Just when you thought you knew Windows command lines, Microsoft drops Store CLI—a surprising new tool that could shake up how you discover and install apps in Windows 11. Find out why Paul Thurrott thinks this one's got an AI-fueled twist.
Host: Paul Thurrott
Download or subscribe to Hands-On Windows at https://twit.tv/shows/hands-on-windows
Coming up on Hands-On Apple, we continue our look at the passwords app and the suggestions
I have for you therein. Stay tuned.
This episode is brought to you by OutSystems, a leading AI development platform for the enterprise.
Organizations all over the world are creating custom apps and AI agents on the OutSystems platform
and with good reason. Build, run, and govern apps and agents on one unified platform,
innovate at the speed of AI without compromising quality or control,
trusted by thousands of enterprises worldwide for mission-critical apps.
Teams of any size and technical depth can use OutSystems to build, deploy, and manage AI apps
and agents quickly and effectively without compromising reliability and security.
With OutSystems, you can accelerate ideas from concept to completion.
It's the leading AI development platform that is unified, agile, and enterprise-proven,
allowing you to build your agentic future with AI solutions deeply integrated into your architecture.
OutSystems, build your agentic future. Learn more at OutSystems.com/twit.
That's OutSystems.com/twit.
Podcasts you love. From people you trust.
This is TWiT.
Welcome back or welcome to Hands-On Apple. If this is your first time, go back at least
and watch the last episode of the show. That is the first of the password apps series that I'm
currently doing. We are taking a look at Apple's built-in passwords app to help you understand how
to use the passwords app, what you need to know about it. Now, if you were here last time,
well, we walked through the passwords app, what it is, where it came from, how you handled
the basics, and if you did do your homework, well, you already know that you've probably got a
lot of passwords. In fact, you may have gone through and gone as far as to remove some of the
junk. Now that we've got it, you understand it a little bit. You've cleared things out.
It's time to dig in and take things a step further. So today we're going to be talking about two
factor authentication, about passkeys, and even tackling the security alerts that Apple has within
the passwords app. So let's dig in. First and foremost, here we are on macOS and we are looking
at verification codes first. Otherwise known as TOTP, these time-based one-time passwords.
Many of you will know that as 2FA or 2-factor authentication, but the actual thing of having a
code that changes every 30 seconds, it's usually a 6-digit code, is itself called a TOTP, a time-based
one-time password. The way that this works is there's some sort of QR code or code that you
copy and paste, and that will help the algorithm generate a 6-digit code that expires after a certain
period of time, 30 seconds. You put that code in and the app knows that the app of the service
knows that it's you. So when you are creating an account, this is the way to go about it, and there
are a few ways to figure out how to get a QR code added. The cool thing is, for the most part,
your passwords app is going to do a lot of the work for you. So on iOS, it can automatically
generate these codes, and macOS can also do that. Excuse me, and it can also auto-fill them.
So what does that look like? Well, let's head to the passwords app and see what we have here. For
example, we have an account Amazon, and right now, while it does have a password, it does not have
a 2-factor authentication code. So what I have done is I have gone to the Amazon site, I've created
an account, and I want to add 2-factor authentication. This will work whatever site or service you're
using, so long as the site or service has 2-factor authentication. So I'll head into the login
and security section for Amazon, and depending on the app, you may be able to tap or click set up
code and have it provide this information for you and get you to the right place. So let's look at
this page. Here we can see 2-step verification is an option. We're going to choose to turn that on,
and we can either use our mobile phone number, which is what we don't want to do, or use an
authenticator app. We want to do the authenticator app. Now, up pops a QR code, but here's the problem.
We're on macOS. How do I get that QR code to work with my password app? Well, if you right click
on the code, you should see an option that says set up verification code. Clicking on that,
then pops up the different options that we have here. We want to choose the Amazon option and choose
add code, and then once that's done, you'll see that there's a code that appears. It is automatically
using that barcode, and now I have a little prompt that says, do you want to enter the verification
code? Once I've done that, then it goes through the process and properly displays the code for me.
Now, depending on the site, you may have an attempt or a change to the way that the site is
looking at your security. So, for example, Amazon did send a code to my email to make sure that
that was indeed me, that did properly allow me to set up two-step verification. So,
that is now set up, and if I were to log out, which I want to do, of this account, we'll head back
to macOS, and I can see that I've got my Amazon account. All I have to do is put my finger on the
touch ID to authenticate. It automatically types in the username, it puts in the password,
and now it asks for the OTP, and now I have access to my Amazon account. So, setting up two-factor
codes very easy to do, it will automatically fill those for you after you're done. Now,
something important to understand. If you are moving from another authenticator app to the
passwords app, you may struggle with getting these two-factor authentication codes set up. So,
my recommendation for you is, as you are importing, kind of going step-by-step through the process
of making sure that all of your 2FA codes are properly scanned in, are properly added in,
so that you are able to use those. So, just before deleting all of your codes from a previous app,
don't do that. Save them, get them typed in, make sure they're all there, and then you can go
forth. So, that is two-factor authentication. We've talked about two-factor authentication for a
long time. It gives you the ability to not only have a password, but if your password were to be
guessed, if they don't have access to that special code that is created, then someone who's trying
to access your account is still unable to do so. But there's actually a more secure method,
and those are passkeys. And yes, the passwords app does support passkeys. So, let's take a look
at how that works. First and foremost, it's important to understand that a passkey can replace
your password entirely. You don't have to remember a string of characters, there's nothing to auto-fill,
and instead, your device and the website's server create what is called a key pair. And the server
and your device work together to verify one another and make sure that it is indeed you who's
accessing the account. You do have to have authentication through Face ID or Touch ID or a passcode,
but outside of that, there's no verification requirement, and people can't steal these passkeys
unlike a password, which can be stolen, unlike a six-digit code sent to a phone number, which could
be stolen by copying the SIM and being able to access some sort of SIM-jacking attempt.
