confirmation code from the SMS to the server. The server also calculates M and compares the value received from the client and the calculated value; if they do not match, the server stops executing the protocol and breaks the connection.
The server proves knowledge of K to the client by computing and sending H(A, M, K). Now both participants in the protocol have not only developed a common key, but also made sure that this key is the same for both participants. In the case of the escrow service, the server also returns a random IV and an escrow record encrypted with a shared key K using AES in CBC mode.

Using SRP for additional protection of user data, in my opinion, significantly improves the security of the system from external attacks, if only because it allows you to effectively resist brute force attempts at iCSC: you can try only one password per connection to the service. After several unsuccessful attempts, the account (as part of working with the escrow service) is transferred to the soft lock state and temporarily blocked, and after ten unsuccessful attempts, the account is permanently blocked and further work with the escrow service is possible only after resetting the iCSC for the account.

At the same time, the use of SRP does not protect against internal threats in any way. The deposited password is stored on Apple's servers, so it can be assumed that Apple can access it if necessary. In this case, if the password was not protected (e.g., encrypted) prior to escrow, it could result in a complete compromise of the Keychain records stored in iCloud, since the escrow password would allow the encryption keys to be decrypted, which would decrypt the Keychain records (note com. apple.Dataclass.KeyValue).

However, in the "iOS Security" document, Apple claims that specialized hardware security modules (Hardware Security Modules (HSM)) are used to store escrowed records and that access to escrowed data is impossible.

Escrow Security

iCloud provides a secure infrastructure for Keychain escrow, ensuring that Keychain can only be recovered by authorized users and devices. HSM clusters protect escrow records. Each cluster has its own encryption key used to protect records.

To recover Keychain, the user must authenticate using the iCloud username and password and respond to the sent SMS. Once this is completed, the user must enter the iCloud Security Code (iCSC). The HSM cluster verifies the correctness of the iCSC using the SRP protocol; however, iCSC is not transmitted to Apple servers. Each node in the cluster, independently of the others, checks to see if the user has exceeded the maximum number of attempts to retrieve data. If the check is successful on most nodes, the cluster decrypts the escrow record and returns it to the user.

The device then uses iCSC to decrypt the escrow record and obtain the password used to encrypt the Keychain records. Using this password, the Keychain obtained from the Key/Value storage is decrypted and restored to the device. Only ten attempts are allowed to authenticate and retrieve deposited data. After several unsuccessful attempts, the entry is locked and the user must contact support to unblock it. After the tenth unsuccessful attempt, the HSM cluster destroys the escrowed record. This provides protection against brute force attacks aimed at obtaining a record.

Unfortunately, it is not possible to verify whether HSMs are actually used. If this is indeed the case and HSMs do not allow the data stored in them to be read, then it can be argued that iCloud Keychain data is also protected from internal threats. But, I repeat, unfortunately, it is impossible to prove or disprove the use of HSMs and the inability to read data from them.

There remains one more way to protect data from an insider threat - protecting the escrowed data on the device before transferring it to Apple servers. From Apple’s description it follows (and the reversal confirms this) that such protection is applied - the deposited password is pre-encrypted using iCSC. Obviously, in this case, the level of security (from insider threat) directly depends on the complexity of the iCSC and the default four-character iCSC does not provide sufficient protection.

So, we have figured out how the individual elements of the system work, and now it’s time to look at the system as a whole.

How to turn off Keychain on iPhone, iPad or Mac and what happens after it turns off?

When you disable the function (in the iCloud section on iOS and macOS), two options will appear on the device screen - save or erase the information stored in it. If you choose not to delete your data, it will still remain in iCloud Keychain, but it won't update if you make changes to it on other devices.

If you turn off Keychain Access without saving data on all devices, you can only restore data if you used a Security Code.

ON TOPIC: How to clear memory on iPhone or iPad: 40 ways.

Setting up security for iPhone on iOS8

This guide covers iOS 8 features for iPhone 4S/5/5c/5s/6 and 6 Plus.

Security features help protect information on iPhone from unauthorized persons.

Using a password to protect data

For added security, you can set a password that you must enter every time you turn on your iPhone or wake it from sleep mode.

