profile 1

What types of passwords, tokens and keys can Apple manage for you?


With the January 2023 addition of support in its current operating systems for hardware security keys to protect your Apple ID, Apple has expanded to four the number of secret types it can generate, support, or manage for you.

This can get confusing. A colleague only recently discovered that Apple supports tracking codes directly in Safari when asked by their operating system to use Apple’s system when updating account security on a website.

As of March 2023, here are the secrets Apple can work with for you:

Passwords: Apple’s built-in password management system can be accessed via Settings > Passwords in iOS/iPadOS and via System Preferences > Passwords (Montery), System settings > Passwords (Venture), or Safari > Preferences > Passwords (different versions). Apple lets you generate, store, and recover passwords in Safari and apps that use the WebKit view. You can also use the Password interface to manually create password entries, add notes, and copy stored passwords and account IDs.
Second factor codes: Apple calls this type of second factor authentication (2FA) token a verification code. More technically, they are a time-based one-time password (TOTP). When you sign up for 2FA on a website, you’re often given the option of an authentication or verification code. (See this column for details on using this approach.) Apple added this option in iOS 15, iPadOS 15, and Safari 15 for macOS (Monterey and later).
Access keys: A new, industry-wide approach to security, called a passkey, has a more complicated foundation than a password and second-factor passcode, but is more secure and reliable. (I explained it in full in this column.) You don’t enter a password but you confirm a passkey with Touch ID, Face ID, or a device passcode or macOS account password. Apple has added passkey support to iOS 16, iPadOS 16, and macOS 13 Ventura, although a working preview form appeared in the previous version of each. You sign up for a website to use passkeys, just like two-factor authentication. A unique set of encryption information is created for each login, preventing hijacking and impersonation. Few sites support them yet, but with Google and Microsoft on board as well, they are expected to increase significantly in 2023.
Hardware security keys for web accesses: Dating back a few years, an industry consortium (the one behind passkeys as well) created a standard for hardware security keys:such as those made by Yubico– which can connect to a mobile device, desktop or laptop via USB, Lightning or NFC. The dongle manages the login process. This hardware approach, called WebAuthn, has essentially evolved into a passkey, though both forms have their uses. When some websites ask you to enter a hardware key, Apple also offers the option to use a passkey. The big difference? Passkeys are synced between your devices; a hardware security key is a physical item.
Hardware security keys for Apple IDs: Apple has improved Apple ID logins by allowing you to use hardware security keys starting in January 2023, although this requires you to update with all the latest versions of its operating systems (iOS, iPadOS, macOS, tvOS, watchOS and the HomePod’s operating system) to avoid being locked out. Apple requires the registration of two security keys for added security in case one is lost or damaged.

Seen another way:

A password it’s something you can remember or have a password manager compile for you, like Apple’s built-in support. A second factor authentication code OR passkey it requires you to have one of your devices handy and use it to log in directly or approve a login on some other piece of hardware you’re using. A hardware security key it requires that you have the key in hand and need to insert it into a device you’re using to log in, such as setting up a new iPhone.

This Mac 911 article is in response to a question submitted by Macworld reader Brett.

Ask Mac 911

We’ve compiled a list of the questions we get asked most frequently, along with answers and column links: read our super FAQ to see if your question is covered. If not, we’re always looking for new problems to solve! Send yours to [email protected], including screenshots if applicable, and whether you want your full name to be used. Not all questions will be answered, we do not respond to emails and cannot provide direct troubleshooting advice.