What if logging in didn't mean juggling passwords and SMS codes? This episode demonstrates how Apple's Passwords app could make passkeys your new security upgrade and what may help protect your digital life.
Host: Mikah Sargent
Download or subscribe to Hands-On Apple at https://twit.tv/shows/hands-on-apple
Want access to the ad-free audio and video and exclusive features? Become a member of Club TWiT today! https://twit.tv/clubtwit
Club TWiT members can discuss this episode and leave feedback in the Club TWiT Discord.
Coming up on Hands-On Apple, we continue our look at the passwords app and the suggestions I have for you therein.
Stay tuned.
This episode is brought to you by OutSystems, a leading AI development platform for the Enterprise.
Organizations all over the world are creating custom apps and AI agents on the OutSystems platform,
and with good reason.
Build, run, and govern apps and agents on one unified platform,
innovate at the speed of AI without compromising quality or control,
trusted by thousands of enterprises worldwide for mission-critical apps.
Teams of any size and technical depth can use OutSystems to build, deploy,
and manage AI apps and agents quickly and effectively without compromising reliability and security.
With OutSystems, you can accelerate ideas from concept to completion.
It's the leading AI development platform that is unified, agile, and enterprise proven,
allowing you to build your agentic future with AI solutions deeply integrated into your architecture.
OutSystems, build your agentic future.
Learn more at outsystems.com/twit.
That's outsystems.com/twit.
Podcasts you love.
From people you trust.
This is TWiT.
Welcome back or welcome to Hands-On Apple.
If this is your first time, go back at least and watch the last episode of the show.
That is the first of the passwords app series that I'm currently doing.
We are taking a look at Apple's built-in passwords app to help you understand how to use the passwords app,
what you need to know about it.
If you were here last time, well, we walked through the passwords app,
what it is, where it came from, how you handle the basics,
and if you did do your homework, well, you already know that you've probably got a lot of passwords.
In fact, you may have gone through and gone as far as to remove some of the junk.
Now that we've got it, you understand it a little bit.
You've cleared things out.
It's time to dig in and take things a step further.
Today we're going to be talking about two-factor authentication, about passkeys,
and even tackling the security alerts that Apple has within the passwords app.
Let's dig in.
First and foremost, here we are on macOS, and we are looking at verification codes first.
Otherwise known as TOTP, these time-based, one-time passwords.
Many of you will know that as 2FA or 2-factor authentication,
but the actual thing of having a code that changes every 30 seconds,
that's usually a six-digit code, is itself called a TOTP, a time-based one-time password.
The way that this works is there's some sort of QR code or code that you copy and paste,
and that will help the algorithm generate a six-digit code that expires after a certain period of time, 30 seconds.
You put that code in and the app knows that the app or the service knows that it's you.
So, when you are creating an account, this is the way to go about it.
And there are a few ways to figure out how to get a QR code added.
The cool thing is, for the most part, your passwords app is going to do a lot of the work for you.
So, on iOS, it can automatically generate these codes. On macOS,
it can also do that, excuse me, and it can also autofill them.
So, what does that look like?
Well, let's head to the passwords app and see what we have here.
For example, we have an account, Amazon, and right now, while it does have a password,
it does not have a two-factor authentication code.
So, what I have done is I have gone to the Amazon site, I have created an account,
and I want to add two-factor authentication.
This will work whatever site or service you're using so long as the site or service has two-factor authentication.
So, I'll head into the login and security section for Amazon.
And depending on the app, you may be able to tap or click Setup Code
and have it provide this information for you and get you to the right place.
So, let's look at this page.
Here we can see two-step verification is an option.
We're going to choose to turn that on, and we can either use our mobile phone number,
which is what we don't want to do, or use an authenticator app.
We want to do the authenticator app.
Now, up pops a QR code, but here's the problem.
We're on macOS.
How do I get that QR code to work with my password app?
Well, if you right-click on the code, you should see an option that says Setup Verification Code.
