Mac and iOS Keychain Tutorial: How Apple’s iCloud Keychain Works

Posted on November 23rd, 2021 by

You use passwords to log into websites and services, and since there are so many of them, it’s hard to remember them. It’s a bad idea to use the same password for different websites, because if one site is compromised, hackers will have an email address and password that they can try on other sites. Because of this, you need to ensure that your passwords are different for every website and app, and that they are hard to crack. (An episode of the Intego Mac Podcast talks about password strategies.)

Your Macs and iOS devices have a “keychain,” which is an encrypted file that stores your logins, passwords, and some other information. This file syncs via iCloud, so you can use the same passwords on all your devices. Here’s how Apple’s iCloud keychain works.

Accessing Passwords on Mac

There are three ways you can access passwords on your Mac. The Keychain Access app has been around on the Mac since the launch of Mac OS X. It provides access to your encrypted passwords, as well as other items such as certificates that ensure the security of websites and services. It stores passwords not just for the Safari web browser, but also for applications that store passwords to access websites or services. When you sign into apps like Twitter, Slack, or Skype, the passwords you use are stored in your keychain, and you can view and edit them in Keychain Access.

Safari allows you to access passwords in its Preferences. A Passwords tab lets you view and edit passwords for websites you can access in the browser; you need to enter the password of your user account – or use Touch ID – to view these passwords. You can view and edit these passwords, and Safari can flag compromised passwords – user name and password combinations that have been found in data breaches – and alert you to reused passwords. You can also enter codes to set up two-factor authentication, and when you sign into a website that requires 2FA, Safari can automatically fill the code (see below to find out how to set up 2FA for your logins).

Finally, since macOS Monterey, you can also access passwords in the Passwords tab of System Preferences. This is essentially the same as what you see in Safari: you can view and edit passwords, see compromised and reused passwords, and configure two-factor authentication for websites. As with Safari, you need to authenticate to access these passwords.

The Keychain Access App on macOS

The Keychain Access app is a graphical user interface for a set of encrypted files on your Mac. When the Safari web browser saves a password, or when you sign into a service via an app, that password is stored in the keychain, and you can view and edit data in the keychain in Keychain Access.

The Keychain Access app on your Mac lets you manage these passwords and other information, but you may go for years without ever seeing it. You may never need it, in fact, but you can use it if you need to find a password.

The Keychain Access app is located in the Utilities folder in your Applications folder. If you launch it, you’ll see a number of items in the sidebar: different keychains, such as Login, and, if you have the iCloud Keychain active (see below), you’ll see an entry for that. You’ll also see System, which contains some passwords used by the operating system, such as for Wi-Fi networks, and System Roots, which are important certificates that macOS uses.

If you click on one of these, such as the login keychain, you’ll see a number of tabs at the top of the window: All Items, Passwords, Secure Notes, My Certificates, Keys, and Certificates.

  • Passwords include login/password combinations for websites and some apps, Wi-Fi passwords, as well as credit cards stored by Safari.
  • Secure Notes are encrypted files you can create within your keychain with sensitive data. This is a great place to store things like credit card numbers, bank account information, and more. However, you can only access them on your Mac; they don’t sync to iOS devices.
  • Certificates and Keys are data used to ensure encrypted communication with websites and services. You will probably never need to look at these.

The main reason to visit the Keychain Access app is if you’ve forgotten a password. Search for it using the Search field, then double-click your result to view the password. You’ll need to authenticate with your user name and password.

Note that your login keychain, which is the default, is unlocked as soon as you log into your Mac. You can increase security by creating a non-login keychain; all this requires is an additional password when you start up or log into your Mac.

Apple’s iCloud Keychain

Apple added the iCloud Keychain to enable this data to sync, via iCloud, to all your devices. You activate this in the iCloud settings on your Mac or iOS device. This syncs all your passwords to the cloud — they are encrypted, so this is secure — so when you log into a new website on your iPhone, for example, you’ll be able to automatically use that login and password on your Mac. When you sync the iCloud Keychain, you can access your website passwords in Safari and in System Preferences, as mentioned above.

It’s easy to use the iCloud keychain. When you visit a website and encounter a login form, Safari on the Mac or on iOS, and some apps, will pre-fill the form if it has a password stored for that site or service. In some cases, you may have multiple login/password combinations for a site, and you’ll see options for what’s available. And if none of these options are correct, which may happen if a website has changed its domain, for example, click or tap Passwords to search all the saved passwords.

However, you won’t be able to view application passwords unless you use Keychain Access on another Mac that is syncing your iCloud Keychain. This can be a problem if you sign up for a service in an app, but later want to access the service in a web browser; you may find that you have to request a password reset to be able to continue.

Accessing Passwords on iOS

iOS does not have a Keychain Access app; instead, you can view passwords in the Settings app. Go to Settings > Passwords, and you’ll see a long list of websites. Tap one of them to see its user name and password. If you tap either a user name or password, you’ll see a pop-up menu allowing you to copy that item, or to AirDrop it to someone else. If you tap the share button at the top of the screen, you can AirDrop both the user name and password to a friend or family member. This is useful if you’ve changed your Netflix password, for example, or for websites where you share login credentials.

The Passwords settings on iOS include a security feature that can help ensure that your passwords are secure. In Security Recommendations, you may see an alert if you’re using the same password on multiple websites, or if your user name, email, and password were found in a data breach. Tap it to see a list of logins you should change; tap Change Password on Website to go to the website in question to update the password.

On macOS, you can see a similar feature in Safari, and in the Passwords pane of System Preferences. At the top of the passwords list, you’ll see Security Recommendations. If you click any login in this section, Safari shows passwords that are reused or “easily guessed,” and you can click a link to change them.

Setting Up Two-Factor Authentication on Mac or iOS

Two-factor authentication or 2FA is a way to protect your accounts; in addition to having to enter your user name and password, you have to also enter a one-time code that is generally valid for a short period of time to access a website or service. You should use two-factor authentication whenever possible, and, until the release of macOS Monterey and iOS 15, you couldn’t do this with Apple’s password management tool.

Many services provide 2FA codes, also known as one-time passwords or OTP, via text message, and sometimes by email, but these methods of transmitting codes aren’t secure. Also, there may be times when you cannot access text messages or emails. The safest way to work with 2FA is to use your device to generate codes.

To set up 2FA for a login, find the website or service in your passwords – this works in all the password interfaces shown above for your iCloud Keychain, with the exception of the Keychain Access app – then click Edit. You’ll see a dialog like this on Mac:

On Mac, click Enter Setup Key, or on iOS, tap Set Up Verification Code.

Go to the website or service and find how to turn on two-factor authentication; this is usually in the site’s Security settings. You’ll generally get one or two options: an alphanumeric code and/or a QR code. If you’re on an iOS device, you have the option to scan a QR code, which you could do if you obtain the code on a computer which is in front of you. Otherwise, the easiest way is to just copy the setup key from the website then paste it into the dialog.

Click or tap OK, then the 2FA code will be saved. In the future, when you visit that website, your iCloud Keychain will enter your user name and password, then, when a code is requested, it will auto-fill that field with a code generated on the fly.
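To show what the setup key is and how a code can be generated on the fly from it, here is an added example (not from the original article and not Apple's code) that assumes the site issues a standard time-based one-time password secret as defined in RFC 6238, which is what setup keys and QR codes of this kind normally carry. The function names parse_setup and totp and the sample key and URI are constructed for illustration; the secret is the published RFC 6238 test secret.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import urlparse, parse_qs


def parse_setup(value):
    """Accept a bare setup key or an otpauth:// URI (what the QR code encodes)."""
    params = {"digits": 6, "period": 30, "algorithm": "SHA1"}
    if value.lower().startswith("otpauth://"):
        uri = urlparse(value)
        if uri.netloc.lower() != "totp":
            raise ValueError("only time-based codes (totp) are handled here")
        query = parse_qs(uri.query)
        if "secret" not in query:
            raise ValueError("URI has no secret parameter")
        value = query["secret"][0]
        params["digits"] = int(query.get("digits", ["6"])[0])
        params["period"] = int(query.get("period", ["30"])[0])
        params["algorithm"] = query.get("algorithm", ["SHA1"])[0].upper()
    # Sites often show the key in lower case, in groups separated by spaces.
    key = value.replace(" ", "").replace("-", "").upper()
    key += "=" * (-len(key) % 8)          # restore stripped base32 padding
    params["secret"] = base64.b32decode(key)
    return params


def totp(secret, unix_time, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238: HOTP (RFC 4226) over the number of elapsed time steps."""
    if algorithm not in ("SHA1", "SHA256", "SHA512"):
        raise ValueError("unsupported algorithm")
    counter = struct.pack(">Q", int(unix_time) // period)
    mac = hmac.new(secret, counter, getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


# Constructed sample: the RFC 6238 test secret "12345678901234567890", base32-encoded
# the way a site would display it, and the same secret inside an otpauth:// URI.
SETUP_KEY = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"
QR_URI = ("otpauth://totp/Example:alice%40example.com"
          "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")

if __name__ == "__main__":
    cfg = parse_setup(SETUP_KEY)
    print(totp(cfg["secret"], time.time(), cfg["digits"], cfg["period"], cfg["algorithm"]))
```

The setup key is a long-lived shared secret: anyone who obtains it can generate valid codes, so it deserves the same protection as the password itself.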

The macOS and iOS keychains are great tools that save time and help keep you secure. Since you don’t need to remember your passwords, you can make them even more secure, so be sure to use Apple’s iCloud keychain to stay safe!

How can I learn more?

See also our article on other popular password managers:

How to Choose the Right Password Manager for You

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

We discussed the iCloud keychain and more in episode 22 of the Intego Mac Podcast.

About Kirk McElhearn

Kirk McElhearn writes about Apple products and more on his blog Kirkville. He is co-host of the Intego Mac Podcast, as well as several other podcasts, and is a regular contributor to The Mac Security Blog, TidBITS, and several other websites and publications. Kirk has written more than two dozen books, including Take Control books about Apple's media apps, Scrivener, and LaunchBar. Follow him on Twitter at @mcelhearn.