Apple has been dedicated to password security on its mobile systems for some time. With iOS 11, Apple introduced its own password manager in iOS and integrated it into the QuickType keyboard. Since then it has helped to fill in user names and passwords on websites and in apps.
To do this, the iOS keyboard tries to detect whether the user is being asked for a user name or password and offers the matching entry as a QuickType suggestion. If no password is available but such a field is detected, the user can open all user names and passwords in the password manager and select the appropriate combination.
Since iOS 12, third-party apps such as 1Password can also be registered as a password vault and selected from the corresponding dialogs. Websites and apps enter into a trust relationship so that passwords are automatically suggested as a fill-in aid. This is achieved by linking the app and the website: the developer stores the respective domain in the project settings in Xcode (Associated Domains). The website stored there also needs a special JSON file (“apple-app-site-association”), which must be deposited on the website.
This JSON file then also contains a reference to the released app, namely:
This “apple-app-site-association” file is the same JSON file that has been used since iOS 8 to share passwords between apps and websites (via Safari). With iOS 13, all associated domain configurations can also be set via MDM:
Website trust for the app – storing a JSON file (“apple-app-site-association”; the website must comply with ATS (App Transport Security))
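The trust link described above rests on the contents of that JSON file, so a practitioner typically wants a quick sanity check before shipping it. The following validator is an added example, not code from the article or from Apple; it assumes the publicly documented shape of the file (a top-level "webcredentials" object whose "apps" array lists entries of the form TEAMID.bundle-identifier) and uses a constructed sample with placeholder team and bundle identifiers.

```python
import json
import re

# Constructed sample of an apple-app-site-association file (not taken from the
# page). "ABCDE12345" stands in for a ten-character Team ID and
# "com.example.app" for a bundle identifier; both are placeholders.
SAMPLE_AASA = json.dumps({
    "webcredentials": {"apps": ["ABCDE12345.com.example.app"]},
})

# Ten alphanumeric characters (Team ID), a dot, then a dotted bundle identifier.
APP_ID_RE = re.compile(r"^[A-Z0-9]{10}\.[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def validate_aasa(text: str) -> list:
    """Return a list of problems found in an apple-app-site-association body.

    An empty list means the file looks well-formed for Password AutoFill.
    The file itself carries no signature, so the only guarantees come from
    serving it over HTTPS (ATS) and from its contents being what you intend;
    this check covers the second part.
    """
    problems = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]

    webcredentials = doc.get("webcredentials")
    if webcredentials is None:
        problems.append("missing 'webcredentials' key (required for Password AutoFill)")
        return problems

    apps = webcredentials.get("apps") if isinstance(webcredentials, dict) else None
    if not isinstance(apps, list) or not apps:
        problems.append("'webcredentials.apps' must be a non-empty list")
        return problems

    for app_id in apps:
        # Every entry must name exactly one app; a malformed entry would silently
        # fail to match in iOS rather than raise an error, so flag it here.
        if not isinstance(app_id, str) or not APP_ID_RE.match(app_id):
            problems.append(f"app identifier {app_id!r} is not of the form TEAMID.bundle.id")
    return problems


if __name__ == "__main__":
    print("sample file problems:", validate_aasa(SAMPLE_AASA))
    print("bad file problems:", validate_aasa('{"webcredentials": {"apps": ["bad"]}}'))
```

Run the script against the body you intend to publish; anything other than an empty list means iOS will most likely ignore the association rather than report why.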
However, because some users do not use the suggested secure passwords, Apple is now extending the password manager in iOS 14: users are automatically informed if a password they chose themselves has been compromised over time, i.e. has fallen into the wrong hands through a data leak, so that their account has become unsafe. The system also notifies users of weak passwords such as 1234.
According to Apple, if a password has become publicly visible through such a data leak, all accounts that use this password are at risk. The data leak does not necessarily mean that the user's own account appeared in it. According to Apple's WWDC session, it is enough that the password itself may have ended up in the password databases of the “bad guys”. If this is the case, the user is informed by a push notification and a dialog in the password manager. However, the message is somewhat cryptic – a little more transparency would be desirable here so that the user does not panic immediately.
Apple uses various techniques to check whether passwords have been compromised. However, Apple expressly emphasizes that the company gains no insight into the passwords themselves; instead, cryptographic techniques (hash functions) are used to convert a user password into a form that cannot be traced back to it. Details of the procedure are not known.
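Since the article notes that Apple's exact procedure is not public, the following added example does not claim to show it. It demonstrates one widely used way to answer the question "is this password in a breach corpus?" without sending the password or even its full hash to the server: the k-anonymity range query popularized by Have I Been Pwned's Pwned Passwords service (SHA-1 the password, send only the first five hex characters, compare the returned suffixes locally). It also includes the kind of structural "weak password" check the article mentions for values such as 1234. The breach corpus and all passwords below are constructed for the example; this is not Apple's or HIBP's code.

```python
import hashlib

# Constructed stand-in for a leaked-password corpus (not real breach data).
BREACHED_PASSWORDS = {"password", "1234", "letmein", "qwerty123"}

PREFIX_LEN = 5  # 5 hex characters = 20 bits; the server learns nothing more


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the digest the range query is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(passwords) -> dict:
    """Server side: bucket breached hashes by prefix, storing only the suffixes."""
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:PREFIX_LEN], set()).add(digest[PREFIX_LEN:])
    return index


BREACH_INDEX = build_index(BREACHED_PASSWORDS)


def range_query(prefix: str) -> set:
    """Server side: every suffix in the bucket for this prefix.

    The server never receives the full hash, so it cannot tell which (if any)
    of the returned suffixes the client actually holds.
    """
    return BREACH_INDEX.get(prefix.upper(), set())


def is_compromised(password: str) -> bool:
    """Client side: hash locally, transmit the prefix only, match the suffix locally."""
    digest = sha1_hex(password)
    return digest[PREFIX_LEN:] in range_query(digest[:PREFIX_LEN])


def is_weak(password: str, min_len: int = 8) -> bool:
    """Purely structural weakness: too short, digits only, or one repeated character."""
    return len(password) < min_len or password.isdigit() or len(set(password)) == 1


def assess(password: str) -> dict:
    """What a password manager would surface to the user for one stored credential."""
    return {"compromised": is_compromised(password), "weak": is_weak(password)}


if __name__ == "__main__":
    for candidate in ("1234", "password", "correct horse battery staple"):
        print(candidate, "->", assess(candidate))
```

Two properties are worth noticing when running it: a password can be compromised without being structurally weak ("password" passes the length test but is in the corpus), and the server in `range_query` only ever sees a 20-bit prefix, which is why the lookup does not leak the credential even though the server holds the breach list.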
If Apple informs users that their password has been compromised, they can ideally tap the affected website directly in the password manager to reset the password for the respective service. This is offered if the website provides such a function under https://
With iOS 14, Apple offers yet another option: app developers can now connect to the password manager via an addition to their app (a so-called extension). If an associated app (for the reported account) offers such an extension, the user can also change the password at the press of a button. In this case, the password manager itself sets a secure password for the user.
With “Sign in with Apple”, Apple has offered since iOS 13 a special button with which a user can log in to an application or website in the same way as with a Google, Twitter or Facebook account. In other words, users can use their Apple ID to log in to any compatible service.
However, Apple goes one step further when it comes to registration: the user can choose between using their own email address or a randomly generated one. According to Apple, it is guaranteed that all emails are forwarded accordingly and that the provider never learns the real address.
A separate random address is generated for each service. It is known only to Apple, since Apple essentially acts as an intermediary between the service and the user. Apple promises to protect the user's privacy and not to use the data for its own profiling; in general, no user activity in applications or on websites is logged. In addition, all accounts are protected by two-factor authentication. Web sign-in works not only on Apple systems but also on Windows and Android.
With iOS 14, Apple extends the service with additional options. Users can now convert an account that was not (yet) created with “Sign in with Apple”. Apple gives developers the opportunity to extend their apps accordingly (again via an extension). Converting an account to Apple's login service “Sign in with Apple” is also possible in the password manager. (mb / fm)