Clicking on that then pops up the different options that we have here.
We want to choose the Amazon option and choose Add Code.
And then, once that's done, you'll see that there's a code that appears.
It is automatically using that barcode.
And now, I have a little prompt that says, do you want to enter the verification code?
Once I've done that, then it goes through the process and properly displays the code for me.
Now, depending on the site, you may have an attempt or a change to the way that the site is looking at your security.
So, for example, Amazon did send a code to my email to make sure that that was indeed me.
That did properly allow me to set up two-step verification.
So, that is now set up.
And if I were to log out, which I want to do, of this account, we'll head back to macOS.
And I can see that I've got my Amazon account.
All I have to do is put my finger on the touch ID to authenticate.
It automatically types in the username, it puts in the password, and now it asks for the OTP.
And now, I have access to my Amazon account.
So, setting up two-factor codes is very easy to do, and it will automatically fill those for you after you're done.
Now, something important to understand.
If you are moving from another authenticator app to the passwords app,
you may struggle with getting these two-factor authentication codes set up.
So, my recommendation for you is, as you are importing, kind of going step-by-step through the process of making sure that all of your 2FA codes are properly scanned in,
are properly added in, so that you are able to use those.
So, just before deleting all of your codes from a previous app, don't do that.
Save them, get them typed in, make sure they're all there, and then you can go forth.
So, that is two-factor authentication.
We've talked about two-factor authentication for a long time.
It gives you the ability to not only have a password, but if your password were to be guessed,
if they don't have access to that special code that is created, then someone who's trying to access your account is still unable to do so.
But there's actually a more secure method, and those are passkeys.
And yes, the passwords app does support passkeys.
So, let's take a look at how that works.
First and foremost, it's important to understand that a passkey can replace your password entirely.
You don't have to remember a string of characters.
There's nothing to auto-fill, and instead, your device and the website's server create what is called a key pair.
And the server and your device work together to verify one another and make sure that it is indeed you who's accessing the account.
You do have to have authentication through Face ID or Touch ID or a passcode, but outside of that, there's no verification requirement, and people can't steal these passkeys.
Unlike a password, which can be stolen, unlike a six-digit code sent to a phone number, which could be stolen by copying the SIM and being able to access some sort of SIM-jacking attempt.
So, how do we create a passkey?
Well, let's head over to macOS again.
Luckily, Amazon has passkey support, so we'll go up to our account, and we will head back into login and security, and there's another option here.
It says passkey. We choose setup, and we click setup one more time.
This will automatically have the system be notified, letting it know that I'm trying to create a password.
If I tap to authenticate with my finger, it saves that passkey to the passwords app, and now if I open the passwords app, and I look at Amazon,
I can see that not only is the QR code or the two-factor code here, but I also have a passkey that was created today.
Here, you can see a passkey is here, and it gives a little bit more information about it.
Now, if I go up to my account, and I sign out, I can then go back to Amazon.
And I can sign in, I'll put in my username, hit continue, and now it asks, do you just want to sign in with your passkey?
I do so, authenticate with my finger, and I get to skip the password.
I'm back in, no problem.
Now, depending on the site or service, passkeys may look different.
In some places, they work as a second factor of authentication, but many of them are trying to be simply just the way that you log in.
So if you are trying to access this device, then, or your accounts, make sure you know whether you're going to be needing to use a password or a passkey.
If passwords can be disabled in place of passkeys, there's a lot to consider when it comes to using passkeys as a replacement for passwords.
You want to make sure you have iCloud Keychain turned on across devices, because those passwords will sync across devices, which means that when you try to log in on your phone or your iPad, it's also going to work there as well.
So that's a look at the passkeys and two-factor authentication codes or TOTP codes.
There's one last thing that I want to talk about, and that is security recommendations.
So Apple has some different security recommendations that it will give you based on what is going on with your passwords.
So what happens? Well, the app is going to look at your passwords, and it's going to mark them in some different ways.