Setting a password. Go to Settings > Touch ID & Passcode (iPhone models with Touch ID) or Settings > Passcode (other models) and enter the 4-digit code.

Setting a password turns on Data Security mode, where the password serves as the key for 256-bit AES encryption of email messages and attachments stored on iPhone. (Other programs may also use data protection.)

Increased security level. Turn off the Simple Password option and use a longer password. Use the keyboard to enter a password consisting of letters and numbers. If you prefer to unlock your iPhone using the numeric keypad, you can set a passcode that consists of numbers only.

Add fingerprints and configure Touch ID sensor settings . (On iPhone models with Touch ID) Go to Settings > Touch ID & Passcode. See Touch ID sensor below.

Allow access to functions on a locked iPhone. Go to Settings > Touch ID & Passcode (iPhone models with Touch ID) or Settings > Passcode (other models). The following functions are available:

"Today" tab;
“Notification Type” tab;
Siri feature (if enabled, see Siri Settings)
Passbook (see Chapter 26, Passbook)
“Reply with message” function (see Receiving calls)

Allow access to Control Center on a locked iPhone. Go to Settings > Control Center. See Control Center.

Delete data after ten unsuccessful password attempts. Go to Settings > Touch ID & Passcode (iPhone models with Touch ID) or Settings > Passcode (other models), then tap Erase Data. After ten unsuccessful password attempts, all your settings will be reset and all information and media content will be erased by removing the data encryption key.

What specific credit card information is stored in Keychain Access?

So, we already know that iCloud Keychain stores passwords and logins for authorization on websites, wireless networks and other accounts, as well as bank card data. What payment information does the function store? When making online payments, fields with the card number and expiration date are automatically filled in. PIN codes are not saved or filled in.

ON TOPIC: How to properly hold your iPhone when shooting video.

What to do if it is impossible to obtain a digital code

If a customer previously installed two-step verification on his smartphone, but he cannot receive the access code, he should find out what to do in such a situation. The easiest way is to disable the additional security measure. To do this, you need to use the following instructions:

First, a browser is opened on the computer;
then enter the link https://appleid.apple.com into the address bar;
after that, you should log into your account and find the “Security” item;
in this section there will be a “Two-step verification” button;
next to it is the “Change” button;
when the client clicks on the item, he will be able to select the "Disable" key.

Next, you should check the security question data and date of birth so that later there are no problems with authorization in your account.

The verification code allows you to protect your cell phone from unauthorized entry. The user does not have to worry about payment documents and personal information.

How to delete Keychain Data from Apple servers

On iOS devices

Launch the Settings app and go to the iCloud section.
Since the Keychain was protected by a Security Code, go to “Keychain” → “Advanced”, turn off the “Verify with Security Code” option.
Disable Keychain Access on all synced devices.

On Mac computers

Open System Preferences, select the iCloud section, and then click on Account.
Uncheck the "Allow verification with security code" option and deactivate iCloud Keychain on all synced devices.

When you do all of the above, the data will still remain in iCloud Keychain, but only locally, on devices (if you select the appropriate option “Keep on iPhone” or “Keep on this Mac”), and not on servers. As a result, changes to your credentials will no longer be saved in Keychain Access.

Recovering iCloud password via email

The easiest way to recover your iCloud password is to send a reset code by email. This is done like this:

We connect the iPhone to the Internet.
Go to the iCloud settings menu. You must click on “Forgot your password?”.

Enter Apple >

The required code will be sent not only to the main email, but also to the backup email if you have added it. If you don't receive the message, open your Spam folder. To be sure, you can add apple.com to your address book by email. The password will be reset after clicking on the link in the message. You'll be prompted to enter a new security key for iCloud.

Reviews

Opinions about this feature vary. Despite the fact that password managers have been around for decades, many users still succumb to their paranoid ideas and do not want to synchronize data with the cloud.

During the existence of this option, there were no mass leaks or losses of information, which means the system can be trusted.

Users constantly complain about problems with re-syncing and setting up Keychain Access. It is almost impossible to solve these problems without the help of a service center. The function simply does not work, people are forced to call the company's technical support department and confirm their identity (answer secret verification questions).

There were many users who said that thanks to iCloud Keychain they were able to completely abandon other password managers and made their life much easier. Moreover, people trust Apple much more than other companies.