iOS 15, iPadOS, and macOS Monterey, which will be available to the public this fall, have a slew of new features. Apple showcased a lot of these in the WWDC’21 keynote. But a lot of great ones didn’t make the cut into the keynote where Apple introduces major changes.
Case in point: the built-in Authenticator coming to iOS 15, iPadOS 15, and macOS 12 (Monterey). If you have ever used a separate authenticator app, you know how important they are in countering the security risks related to passwords we face on the internet – At least as long as the industry doesn’t go completely password-free, which will take few years to say the least.
But using a third-party authenticator app can be cumbersome. A built-in authenticator from Apple that works with iCloud Keychain will make the process faster.
Why Use an Authenticator?
Everyone, no matter how tech-savvy, knows usernames and passwords at this point and how to use them. Passwords are easy to use and set up. But they are also notoriously difficult to use correctly. That’s right!
People often misuse passwords: reusing them on multiple websites or using passwords that are quite easy to guess (123456789 is a rather common password). Factor in 2 Factor-Authentication. Websites and apps that use 2FA offer increased protection to their users than websites that only have passwords.
But chances are, most of you use OTP for that added protection. While it certainly is a step up from using passwords alone, One-Time Passwords delivered over SMS aren’t that great an alternative. They’re just a little higher than passwords on the security spectrum, that’s all.
OTPs are just as prone to phishing attacks as Passwords. An OTP can be easily compromised with an attack like SIM-swapping or snooping on carriers.
Time-based One-Time Passwords (or TOTPs) are far-superior options.
TOTPs are time-sensitive and never reused. Also, the process happens completely on your device and has nothing to do with your carrier or SIM. There is no communication involved with the website, hence, making it a lot safer. Authenticators are the apps that generate these TOTPs for a secure login.
What is Apple’s Built-In Authenticator?
Generally, we use third-party apps like Authenticators from Google or Microsoft, or Authy to generate these TOTPs for multi-step login. With iOS 15, iPadOS 15, and macOS Monterey, Apple will be launching its own Authenticator that’ll eliminate the need to use a third-party app.
The Authenticator will be a part of iCloud Keychain, just like the Password Manager. You’ll be able to find it under ‘Passwords’ in Settings on all three devices and also in Safari and Microsoft Edge (via extension) on Windows 10.
Authenticators are generally more complicated to set up. With iCloud Keychain TOTPs, Apple promises to deliver a process that’s easier to set up.
It’ll also eliminate the need to open the Authenticator app separately to look up the code and enter it on the website or app. iCloud Keychain will automatically fill in your TOTPs on the website, just as it does with passwords currently, or like OTPs lately. (Don’t we all just love that Apple recently introduced Autofill for OTPs received over SMS?)
Your verification codes will also be synced across all your devices, and iCloud Keychain will also back them up. They’ll also be end-to-end encrypted, just like your passwords.
You’ll be able to generate codes for any website that offers two-factor authentication.
Note: This is a beta feature and won’t be available generally until the public release of iOS 15 or macOS 12 later in fall 2021.
How to Set Up the Built-In Authenticator for a Website on iPhone
If a website offers Two-Factor authentication with TOTP, you can easily set it up on a device running iOS 15. Open the Settings on your iPhone and go to ‘Passwords’.
Opening ‘Passwords’ settings will require your Face ID, Touch ID, or Passcode to authenticate. Once in, you’ll see the list of all websites that you have stored with iCloud Keychain. Tap a website to open it.
If the website isn’t saved in Passwords, tap the ‘+’ icon in the top-right corner to save it with iCloud Keychain. Then, open it.
Then, tap ‘Set Up Verification Code’ from the options.
There are two ways to set up a verification code depending on the website you’re currently setting up for. You can either enter the Setup Key or scan a QR code. Tap the preferred option.
Go to the website you’re setting up 2FA for and generate the setup key or QR code. If you chose the Setup key, simply enter the key. For QR code, settings will open the camera to scan the code. The code will be set up after you enter the code generated by Apple’s authenticator on the website.
Now, if you’re setting 2FA for a website in Safari on your iPhone itself, you’re going to wonder how to scan the QR code. Well, Safari uses on-device image analysis to detect QR codes and decode the information it contains. So you don’t need an external camera to scan it.
Tap and hold the QR code generated and tap ‘Open in Settings’.
The ‘Passwords’ settings screen will open directly, and it’ll also suggest the website the QR code is for. Tap it, and authenticator codes will be set up.
This is the process while iOS 15 is still in beta. Chances are when iOS 15 releases for the public, the process would be even more seamless as a lot of developers could incorporate a direct link for iCloud Keychain setup on their websites.
Using Authenticator Codes to Sign-In to Websites
Your verification codes will be synced across your Apple devices in iCloud Keychain. So, every time you sign in on one of these devices, iCloud Keychain will autofill the code with just a tap.
All you have to do is tap the ‘Verification code for [site address]’ from the keyboard to automatically enter the Verification Code for the respected site.
Using Verification Codes from the Built-in Authenticator on Other Devices
You can also use the built-in authenticator to generate a code while logging in on a non-Apple device. In this case, the ease of Autofill will go away, and you’d have to manually type the code just like any other authenticator app.
Go to Settings and open Passwords. Then, select the website you want the code for and then you’ll find the code under ‘Verification code’ section on the screen.
💡 Ask Siri to Quickly Get Verification Codes
Alternatively, you can also say, “Hey Siri, what’s my password for [website name]” and Siri will bring up the website details from Passwords, skipping all the digging into the Settings.
Then, on the Passwords screen for the website, you’ll find the verification codes displayed on the screen.
Passwords might soon get replaced in the industry due to their weak security. Apple itself is working on a public-key-based credential that uses Web Authentication standard (the most secure standard), BT DUBS. But, it’ll be a while before passwords are completely replaced. And while passwords are still in use, authenticator codes are the way to go for utmost security.
Thankfully, with Apple’s built-in authenticator, choosing security won’t be a hassle anymore.