It may mark them as reused, it may mark them as weak, it may mark them as leaked.
If it marks them as reused, you can guess what that means.
It means that it's shaming you for using the same password on different sites.
So if you use the same password for more than one service, you are making yourself vulnerable
because the weakest of those services, security wise, is the one that will be responsible for you having that password
that you've then used on more sites leaked and available for people to take and make use of.
Passwords marked as weak are passwords that can be guessed by an attacker, either they themselves or through the use of a computer program
which can crack passwords.
And then passwords marked as leaked are only there if you turn on the password monitoring feature.
And what happens is the system will listen for services that provide data on whether your passwords and your information
have been leaked to the web somehow, and then let you know that that's the case.
Now, because this account doesn't have many passwords in it, I currently don't have any security recommendations.
It is likely that you will have at least one.
Follow through that process to understand what you need to do when it comes to fixing these passwords.
So if you have a compromised password, then those have appeared in known data breaches.
It doesn't necessarily mean that your account itself was breached, but the password you're using is shown up and that therefore it's vulnerable.
Reused passwords, obviously: one's breached, they're all breached.
And then weak passwords just way too easy to guess.
Now, I recommend not trying to fix everything in one sitting.
It takes a long time, you might get burned out, so prioritize.
Compromised passwords are incredibly important, particularly if they have anything to do with financial information.
So check throughout the whole thing your security recommendations for any banking, credit cards, investment accounts,
and email because that is one of the ways that people can get your password or access to your other accounts.
They get your email account username and password.
They're in for the, I forgot my password option across sites.
After that, then go with the reused passwords that are on important accounts.
And then those weak passwords that are on low stakes accounts.
So you know, you one time signed into a site needed to create an account.
They can wait, but then you know, clean them up over time.
What's great is that the passwords app does help you.
You can tap on a flagged entry, which will give you a change password button that takes you directly to the site.
You log in, you navigate to the password change screen, then the passwords app is going to suggest a new strong password.
You'll save it, and then it's going to be updated in the passwords app automatically.
So if you are struggling, this will help you get to where you need to get.
And I think it's more of kind of a checklist feature, right?
So here's my recommendation for you.
Check this security category, say once a month, such as a reminder, or perhaps it's every time you open this app.
Think of it like checking your credit score.
It's a quick glance to see if anything new has popped up.
You don't have to regular, you don't have to check it every single day.
But regularly checking in is just a healthy habit.
And then it's important to note that the app does proactively notify you if a saved password shows up in a new breach.
So in that case, you don't have to be checking it to know that that's going on.
So we've taken a look at all of the sort of additional security that you can do for your passwords.
Here is your homework.
Try to set up if you have not yet done so, at least one verification code in the passwords app.
You can pick an account you log into often so that you know, you'll actually experience this autofill workflow.
You'll regularly use it.
It'll also give you that warm fuzzy feeling of knowing that you're protecting your account.
Go ahead and create a passkey on a site that supports it.
If you have a Google account, that's a great place to start.
It's very easy to do.
And Google makes passkeys truly part of the login experience.
And then this is the big one.
Please open that security category, fix two to three flagged passwords.
And of course, start with those most important accounts.
So now, if you've done these things, you have verification codes that are living right alongside your passwords with autofill handling the heavy lifting.
You've seen how passkeys work.
They are being touted as the future of logging in.
We'll see if that continues to be the case.
And you've started chipping away at that list of security alerts.
Next episode, we're covering some of the more advanced features within the passwords app, including shared password groups.
The limitations you should know about and the big question, which is, is that password app enough?
Or do you still need a third-party password manager?
We'll check in on that next time on Hands-On Apple.
But until then, I've been Mikah Sargent.
And I thank you so much for tuning in.
Bye-bye.
If you enjoyed this, well, there's something else you might like.
If you want the big picture on what's happening in tech, subscribe to This Week in Tech.
Leo Laporte and the panel bring you the stories shaping the industry every Sunday.