How does a keychain work on a Mac? Can't remove your device? Connecting a new iOS device to iCloud Keychain


Hello everyone, dear readers. Today I will explain what the much-discussed iCloud Keychain is, how to activate it and how to use it. First, let me define what iCloud Keychain is.

iCloud Keychain is a cloud service from Apple that stores users' personal data in encrypted form. Personal data here means logins and passwords, security codes from credit cards, and the certificates you use in Apple services.

The question naturally arises: how safe is the data entrusted to this service? According to the company, all data is stored in encrypted form and only the owner of the data can access it; Apple employees do not have access to your data.

You can enable this feature directly from your Apple device, such as an iPad or iPhone. I will use an iPad as the example, but there is no difference between enabling the feature on an iPhone or an iPad.

Activation

Follow the steps below to successfully activate the required service:

Afterwards you will be able to synchronize the data held in this service with your other devices, both those running iOS and those running Mac OS.

Settings

Now let's set up automatic saving of data entered in the Safari browser to the iCloud Keychain service:

  1. Open the device settings, select the Safari section and then the Passwords item;
  2. On the screen that opens, enable the "Names and Passwords" option.

After completing these steps, all passwords, logins and other data entered in the Safari browser will be saved, at your request, to the iCloud Keychain cloud service.

Some tips for working with this feature:

  1. If you cannot configure or activate the keychain, update your operating system to the current version and check your Internet connection;
  2. You can view all saved passwords under Settings, Safari, Passwords, Saved Passwords;
  3. This service may not save passwords for some websites, because such sites, for security reasons, prohibit storing any data;
  4. I recommend using this tool (the keychain) only on Apple mobile devices without a jailbreak, because using the feature on a jailbroken device may be unsafe.

iCloud Keychain is an indispensable assistant for storing important and confidential information. All passwords from Safari are saved to cloud storage. You do not have to write down or memorize complex passwords yourself: the keychain remembers them and fills them in for you.

When using iCloud Keychain, enter your iCloud security code. The code can be six-digit, numeric or alphanumeric, or automatically generated. It lets you recover your data if a device is lost, and it is also required for certain actions when verifying the user. This is additional protection, but choose a code that you will not forget. If you enter the code incorrectly several times, the keychain will be blocked on this device; to resume, contact Apple technical support for identification and unlocking.

When activating the keychain, you can skip entering the security code; in that case the information will not be stored in the cloud.

Keychain setup

If you cannot confirm the login on the new device from another device, use the security code; after entering it, confirm via SMS. On any Apple device, to configure the keychain, go to the "Settings" menu, select "iCloud" and find the Keychain item. Tap it and a switch appears; slide it to turn the keychain on. Enter your Apple ID password and follow the instructions. You now have access to the most important function: automatic entry of any passwords and codes. Pay for purchases, sign in to websites and email without hesitation.

Credit card security

The vault contains credit card numbers and expiration dates. Security codes are not stored. Disabling the feature does not erase your data.

Some problems when using the application and ways to solve them

Code not received via SMS

  • Make sure this is the phone number associated with your account.
  • Check your tariff plan and find out whether SMS messages are blocked.

To check which number is associated with your account, go to "Settings", select "iCloud Keychain" and open the "Advanced" tab. The phone number is shown in the "Verification number" section.

Social network passwords are not displayed on devices

In Settings, open Safari and go to Autofill. Make sure the "Names and Passwords" option is turned on: when it is off, passwords are not remembered. Then press Home and check Safari. If the browser window is black, disable "Private Browsing" mode.

Some popular websites do not allow their visitors to save passwords, so passwords for those sites will not be saved.

If you lose access to one of the devices

If you lose access to one of your devices, you must create a different security code. Go to "Settings", select Keychain and open the "Advanced" tab. Select "Verify with Security Code" and then "Forgot Code". Activate "Reset Keychain". Confirm your actions and create a new code.

Message about code change

If a message appears about changing the security code, do not ignore it. It is not necessary to update the security code itself, but the update must be carried out. If you do not, the message will appear again. If you ignore this message and dismiss it with "Not now", then after the third time the keychain will be turned off. Synchronization will stop on your other devices, and it will be impossible to restore the keychain through the website.

When this message appears, you can perform the update: tap "Create" and follow the prompts.

Entered the wrong code many times

If you enter the wrong code several times, the keychain will be disabled and the keychain in the cloud will simply be deleted. Verify this device through another device or reset the keychain.

Disabling the service on all devices

If you turn off this service on all devices, your keychain will be deleted from the cloud. To resume, configure the service again.

After updating the software on any Apple device, the keychain must be reconfigured as well. To do this, open the iCloud settings and turn on Keychain by moving the slider. Then follow the instructions and configure the device again.

Safety

Apple complies with its confidentiality conditions, and information received from users of its products is not disclosed. Information is transmitted in encrypted form, and the keys cannot be handed over to anyone else. Information about the location of the device is stored in the cloud for no more than a day and is then permanently deleted.

If you encounter problems with the connection, check the settings on your device.

Storing passwords securely and synchronizing them across devices is no easy task. About a year ago, Apple introduced the world to iCloud Keychain, its centralized password store in OS X and iOS. Let's try to figure out where and how user passwords are stored, what potential risks this poses, and whether Apple has the technical ability to access the decrypted data stored on its servers. The company claims that such access is impossible, but to confirm or deny this, you need to understand how iCloud Keychain works.

iCloud 101

In fact, iCloud is not one service but a general marketing name for a number of Apple cloud services. These include synchronization of settings, documents and photos, Find My iPhone for locating lost or stolen devices, iCloud Backup for backing up to the cloud, and now iCloud Keychain for securely syncing passwords and credit card numbers between iOS and OS X devices.

Each iCloud service lives on its own third-level domain, such as pXX-keyvalueservice.icloud.com, where XX is the number of the server group that handles requests for the current user. This number may differ between Apple IDs; newer accounts usually have a higher value of this counter.

iCloud Security Code

Before diving into the analysis of iCloud Keychain, let's look at how the service is configured. When iCloud Keychain is turned on, the user is asked to come up with and enter an iCloud Security Code (hereinafter referred to as iCSC). By default, the input form allows a four-digit numeric code, but by tapping the "Advanced options" link you can use a more complex code or even let the device generate a strong random code.

We now know that data in iCloud Keychain is protected using the iCSC. Let's try to figure out how exactly this protection is implemented.

Traffic interception or man-in-the-middle

The first step in analyzing a network service is usually to gain access to the network traffic between client and server. In the case of iCloud there is bad news and good news. The bad news is that all (or at least the overwhelming majority of) traffic is protected by TLS/SSL, that is, it is encrypted, and a simple passive attack will not be able to "read" it. The good news is that Apple has made a gift to everyone wishing to explore iCloud: it does not use certificate pinning, which makes it quite easy to organize a man-in-the-middle attack and decrypt the intercepted traffic. For this it is enough to:

  1. Place the experimental iOS device on the same Wi-Fi network as the computer performing the interception.
  2. Install an intercepting proxy server on the computer (such as Burp, Charles Proxy or any similar tool).
  3. Import the TLS/SSL certificate of the installed proxy server into the iOS device (see the specific proxy's documentation for details).
  4. In the Wi-Fi network settings on the iOS device (Settings → Wi-Fi → Network name → HTTP Proxy), specify the IP address of the intercepting computer on the Wi-Fi network and the port on which the proxy server is listening.

If everything is done correctly, all traffic between the device and iCloud will be in full view. From the intercepted traffic it is clearly visible that iCloud Keychain is built on two iCloud services, com.apple.Dataclass.KeyValue and com.apple.Dataclass.KeychainSync: the device exchanges data with these services both when the feature is first enabled and when it is re-enabled on other iOS devices.

The first service is not new and was among the first iCloud features; it is widely used by applications to sync settings. The second is new and was apparently developed specifically for iCloud Keychain (although its functionality theoretically allows it to be used for other purposes). Let's take a closer look at both services.

com.apple.Dataclass.KeyValue

As noted above, this is one of the services used by iCloud Keychain. Many existing applications use it to synchronize small volumes of data (settings, bookmarks, etc.). Each record stored by this service is associated with an application identifier (Bundle ID) and a store name. Accordingly, to retrieve stored data from the service, you must provide these identifiers. In iCloud Keychain this service is used to synchronize Keychain records in encrypted form. The process is described in sufficient detail in the iOS Security document, in the sections "Keychain syncing" and "How keychain syncing works".

Keychain synchronization

When a user first turns on iCloud Keychain, the device creates a circle of trust and a synchronization identity (consisting of a public and a private key) for the current device. The pair's public key is placed in the "circle of trust", and this "circle" is signed twice: first with the device's private sync key, and then with an asymmetric key (based on elliptic-curve cryptography) derived from the user's iCloud password. The "circle" also stores the parameters for deriving the key from the password, such as the salt and the number of iterations.

The signed “circle” is saved in the Key/Value storage. It cannot be read without knowing the user's iCloud password and cannot be changed without knowing the private key of one of the devices added to the circle.

When a user enables iCloud Keychain on another device, that device accesses the Key/Value store in iCloud and notices that the user already has a “circle of trust” and that the new device is not part of it. The device generates sync keys and a receipt to request circle membership. The receipt contains the device's public synchronization key and is signed with a key obtained from the user's iCloud password using key generation parameters obtained from the Key/Value store. The signed receipt is then placed in the Key/Value store.

The first device sees the new receipt and shows the user a message indicating that a new device is requesting to be added to the "circle of trust". The user enters the iCloud password, and the receipt signature is checked for correctness. This proves that the user who generated the request to add a device entered the correct password when creating the receipt.

After the user confirms adding the device to the circle, the first device adds the new device's public sync key to the circle and double-signs it again with its private sync key and the key derived from the user's iCloud password. The new "circle" is saved to iCloud, and the new device signs it in the same way.

How Keychain Synchronization Works

Now there are two devices in the "circle of trust", and each of them knows the public synchronization keys of the other devices. They begin exchanging Keychain records via the iCloud Key/Value storage. If the same entry is present on both devices, priority is given to the modification with the later time. If the modification time of an entry in iCloud and on the device is the same, the entry is not synchronized. Each synchronized entry is encrypted specifically for the target device; it cannot be decrypted by other devices or by Apple. In addition, the record is not stored in iCloud permanently: it is overwritten by newly synced records.

This process is repeated for each new device added to the circle of trust. For example, if a third device is added to the circle, a confirmation prompt will be shown on the other two devices. The user can confirm the addition on any of them. As new devices are added, each device in the circle is synced with the new ones to ensure that the set of records on all devices is the same.

It should be noted that not the entire Keychain is synchronized. Some records are tied to the device (such as VPN accounts) and should not leave it. Only records that carry the kSecAttrSynchronizable attribute are synchronized. Apple has set this attribute for Safari user data (including usernames, passwords and credit card numbers) and for Wi-Fi passwords.

Additionally, third-party application records are not synced by default. To synchronize them, developers must explicitly set the kSecAttrSynchronizable attribute when adding an entry to the Keychain.

iCloud Keychain operates with two stores:

  • com.apple.security.cloudkeychainproxy3 (Bundle ID: com.apple.security.cloudkeychainproxy3);
  • com.apple.sbd3 (Bundle ID: com.apple.sbd; SBD is an acronym for Secure Backup Daemon).

The first store is presumably used to maintain the list of trusted devices (devices in the "circle of trust" between which password synchronization is allowed), to add new devices to this list, and to synchronize records between devices (according to the mechanism described above).

The second storage is intended for backing up and restoring Keychain records to new devices (for example, when there are no other devices in the “circle of trust”) and contains encrypted Keychain records and related information.

Thus, Keychain records are stored in a regular Key/Value store (com.apple.securebackup.record). These records are encrypted using a set of keys stored there too (BackupKeybag). But this set of keys is password protected. Where does this password come from? What is this Apple password escrow service? Let's try to find out next.

com.apple.Dataclass.KeychainSync

This service is new and arose relatively recently: support for it first appeared in beta versions of iOS 7, was absent from iOS 7.0–7.0.2, and was reintroduced in iOS 7.0.3, which was released simultaneously with OS X Mavericks. This is the password escrow service mentioned above (the service address is pXX-escrowproxy.icloud.com).

The service is intended for the secure storage of user secrets and allows the user to recover those secrets after successful authentication. Successful authentication requires:

  • an iCloud authentication token, received in exchange for the Apple ID and password during the initial authentication with iCloud (the standard authentication method for most iCloud services);
  • the iCloud Security Code (iCSC);
  • a six-digit numeric code sent by Apple's servers to the mobile phone number associated with the user.

In theory, everything looks good, but to determine whether theory matches practice, we need to audit the escrow service client software. On iOS and OS X this program is called com.apple.lakitu. A description of the process of reversing and auditing it is beyond the scope of the article, so let's move straight to the results.

Available commands

Auditing com.apple.lakitu allows us to determine the list of commands implemented by the escrow service. The corresponding screenshot shows the commands and their descriptions. I would especially like to draw attention to the last command: with its help it is possible to change the phone number associated with the current account. The presence of this command makes the multi-factor authentication used for iCloud Keychain recovery (Apple ID password + iCSC + device) noticeably less reliable, since it allows one of the factors to be excluded. It is also interesting that the iOS user interface does not allow you to run this command; it simply has no such option (at least I did not find one).

What sets this command apart from all the others is that it requires authentication with the Apple ID password and does not work when an iCloud token is used for authentication (the other commands do work with token authentication). This provides additional protection for the command and shows that the system designers took steps to improve its security. However, it is not entirely clear why this command is present in the system at all.

Recovering Escrow Data

To receive the deposited data, the following protocol is executed:

  1. The client requests the list of escrowed records (/get_records).
  2. The client requests the associated telephone number to which the server will send a confirmation code (/get_sms_targets).
  3. The client initiates the generation and delivery of a confirmation code (/generate_sms_challenge).
  4. After the user has entered the iCSC and the verification code from the SMS, the client initiates an authentication attempt using the SRP-6a protocol (/srp_init).
  5. After receiving the server's response, the client performs the calculations prescribed by the SRP-6a protocol and requests the escrow data (/recover).
  6. If the client has authenticated successfully, the server returns the escrowed data, encrypted with a key established during the SRP-6a exchange (if the protocol completed successfully, both the server and the client have computed this shared key).

It is important to note that the phone number obtained in step 2 is used solely for the user interface, that is, to show the user the number to which the verification code will be sent; in step 3 the client does not transmit to the server the number to which the verification code should be sent.

Secure Remote Password

In step 4, the client begins executing the SRP-6a protocol. SRP (Secure Remote Password) is a password-based authentication protocol that is protected from eavesdropping and man-in-the-middle attacks. For example, when this protocol is used it is impossible to intercept a password hash and then try to recover the password from it, simply because no hash is transmitted.

Apple uses the most advanced version of the protocol, SRP-6a. This variant requires the connection to be closed if authentication fails. Additionally, Apple allows only ten failed authentication attempts for this service, after which all further attempts are blocked.

A detailed description of the SRP protocol and its mathematical foundations is beyond the scope of this article, but for completeness, below is the particular variant used by the com.apple.Dataclass.KeychainSync service.

The hash function H is SHA-256, and the group (N, g) is the 2048-bit group from RFC 5054 "Using the Secure Remote Password (SRP) Protocol for TLS Authentication". The protocol runs as follows:

  1. The device generates a random value a, calculates A = g^a mod N, where N and g are the 2048-bit group parameters from RFC 5054, and sends the server a message containing the user ID, the calculated value A, and the confirmation code from the SMS. The user ID is the DsID, a unique numeric identifier of the user.
  2. Upon receiving the message, the server generates a random value b and calculates B = k*v + g^b mod N, where k is the multiplier defined in SRP-6a as k = H(N, g), and v = g^H(Salt, iCSC) mod N is the password verifier stored on the server (the analogue of a password hash), Salt being a random salt generated when the account was created. The server sends the client a message containing B and Salt.
  3. Through simple mathematical transformations, the client and the server each calculate a common session key K. This completes the first part of the protocol, key derivation; now the client and server must make sure that they have obtained the same value of K.
  4. The client calculates M = H(H(N) XOR H(g) | H(ID) | Salt | A | B | K), a proof that it knows K, and sends M together with the confirmation code from the SMS to the server. The server also calculates M and compares the value received from the client with its own; if they do not match, the server stops executing the protocol and breaks the connection.
  5. The server proves its knowledge of K to the client by computing and sending H(A, M, K). Now both participants have not only derived a common key but also made sure that the key is the same on both sides. In the case of the escrow service, the server also returns a random IV and the escrow record encrypted with the shared key K using AES in CBC mode.
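As an added example (not Apple's code and not code from this article), the exchange in steps 1–5 modelled in Python with H = SHA-256 and the RFC 5054 2048-bit group: the server stores only Salt and the verifier v, never the iCSC, and also applies the ten-failed-attempts rule that the escrow description below attributes to the HSM cluster. Assumptions: x = H(Salt | iCSC) exactly as written in step 2, the SMS code and the AES-CBC wrapping of the returned record are left out, and the DsID and record values are constructed.

```python
import hashlib
import secrets

N = int(  # RFC 5054 2048-bit group, g = 2 (constant copied from the RFC)
    "AC6BDB41324A9A9BF166DE5E1389582FAF72B6651987EE07FC3192943DB56050"
    "A37329CBB4A099ED8193E0757767A13DD52312AB4B03310DCD7F48A9DA04FD50"
    "E8083969EDB767B0CF6095179A163AB3661A05FBD5FAAAE82918A9962F0B93B8"
    "55F97993EC975EEAA80D740ADBF4FF747359D041D5C33EA71D281E446B14773B"
    "CA97B43A23FB801676BD207A436C6481F1D2B9078717461A5B9D32E688F87748"
    "544523B524B0D57D5EA77A2775D2ECFA032CFBDBF52FB3786160279004E57AE6"
    "AF874E7303CE53299CCC041C7BC308D82A5698F3A8D0C38271AE35F8E9DBFBB6"
    "94B5C803D89F7AE435DE236D525F54759B65E372FCD68EF20FA7111F9E4AFF73", 16)
g = 2
N_LEN = (N.bit_length() + 7) // 8   # 256 bytes
MAX_FAILURES = 10                   # after ten failures the record is destroyed

def H(*parts: bytes) -> bytes:
    """H is SHA-256 over the concatenation of its arguments."""
    return hashlib.sha256(b"".join(parts)).digest()

def pad(x: int) -> bytes:
    """Left-pad an integer to the byte length of N (RFC 5054 PAD())."""
    return x.to_bytes(N_LEN, "big")

def b2i(b: bytes) -> int:
    return int.from_bytes(b, "big")

k = b2i(H(pad(N), pad(g)))          # SRP-6a multiplier k = H(N, g)

def private_key(salt: bytes, icsc: str) -> int:
    # Assumption: x = H(Salt | iCSC) as the text states (RFC 5054 also
    # hashes the user identity into x).
    return b2i(H(salt, icsc.encode()))

def verifier(salt: bytes, icsc: str) -> int:
    """v = g^x mod N: the server stores this instead of the iCSC itself."""
    return pow(g, private_key(salt, icsc), N)

def client_proof(ds_id: str, salt: bytes, A: int, B: int, K: bytes) -> bytes:
    """M = H(H(N) XOR H(g) | H(ID) | Salt | A | B | K)."""
    hxor = bytes(x ^ y for x, y in zip(H(pad(N)), H(pad(g))))
    return H(hxor, H(ds_id.encode()), salt, pad(A), pad(B), K)

class EscrowServer:
    """Holds [Salt, v, record, failures] per DsID and enforces the attempt limit."""

    def __init__(self) -> None:
        self.accounts = {}
        self.pending = {}   # ds_id -> (A, B, K) for the session in progress

    def enroll(self, ds_id: str, icsc: str, record: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[ds_id] = [salt, verifier(salt, icsc), record, 0]

    def srp_init(self, ds_id: str, A: int):
        """/srp_init: reply with B = k*v + g^b mod N and Salt."""
        if A % N == 0:
            raise ValueError("illegal client value A")
        salt, v, record, _ = self.accounts[ds_id]
        if record is None:
            raise PermissionError("escrow record destroyed after 10 failures")
        b = secrets.randbelow(N)
        B = (k * v + pow(g, b, N)) % N
        u = b2i(H(pad(A), pad(B)))
        K = H(pad(pow(A * pow(v, u, N), b, N)))   # K = H(S), S = (A * v^u)^b
        self.pending[ds_id] = (A, B, K)
        return B, salt

    def recover(self, ds_id: str, M: bytes):
        """/recover: verify M; on success return H(A, M, K) and the record."""
        acct = self.accounts[ds_id]
        A, B, K = self.pending.pop(ds_id)
        if M != client_proof(ds_id, acct[0], A, B, K):
            acct[3] += 1
            if acct[3] >= MAX_FAILURES:
                acct[2] = None          # the HSM cluster destroys the record
            return None
        acct[3] = 0
        return H(pad(A), M, K), acct[2]

def client_recover(server: EscrowServer, ds_id: str, icsc: str):
    """Client /srp_init + /recover: the record, or None if the iCSC was wrong."""
    a = secrets.randbelow(N)
    A = pow(g, a, N)
    B, salt = server.srp_init(ds_id, A)
    if B % N == 0:
        raise ValueError("illegal server value B")
    u = b2i(H(pad(A), pad(B)))
    x = private_key(salt, icsc)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)   # = g^(b*(a+u*x))
    K = H(pad(S))
    M = client_proof(ds_id, salt, A, B, K)
    reply = server.recover(ds_id, M)
    if reply is None:
        return None
    hamk, record = reply
    if hamk != H(pad(A), M, K):
        raise ValueError("server failed to prove knowledge of K")
    return record
```

Only one iCSC guess is possible per connection, and nothing resembling a password hash crosses the wire, which is why the text credits SRP with resisting online brute force of the iCSC.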

Using SRP to additionally protect user data, in my opinion, significantly improves the security of the system against external attacks, if only because it effectively resists brute-force attempts on the iCSC: only one password can be tried per connection to the service. After several unsuccessful attempts, the account (as far as the escrow service is concerned) is placed in a soft-lock state and temporarily blocked, and after ten unsuccessful attempts the account is permanently blocked and further work with the escrow service is possible only after resetting the iCSC for the account.

At the same time, the use of SRP does not protect against internal threats in any way. The escrowed password is stored on Apple's servers, so it can be assumed that Apple can access it if necessary. In that case, if the password was not protected (for example, encrypted) before escrow, this could result in a complete compromise of the Keychain records stored in iCloud, since the escrowed password would allow the encryption keys to be decrypted, which in turn decrypt the Keychain records (see com.apple.Dataclass.KeyValue).

However, in the "iOS Security" document, Apple claims that specialized hardware security modules (HSMs) are used to store escrowed records and that access to the escrowed data is impossible.

Escrow Security

iCloud provides a secure infrastructure for Keychain escrow, ensuring that Keychain can only be recovered by authorized users and devices. HSM clusters protect escrow records. Each cluster has its own encryption key used to protect records.

To recover the Keychain, the user must authenticate with the iCloud username and password and respond to the SMS that is sent. Once this is completed, the user must enter the iCloud Security Code (iCSC). The HSM cluster verifies the correctness of the iCSC using the SRP protocol; the iCSC itself is not transmitted to Apple's servers. Each cluster node, independently of the others, checks whether the user has exceeded the maximum permissible number of attempts to obtain the data. If the check succeeds on a majority of nodes, the cluster decrypts the escrow record and returns it to the user.

The device then uses the iCSC to decrypt the escrow record and obtain the password used to encrypt the Keychain records. Using this password, the Keychain obtained from the Key/Value storage is decrypted and restored to the device. Only ten attempts are allowed to authenticate and retrieve the escrowed data. After several unsuccessful attempts the record is locked and the user must contact support to unlock it. After the tenth unsuccessful attempt, the HSM cluster destroys the escrowed record. This protects against brute-force attacks aimed at obtaining the record.

Unfortunately, it is not possible to verify whether HSMs are actually used. If everything really is as described and the HSMs do not allow the data stored in them to be read, then iCloud Keychain data can be said to be protected from internal threats as well. But, I repeat, unfortunately it is impossible to prove or disprove either the use of HSMs or the inability to read data from them.

There remains one more way to protect the data from an insider threat: protecting the escrowed data on the device before it is transferred to Apple's servers. From Apple's description it follows (and reverse engineering confirms this) that such protection is applied: the escrowed password is pre-encrypted using the iCSC. Obviously, in this case the level of security (against an insider threat) depends directly on the complexity of the iCSC, and the default four-digit iCSC does not provide sufficient protection.

So, we have figured out how the individual elements of the system work, and now it’s time to look at the system as a whole.

Putting it all together

The diagram shows how iCloud Keychain works in terms of depositing and restoring Keychain records. The system works as follows:

  1. The device generates a set of random keys (in Apple's terminology, a keybag) to encrypt Keychain records.
  2. The device encrypts the Keychain records (those with the kSecAttrSynchronizable attribute set) using the key set generated in the previous step and stores the encrypted records in the Key/Value store com.apple.sbd3 (key com.apple.securebackup.record).
  3. The device generates a random password consisting of six groups of four characters (the entropy of such a password is about 124 bits), encrypts the key set generated in step 1 with this password, and stores the encrypted key set in the Key/Value store com.apple.sbd3 (key BackupKeybag).
  4. The device encrypts the random password generated in the previous step with a key derived from the user's iCloud Security Code and escrows the encrypted password with the com.apple.Dataclass.KeychainSync service.

When setting up iCloud Keychain, the user can use a complex or random iCSC instead of the default four-digit code. With a complex code, the escrow mechanism does not change; the only difference is that the key for encrypting the random password is derived not from a four-digit iCSC but from the more complex one entered by the user.

With a random code, the password escrow subsystem is not used at all. In this case the random password generated by the system is the iCSC, and it is the user's task to remember it and store it safely. Keychain entries are still encrypted and stored in the Key/Value store com.apple.sbd3, but the com.apple.Dataclass.KeychainSync service is not used.

Conclusions

We can safely say that from a technical point of view (that is, leaving social engineering aside) and against external threats (that is, anyone other than Apple), the security of the iCloud Keychain escrow service is at a sufficient level: thanks to the SRP protocol, even if the iCloud password is compromised, an attacker will not be able to access Keychain records, since this additionally requires the iCloud Security Code, and brute-forcing this code is significantly hampered.

At the same time, through the other iCloud Keychain mechanism, password synchronization, an attacker who has compromised the iCloud password and has brief physical access to one of the user's devices can completely compromise iCloud Keychain: it is enough to add the attacker's device to the "circle of trust" of the user's devices, and for this it suffices to know the iCloud password and to have short-term access to the user's device in order to confirm the request to add the new device to the "circle".

If we consider protection from internal threats (that is, Apple or anyone with access to Apple's servers), the security of the escrow service looks far less rosy. Apple's claims about the use of HSMs and the inability to read data from them have no conclusive evidence, and the cryptographic protection of the escrow data is tied to the iCloud Security Code, which in the default settings is extremely weak and allows anyone able to retrieve escrow records from Apple's servers (or from the HSM) to recover the four-digit iCloud Security Code almost instantly.

If a complex alphanumeric code is used, this attack becomes harder because the number of possible passwords increases. If iCloud Keychain is configured to use a random code, the escrow service is not involved at all, which effectively eliminates this attack vector.

The maximum level of security (short of turning iCloud Keychain off completely, of course) is achieved with a random code, not so much because such a code is harder to guess, but because the password escrow subsystem is not involved and the attack surface is therefore reduced. The convenience of this option, of course, leaves much to be desired.

With each new version of OS X and iOS, both systems are increasingly integrated with iCloud. This year's trend has been the replacement of popular password managers such as 1Password and LastPass with a solution from Apple. We are talking, of course, about iCloud Keychain. In this article we will discuss initial setup and further use, as well as certain prospects and some pitfalls.

As usual, let's start with the preparatory stage. To get started with iCloud Keychain, we need a computer running the final version, or a mobile device with it on board, or both at once. If there are no problems with this, you can start moving your passwords to the cloud. I think that within the scope of this material there is no point in discussing whether such a step is appropriate. Firstly, it is everyone's personal decision whether or not to trust their passwords, and possibly bank cards, to Apple's cloud service. Secondly, the company itself promises in several warnings that passwords are stored in encrypted form and that no one at Apple has access to them. If you decided to continue, then you took my word for it.

To enable iCloud Keychain on the computer running OS X Mavericks, you need to do the following:

  • Open System Preferences and find the iCloud icon there.
  • Check the box next to Keychain.
  • Next, there are two possible options. If you already use a password when logging into your account on the Mac, you can skip this stage. If not, you can either set such a password or keep your habits and answer "Not now".
  • Now enter your Apple ID password.
  • Then comes the final stage, which is also the most complicated. The system will prompt you to enter a four-digit numeric code to protect your passwords in the cloud. You will need it, for example, if you want to activate iCloud Keychain on another computer or an iOS device. But there are also alternative options, available after clicking the "Advanced" button.
  • Let's look at this point more closely. There are four options in total for protecting passwords in iCloud Keychain. The first is described above and is a four-digit numeric code. The second lets you enter a longer and more complex code, which can consist not only of digits but also of letters and symbols. If you do not trust yourself or cannot come up with anything complex enough, you can request such a code from Apple, which is the third option. Finally, the last option is not to use a security code at all. However, it is not as dangerous as it might seem at first glance.

If you don't use a security code, which normally has to be entered on every device when iCloud Keychain is activated for your account, it simply means that cloud storage of the passwords cannot be enabled. The easiest way to explain the system is with an example. You want to connect your keychain on your iPad; until now you had it activated only on your Mac. No problem. When you enable the feature on the tablet, you enter your Apple ID password, and then confirm adding the new device on your computer by entering the Apple ID password again. It becomes a kind of mutual guarantee: without the participation of a device already connected to the system, a new one cannot be added. In my opinion it is quite safe, and there is no extra password to remember. After all, we use a keychain precisely so that we don't have to remember anything.

Above we described activating iCloud Keychain on a computer running OS X Mavericks. The procedure looks exactly the same on an iOS mobile device, except for a couple of things. The required switch is located at Settings – iCloud – Keychain. If you use iCloud Keychain the fourth way, that is without any security code, the whole process is identical. Otherwise, owners of mobile devices in some countries are in for an unpleasant surprise.

The thing is that iOS 7 requires a phone number to which SMS messages can be sent in order to restore access to your keychain in the cloud. Residents of Russia need not worry: the country is on the list and entering the number is no trouble. Users from Belarus and Ukraine face a different situation: their countries are not on the list and the number cannot be entered. At the moment there is one solution that really solves the problem: activating the keychain from OS X. This is the only way around the inability to enter a number in iOS 7.

So, this completes the activation of iCloud Keychain, and you can get to work. But can Apple's solution compete with the well-known password managers from third-party developers? The keychain reliably remembers logins and passwords for sites, as well as credit card numbers and details, except for the security code, of course. Autofill also works great, but... There is a group of sites that send browsers an insistent request not to save the password, supposedly out of concern for user security. What does this mean for iCloud Keychain users? Safari can be forced to save such passwords via its settings, but a prerequisite is setting a password to access your account on the Mac, or a passcode on the iOS device. Are you ready to do that if you haven't used passwords before? I doubt it.

Next, iCloud Keychain only works in Safari. If you work exclusively within the Apple ecosystem and use the built-in browser, there are no problems: everything works perfectly, the true Apple way. Problems arise with other browsers, because they are not supported in any way yet. One way or another, this is the most convenient solution for iOS, provided you use Safari.

I repeat once more: logins and passwords for sites, credit card information and Wi-Fi passwords, entered once on one device and saved to iCloud, will subsequently be available on all your other devices. You were in a cafe with your iPhone and connected to the Wi-Fi after asking the waiter for the password; the next time you come with a Mac, it connects by itself because it already knows the password. The same applies to certificates. For users who use Apple technology exclusively, iCloud Keychain is an ideal solution. Unfortunately, stepping outside the ecosystem does not bode well. At the same time, the overall picture is somewhat spoiled by Apple's slightly excessive paranoia, forcing users to set device passcodes or link a phone number. But all of this is for the sake of security, which is what we all count on when we trust our passwords and data to cloud storage.

Advanced users of Apple devices are familiar with iCloud Keychain (there are other keychains, for example login and System, available on the Mac), which greatly simplifies working with passwords and other personal data on devices running iOS and macOS. In this material we will talk in detail about setting up the service and also answer frequently asked questions.


What is iCloud Keychain and why is it needed?

iCloud Keychain is a password manager for iPhone, iPod touch, iPad and Mac computers. It stores login credentials for sites entered in the Safari browser, payment card information, and information about Wi-Fi networks from all approved gadgets running iOS 7.0.3, OS X Mavericks 10.9 and newer releases of Apple's operating systems.

In addition, iCloud Keychain on the Mac also stores the account data used in standard applications such as Calendar, Contacts, Mail and Messages. When a user logs into a social network or opens a website on which they are registered, the service automatically adds the account data to all associated devices.

The function is a very convenient tool for owners of several Apple devices.

Does iCloud Keychain work in all countries?

Yes. iCloud Keychain can be set up and used in any country on any compatible device. However, in some countries the service works without the ability to use an iCloud Security Code (more details below).

For example, when setting up the Keychain in Russia, the user can (if necessary) protect personal data with an iCloud Security Code (set up with the help of SMS), thereby storing all of the service's data on Apple's servers (read more about this below).

Note: If you use two-factor authentication, the device is considered trusted when signing in, i.e. an iCloud Security Code is not required.


How to set up iCloud Keychain on Mac, iPhone or iPad?

On iPhone or iPad:

After installing a mobile operating system update, Setup Assistant prompts you to configure iCloud Keychain. If you didn't do it right away, don't worry: the function can be set up at any time convenient for you. To do this:

  • On iOS 10.3 and higher, open Settings, select your name (at the very top) and enter the iCloud section (on devices running an earlier iOS version this section is located at Settings -> iCloud).

  • Go to the section .

  • Activate the switch . Enter your account password and follow the further instructions on the display.

On Mac computers:

  • Open the Apple menu and select System Settings.
  • Select the iCloud section and turn on iCloud Keychain, after which you should enter your Apple ID and password and follow the instructions that appear.

Adding additional devices

If you want to add more devices, iCloud Keychain must be enabled on each of them. When the feature is activated on a new device, every device where it is already configured receives a confirmation request.

For example, when you enable the Keychain on an iPhone, the following message appears on the screen of a Mac signed in with the same Apple ID (iCloud) account:

Click "Continue", after which the iCloud settings open, where you need to enter your Apple ID password and thereby allow the device to use the Keychain.

The reverse also holds: turn on the Keychain on the Mac and the notification arrives on the iPhone.

Once confirmed, the information on the new gadget is updated automatically, provided the device is online.

Note: With two-factor authentication enabled, the feature turns on without receiving confirmation from another device.

To check whether two-factor authentication is enabled on your device:

  • on iPhone or iPad, open the Settings app and go to Apple ID [username] -> Password & Security.
  • on Mac, go to System Settings -> iCloud -> Account -> Security.

Security code when setting up the Keychain: what is it?

Note: If you use two-factor authentication, the iCloud Security Code is not required.

A security code is a set of six digits, or a combination of digits and letters, used to identify the user and access the other functions of iCloud Keychain. For example, if you have lost your device, you can use the code to restore the data stored in it. When an iCloud Security Code is used, all of the service's data is stored on Apple's servers. To receive a security code you must be able to receive SMS on a phone number registered in a country where the service is officially supported.

Accordingly, if you do not use an iCloud Security Code, the Keychain data is stored and synced only between approved devices.

We repeat that the security code allows you to activate iCloud Keychain without needing approval from other devices, but it must be enabled for this. Just turn on the switch as described above and enter the password and the security code that is automatically displayed on trusted gadgets.

How to view passwords for websites in iCloud Keychain on iPhone or iPad

When iCloud Keychain is activated, Apple's own Autofill feature enters the user's credentials into the appropriate fields on websites or in applications. However, some sites do not allow automatic data entry. In such cases you need to copy and paste the username and password manually. This is done as follows:

1. Open the Settings app;

2. Select "Accounts & Passwords";

3. Select "App & Website Passwords" and, if required, complete user verification with Touch ID or Face ID;

4. Select the appropriate entry from the list, or use the search field at the top of the "Passwords" screen to enter the name of the application or website whose credentials you need;

5. Touch and hold the username or password field, then select "Copy";

6. Open the appropriate application or web page, touch and hold the username or password input field, then select "Paste".

7. You can remove credentials using the "Edit" option in the top right corner of the "Passwords" screen. This option can also be used to change the credentials for the corresponding websites.

How to view logins and passwords for sites in iCloud Keychain on Mac

1. Launch the Safari browser.

2. Open the program's settings (Safari -> Settings).

3. Go to the Passwords tab.

4. Enter the administrator password.

5. Select the required site (you can use the search). Next to it you will see the login (Username) and the password.

You can add personal information and bank card data to iCloud Keychain at any time using an iPhone or iPad, after which they become available on all of the user's devices. To do this:

1. Open the Settings app;

2. Select the Safari section;

3. Select "Autofill";

4. To add personal information, select "My Info" and pick your contact from the list. To add card details, tap "Saved Credit Cards" and then select "Add Credit Card".

Can Apple tech support restore the iCloud security code for the Keychain?

Try to remember the code well or write it down in a safe place, because if you forget it, Apple Support will not be able to help you recover it. In addition, remember that the number of incorrect attempts to enter the code is limited, and once the limit is exceeded, access to iCloud Keychain is blocked. In that case you need to contact Apple technical support, and after successful identification of the person, the user is given additional attempts to enter the code. If the wrong combination is entered again, Apple permanently erases the iCloud Keychain from its servers (and, of course, all the personal data in it is lost).

Is it possible to set up iCloud Keychain without a security code (without a phone number that can receive SMS)?

Yes. Setting a security code when configuring the function is completely optional. But in that case your data is not stored on the server, only on the devices themselves. This approach gives the user more control over their data, but it has a significant drawback: Apple will not be able to help recover the iCloud Keychain.

If it turns out that configuring iCloud Keychain via SMS is not available for your country, don't worry, you can still enable the function. To do this, when setting up the service on an iOS device (setup instructions above), do not select "Verify with code" in the "Advanced" menu.

On Mac computers, go to "Advanced options" and select "Don't generate security code".

Let us repeat that in this case the iCloud Keychain is stored only on the device, not on Apple's server, and is updated only on approved gadgets. Complete the setup by following the instructions that appear on the screen.