So, how do we create a passkey? Well, let's head over to macOS again. Luckily, Amazon has passkey
support, so we'll go up to our account, and we will head back into login and security, and there's
another option here. It says passkey. We choose setup, and we click setup one more time.
This will automatically have the system be notified, letting it know that I'm trying to create a
password. If I tap to authenticate with my finger, it saves that passkey to the passwords app,
and now if I open the passwords app, and I look at Amazon, I can see that not only
is the QR code or the two-factor code here, but I also have a passkey that was created today.
Here you can see a passkey is here, and it gives a little bit more information about it.
Now, if I go up to my account and I sign out, I can then go back to Amazon, whoops,
and I can sign in, I'll put in my username, hit continue, and now it asks, do you just want to
sign in with your passkey? I do so. Authenticate with my finger, and I get to skip the password.
I'm back in, no problem. Now, depending on the site or service, passkeys may look different.
In some places, they work as a second factor of authentication, but many of them are trying
to be simply just the way that you log in. If you are trying to access this device, then
or your accounts, make sure you know whether you're going to be needing to use a password or a
passkey, and if passwords can be disabled in place of passkeys, there's a lot to consider
when it comes to using passkeys as a replacement for passwords. You want to make sure you have
iCloud keychain turned on across devices because those passwords will sync across devices,
which means that when you try to log in on your phone or your iPad, it's also going to work there
as well. That's a look at the passkeys and two-factor authentication codes or TOTP codes.
There's one last thing that I want to talk about, and that is security recommendations.
So Apple has some different security recommendations that it will give you based on what
is going on with your passwords. So what happens? Well, the app is going to look at your passwords,
and it's going to mark them in some different ways. It may mark them as reused, it may mark them as
weak, it may mark them as leaked. If it marks them as reused, you can guess what that means.
It means that it's shaming you for using the same password on different sites. So if you use
the same password for more than one service, you are making yourself vulnerable because the weakest
of those services, security wise, is the one that will be responsible for you having that password
that you've then used on more sites leaked and available for people to take and make use of.
Passwords marked as weak are passwords that can be guessed by an attacker, either they themselves
or through the use of a computer program, which can crack passwords. And then passwords marked
as leaked are only there if you turn on the password monitoring feature. And what happens is
the system will listen for services that provide data on whether your passwords
and your information have been leaked to the web somehow, and then let you know that that's the case.
Now because this account doesn't have many passwords in it, I currently don't have any security
recommendations. It is likely that you will have at least one. Follow through that process to understand
what you need to do when it comes to fixing these passwords. So if you have a compromised password,
then those have appeared in known data breaches. It doesn't necessarily mean that your account itself
was breached, but the password you're using has shown up, and that therefore it's vulnerable.
Reused passwords, obviously, once breached, they're all breached, and then weak passwords,
just way too easy to guess. Now, I recommend not trying to fix everything in one sitting. It is,
it takes a long time. You might get burned out. So prioritize compromised passwords are
incredibly important, particularly if they have anything to do with financial information. So check
throughout the whole thing, your security recommendations for any banking, credit cards,
investment accounts, and email because that is one of the ways that people can get your password
or access to your other accounts. They get your email account, username and password. They're in
for the, I forgot my password option across sites. After that, then go with the reused passwords
that are on important accounts, and then those weak passwords that are on low-stakes accounts,
so you know, you one time signed into a site and needed to create an account. They can wait,
but then, you know, clean them up over time. What's great is that the password app does help you.
You can tap on a flagged entry, which will give you a change password button that takes you
directly to the site. You log in, you navigate to the password change screen, then the password
app is going to suggest a new strong password. You'll save it, and then it's going to be updated
in the passwords app automatically. So if you are struggling, this will help you get to where
you need to get, and I think it's more of kind of a checklist feature, right? So here's my
recommendation for you. Check this security category, say once a month, such as a reminder,
or perhaps it's every time you open this app. Think of it like checking your credit score. It's
a quick glance to see if anything new has popped up. You don't have to regular, you don't have to
check it every single day, but regularly checking in is just a healthy habit. And then it's important
to note that the app does proactively notify you if a saved password shows up in a new breach.
So in that case, you don't have to be checking it to know that that's going on.
So we've taken a look at all of the sort of additional security that you can do for your passwords.
Here is your homework. Try to set up if you have not yet done so, at least one verification code
in the Passwords app. You can pick an account you log into often so that you'll actually experience
this auto-fill workflow. You'll regularly use it. It'll also give you that warm fuzzy feeling of
knowing that you're protecting your account. Go ahead and create a passkey on a site that supports it.
If you have a Google account, that's a great place to start. It's very easy to do, and Google makes
passkeys truly part of the login experience. And then this is the big one. Please open that
security category. Fix two to three flagged passwords. And of course, start with those most
important accounts. So now, if you've done these things, you have verification codes that are living
right alongside your passwords with auto-fill handling the heavy lifting. You've seen how passkeys work.
They are being touted as the future of logging in. We'll see if that continues to be the case.
And you've started chipping away at that list of security alerts. Next episode, we're covering
some of the more advanced features within the passwords app, including shared password groups.
The limitations you should know about and the big question, which is, is that password app enough?
Or do you still need a third-party password manager? We'll check in on that next time on Hands-On
Apple. But until then, I've been Micah Sargent, and I thank you so much for tuning in. Bye-bye.
If you enjoyed this, well, there's something else you might like. If you want the big picture on
what's happening in tech, subscribe to This Week in Tech. Leo Laporte on the panel
bringing you the stories shaping the industry every Sunday.