iCloud Keychain, a feature available in macOS and iOS (sorry, Windows users), enables you to sync a keychain—which may contain passwords, credit card numbers, and other sensitive data—across your Apple devices securely via the cloud.
One big benefit of iCloud Keychain is that Safari and other apps on your iOS device can autofill usernames and passwords that you stored in a keychain on your Mac (and vice versa). Another benefit is that once you enter a Wi-Fi password on one device, it syncs to all your other devices, so you don’t have to reenter it numerous times.
iCloud Keychain includes several other capabilities:
A strong password generator built into Safari
The capability to store and enter credit card information (except the CVV number) in web forms
Support for multiple sets of credentials per site
A way to view and remove passwords within Safari
In addition, if iCloud Keychain is turned on, your iMessage and SMS data can sync among all your devices (see Sync Messages), and the following items sync automatically amongst your other Macs (but not, alas, iOS devices):
Settings for the accounts listed in the Internet Accounts system preference pane, such as email accounts and, for systems prior to 10.14 Mojave, Twitter, Google, Facebook, and LinkedIn
Signatures you scanned or wrote in Preview (see Take Control of Preview, by Josh Centers and Adam Engst), or using the Markup feature of Mail
iCloud Keychain is a useful tool—especially for people who use Apple devices exclusively, and who use only Safari on macOS. Some third-party password managers, including my favorite, 1Password, offer additional features such as greater flexibility in password creation, support for web browsers other than Safari as well as non-Apple operating systems, auto entry of CVV numbers, shared vaults, and storage of other types of information (for example, software licenses). But even if you use a third-party password manager, you may still find iCloud Keychain useful for things like Wi-Fi passwords and certain other applications.
iCloud Keychain isn’t very useful if you set it up on only one device; since syncing passwords is the main point of the feature, you’ll want to enable it on each of your Macs and iOS devices. Unlike most iCloud features, you can’t simply flip a switch and turn it on. The initial setup process is considerably more involved. In addition, the steps you follow with whichever device you set up first will be different from the steps for setting up all subsequent devices.
If you’ve already set up your first device to use iCloud Keychain, skip ahead to Approve Additional Devices; if all your devices are already set up, move right on to Use iCloud Keychain in Safari. Otherwise, start here.
When you set up your first device to use iCloud Keychain, you’ll also be prompted to perform a one-time procedure to choose a security code, which can be used to approve additional devices. (There are other ways to approve additional devices, too, as we’ll see.)
I suggest setting up a Mac before your iOS device(s). I say this because when you first set up iCloud Keychain, it copies most of the contents of your existing login keychain to the new iCloud keychain. Because your Mac almost certainly has more items in its login keychain than your iOS device does, your new iCloud keychain will be more useful, more quickly.
(If you have more than one Mac, start with the one whose login keychain has more items—you can check this easily by opening Keychain Access, in /Applications/Utilities, on each Mac.)
Optional but recommended: Go to System Preferences > Security & Privacy > General. Make sure the first checkbox (Require Password ___ after Sleep or Screen Saver Begins) is selected, and choose a time period from the pop-up menu to fill in the blank. You can skip this step, but if you do, the iCloud preference pane will complain about it later—and for good reason, because if your Mac is unlocked, someone else can access all your iCloud Keychain passwords.
Go to System Preferences > iCloud. If you haven’t previously signed in to your iCloud account, do so now.
Select the Keychain checkbox.
When prompted, enter your Apple ID password and click OK.
Since this is the first of your devices on which you’re setting up iCloud Keychain, you’re prompted to create an iCloud Security Code, which you can use later, with your password, to set up other devices.
You can either enter a 6-digit numeric code or, for greater security, click Advanced and select one of the following:
Use a Complex Security Code: Enter a random password, a phrase, or another arbitrary code that you devise yourself or with the help of a third-party password generator.
Get a Random Security Code: Have Apple generate a long, random string for you, in the format XXXX-XXXX-XXXX-XXXX-XXXX-XXXX, where each X is a digit or uppercase letter.
Don’t Create Security Code: Skip this step, with the consequence that when you set up iCloud Keychain on another device, you’ll have to approve it from a different device. (For example, you can use Mac A to approve a request from Mac B, as long as both are running Mavericks or later and signed in to your iCloud account.) See the Note just ahead for more details.
After entering the code in whichever form or opting out, click Next. Re-enter your code if prompted and click Next again. Then, assuming that you didn’t skip setting up an iCloud Security Code, enter a mobile phone number, which can be used as a secondary means of verifying your identity via an SMS message, and click Done.
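To put numbers on “for greater security,” here is an added example (not Apple’s code and not from the original text) that compares the guessing space of a 6-digit code with a code in the random format described above. It assumes every X is chosen uniformly from the 36 digits and uppercase letters; the function names are hypothetical, and Apple’s real generator may use a different alphabet.

```python
import math
import re
import secrets
import string

# Alphabet as the text describes it: digits and uppercase letters.
# Assumption: all 36 symbols are equally likely in every position.
ALPHABET = string.digits + string.ascii_uppercase
GROUPS, GROUP_LEN = 6, 4  # XXXX-XXXX-XXXX-XXXX-XXXX-XXXX

RANDOM_CODE_RE = re.compile(r"[0-9A-Z]{4}(?:-[0-9A-Z]{4}){5}")
SIX_DIGIT_RE = re.compile(r"[0-9]{6}")


def random_security_code() -> str:
    """Build a code in the described format using the OS CSPRNG."""
    return "-".join(
        "".join(secrets.choice(ALPHABET) for _ in range(GROUP_LEN))
        for _ in range(GROUPS)
    )


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct codes an attacker would have to consider."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random code, in bits."""
    return length * math.log2(alphabet_size)


def classify(code: str):
    """Return (kind, bits). Bits is None for a self-devised code, because
    the strength of a human-chosen phrase cannot be read off its shape."""
    if SIX_DIGIT_RE.fullmatch(code):
        return "six-digit", entropy_bits(10, 6)
    if RANDOM_CODE_RE.fullmatch(code):
        # Hyphens are fixed separators and add nothing to the count.
        return "random-format", entropy_bits(len(ALPHABET), GROUPS * GROUP_LEN)
    return "complex", None


if __name__ == "__main__":
    samples = ["123456", random_security_code(), "a phrase I made up"]
    for sample in samples:  # constructed sample inputs
        kind, bits = classify(sample)
        shown = "unknown" if bits is None else f"{bits:.2f} bits"
        print(f"{kind:14} {shown}")
```

A 6-digit code has only a million possibilities, so its protection depends on the service limiting the number of guesses; a random code in the long format does not depend on that limit.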
macOS copies most of the items from your login keychain (Wi-Fi network passwords, application passwords, internet passwords, and web form passwords) to a new keychain called iCloud, and that’s what syncs. You can edit this keychain—with either Keychain Access (found in /Applications/Utilities) or Safari (choose Safari > Preferences and click Passwords)—but bear in mind that it’s a separate entity from your login keychain, so changes in one keychain won’t affect the other.
Tap Settings > Your Name > iCloud > Keychain, and tap the switch next to iCloud Keychain to turn it on.
When prompted, enter your Apple ID password and tap OK.
Follow the prompts (similar to those from step 5 in the instructions for setting up a Mac, just previously) to pick an iCloud Security Code—or skip it, if you prefer.
Your iOS device creates a new keychain called iCloud, containing any keychain information (such as Wi-Fi passwords or passwords saved from Safari) that was stored on the device.
After you’ve set up your first device and optionally set up an iCloud Security Code, you can set up your remaining devices. Begin by enabling Keychain in System Preferences > iCloud (Mac) or in Settings > iCloud (iOS), just as you did when you set up your first device. If you Use Two-Factor Authentication, you don’t have to jump through any extra hoops; just check the box or flip the switch to enable iCloud Keychain on your other devices.
However, if you don’t use two-factor authentication, you must now approve each additional device in one of two ways:
Use Your iCloud Security Code: If you choose this option (phrased as “Use Code” in iOS), you’ll be prompted to enter your iCloud Security Code—and, in some cases, you may be required to enter a verification number sent to your mobile phone via SMS.
Approve from Other Device: If you choose this option (phrased as “Request Approval” in iOS), iCloud sends a request to all your other devices using iCloud Keychain with the same Apple ID. On each of those devices, a notification (Figure 18) appears; clicking View in the notification on a Mac takes you to System Preferences > iCloud.
On the iCloud pane, click the Options button next to Keychain and then click Details next to the approval request. In the dialog that appears (Figure 19), enter your Apple ID password and click Allow. Or, on an iOS device, enter your Apple ID password when prompted and tap Allow.
Then, and only then, will your iCloud Keychain begin syncing.
When it was first introduced, and for several years afterward, iCloud Keychain worked only in Safari. Starting in iOS 11, Apple made it possible for other apps to use iCloud Keychain (see Use iCloud Keychain in Other Apps), but we’ll begin with Safari because that’s where you’re likely to use it the most. The behavior is similar in macOS and iOS.
Make sure Safari is set up to use all of iCloud Keychain’s features:
Mac: Go to Safari > Preferences > AutoFill and make sure the checkboxes are selected for each type of data you want to autofill—the two options relevant to iCloud Keychain are “User names and passwords” and “Credit cards.” Then click Passwords at the top and, if the screen says “Safari passwords are locked,” fill in the password for your macOS user account and press Return.
iOS: First tap Settings > Passwords & Accounts > AutoFill Passwords, and make sure AutoFill Passwords is turned on and iCloud Keychain is selected. Then go to Settings > Safari > AutoFill, and turn on the Credit Cards switch.
After you load a login page for which you’ve already stored credentials in your iCloud Keychain, you can do any of the following to fill your credentials:
Choose Edit > AutoFill Form (Mac)
Press ⌘-Shift-A (Mac)
Click or tap in the Username or Password field and then:
Click the credentials you want to use on the pop-up menu that appears (Mac)
Tap the credentials you want to use on the QuickType bar (iOS)
Safari fills in the username and password fields for you—all you need to do then is click or tap the Login (or equivalent) button.
On a Mac, if you’ve stored more than one set of credentials for a site—for example, if you have two different accounts for Google or Twitter—first delete the credentials Safari has autofilled, if any. You can then click in the username field to display a pop-up menu (Figure 20) with your logins; choose the one you want to fill in your credentials.
On an iOS device with iOS 11 or later, websites for which you have multiple sets of credentials show two options on the QuickType bar (Figure 21); tap one of these to fill in both the username and password fields. To use a different set of credentials, tap the key icon on the QuickType bar or the word Passwords to display a popover with all available credentials for that site.
If Safari autofills a set of credentials and it’s not what you want, delete them and try clicking or tapping the username field again. If they still don’t appear (for example, because the domain names don’t match exactly), do the following:
Mac: Click Other Passwords. In the dialog that appears, locate the account you want (manually or using the Search field). Select it and click Fill.
iOS: Tap the key icon on the QuickType bar or the word Passwords and then tap Other Passwords in the popover that appears. Type your passcode or use Touch ID or Face ID when prompted, then locate the account you want (manually or using the Search field) and tap it.
Some websites deliberately block browsers and password managers from saving passwords you enter there, in a misguided attempt at greater security. Safari can either accept or attempt to bypass any site’s restrictions, but unfortunately, you can’t control that behavior.
If you arrive at a login page for which iCloud Keychain does not yet contain your credentials, enter them manually (or with your third-party password manager) and log in. Safari should then display a prompt asking if you want to save the password in your iCloud Keychain. Click or tap Save Password to store your credentials for that site.
If you already have credentials stored for the site and you want to store an additional username/password combination, first delete the credentials Safari has autofilled. Then enter the new credentials, log in, and click or tap Save Password when prompted.
When you’re asked to register on a website and create a new password, iCloud Keychain can generate one for you and store it automatically. Follow these steps:
Make sure the Password field is completely empty.
Click or tap in the field. The next steps vary by platform.
On a Mac:
Click the key icon and choose Suggest New Password from the pop-up menu.
Safari fills in a suggested password (highlighted in yellow), but displays only the first few characters, along with the label “Strong Password.” A popover with additional details may appear on its own; if not, click the field to display it (Figure 22).
To use Safari’s suggested password (without even seeing the whole thing), click Use Strong Password; to fill in your own password (perhaps using a third-party password generator) instead, click Don’t Use.
On an iOS device:
Tap the key icon on the QuickType bar or the word Passwords, and then tap Suggest New Password.
Safari displays a suggested password in a popover. To use it, tap Use Suggested Password; to fill in your own password (perhaps using a third-party password generator) instead, tap Cancel. If you’ve tapped Use Suggested Password, Safari fills it in.
Fill in any remaining fields (such as Username) and submit the form.
When you submit the form, Safari saves your credentials for the site without any additional steps.
Credit cards work much like passwords—if you type or paste a credit card number into a blank field (along with its expiration date) and submit the form, Safari prompts you to save the credit card number in your iCloud Keychain. (Remember, it doesn’t save or store the CVV number from the back of your credit card.)
When it’s time to fill in a stored credit card number, click or tap in the Credit Card Number field and choose the desired credit card from the pop-up menu—or from the QuickType bar in iOS. If you have more than one credit card stored, Safari displays a pop-up menu from which you can choose the one you want to use—just as when filling in your username and password on a site for which you have multiple sets of credentials.
Starting in iOS 11, third-party apps can also access items in your iCloud Keychain. To use this feature in an app, go to the Sign In (or similar) screen. Tap in the username or password field. If iOS can identify which of the credentials in your keychain goes with the app in question, it displays them on the QuickType bar (Figure 23); tap your credentials to fill them in, and then tap Log In (or an equivalent button). If iOS can’t find your credentials, or if the ones it displays are the wrong ones, tap the key icon on the QuickType bar or the word Passwords, and then tap your credentials in the list that appears.
To see what’s in your iCloud Keychain without entering it in a form, or to edit or delete anything from your keychain, you have a few options:
In Safari for Mac, choose Safari > Preferences and click Passwords. If prompted, enter your user account password and press Return. You can then browse or search your web login items. Select an entry to see the password. To remove an item, select it and click Remove. To add a new item, click Add, fill in the fields, and press Return.
In iOS, tap Settings > Passwords & Accounts > Website & App Passwords and enter your passcode (or use Touch ID or Face ID). For credit cards, tap Settings > Safari > Autofill > Saved Credit Cards and then enter your passcode (or use Touch ID or Face ID). You can swipe left on a keychain entry to delete it.
You can also view or edit your passwords in Keychain Access (found in /Applications/Utilities) by selecting iCloud in the list of keychains in the upper-left corner of the window. (If you don’t see the list of keychains, choose View > Show Keychains.) Keychain Access can also store and display secure notes in your iCloud Keychain, but those are visible only on a Mac, not on an iOS device. Unfortunately, Apple hasn’t improved the awful interface that Keychain Access has had from day one, so I suggest avoiding it if you can.
What if you already use 1Password, LastPass, or another password manager? Does iCloud Keychain replace it?
In a word, no. iCloud Keychain is great for what it does—especially the way it handles Wi-Fi passwords so seamlessly—but third-party managers offer additional features.
For example:
If you need to sync passwords with Windows, Android, or Linux—or with Macs running versions of Mac OS X earlier than Mavericks, or pre-iOS 7 devices—iCloud Keychain won’t help you, but numerous third-party password managers can.
Likewise, iCloud Keychain is currently unavailable in Mac browsers other than Safari, so unless or until such support exists, you’ll need something else if you want to use a different browser.
When iCloud Keychain generates passwords, they’re always exactly 20 characters long, with the form XXXXX-XXXXX-XXXXX, where each X is an alphanumeric character. If you want the greater security that comes from a longer or more complex password, a third-party password manager offers more options.
iCloud Keychain doesn’t store or fill the CVV numbers on your credit cards, but most third-party password managers can.
Some password managers, such as 1Password, can store additional types of secure information, including software licenses and even arbitrary documents, in a safely encrypted form. If you need to store more types of information than iCloud Keychain can handle, another app may suit your needs better.
iCloud Keychain offers no way to securely share certain passwords with other people (for example, coworkers or family members), whereas a number of third-party password managers do.
In iOS 12, Apple made it possible for third-party password managers to fill in your credentials in most of the same places that iCloud Keychain can. As a result, it’s now much easier than before to rely on an app like 1Password or LastPass (almost) exclusively. I spell out the details in my TidBITS article Inside iOS 12: Use Third-Party Password Managers to Simplify Logins.
It is nevertheless possible to have both iCloud Keychain and another password manager enabled at the same time. You should, however, be aware of a few issues:
When credentials for a given site are stored both in iCloud Keychain and in another password manager, it’s easy to get confused as to which tool you’re using when filling forms, and you’ll have to put up with extra visual clutter, too.
Because Apple strictly limits access to Keychain data, there’s no easy way to import existing keychain entries into a third-party password manager or vice versa.
Although iCloud Keychain syncs among your devices—and another app may also sync its passwords among devices—iCloud Keychain won’t sync with any third-party password managers. So, for example, if you change a password in 1Password, you’ll have to change it again in iCloud Keychain.