The Secrets App Makes a Good iCloud Passwords Companion and Is Free Today Thanks to Indie App Santa
If you, like me, are considering a switch from 1Password to iCloud Passwords & Keychain, you should definitely check out Indie App Santa right now. Today’s deal (Friday, December 29) is a FREE $80 (see update below) one-time lifetime unlock for the Secrets app. The skinny: Its feature set, which includes shared vaults, usually goes for around $100. Today’s discounted unlock works across iPhone, iPad, and Mac, plus it’s available to the other members of your Family Sharing group, so only one of you needs to go get it and do the in-app “purchase” right now.
You might be asking, “If you’re switching over to iCloud Passwords, why are you recommending that I download a second password manager app?”
Great question! It’s because iCloud Passwords doesn’t allow for website-less logins, or other random sensitive info like bank account numbers, licenses, and other stuff that you probably need easy access to but still want to be secured. For the past few months, I’ve been saving these items to an Apple Note. But there are several downsides to that method:
- No quick-copy function.
- You’ll want to have that note locked for extra security…
- But locking it prevents it from being shared with a spouse or other trusted partner.
- And, more troubling because of recent revelations regarding your iPhone’s passcode, you don’t need biometrics (Face ID or Touch ID) to view the note – your phone’s passcode will unlock it as well.
A Sidebar on Why Having a Biometric Authentication-Only Option Is Crucial These Days
You might not realize it, but your passcode is the primary unlocking mechanism to your phone. Not Face ID or Touch ID, which you use more often, but the 4+ digit passcode (or alphanumerical password if you set that up). It’s required when your phone restarts, for example. And it works as the failsafe when Face or Touch ID doesn’t unlock for some reason. That’s all well and good, but passcodes are easy to steal and fingerprints and 3D scans of your face are not.
If you don’t know why this matters, I encourage you to read Joanna Stern and Nicole Nguyen’s reporting for the Wall Street Journal (News+ link) concerning how bad actors are using social engineering to learn your phone’s passcode before stealing it from you. It’s not as dramatic as an interrogation and a mugging. No, this typically happens at a bar or somewhere they can get buddy-buddy with you and then offer to take your group photo or connect on social media. But – ah shoot – your phone is locked so they can’t get the shot. You willingly offer up your passcode because, hey, you’re never going to see them again so what could it hurt? But then, later on, they pickpocket you and now they have both physical access to your phone and your passcode.
This sounds bad because now they can look at nearly anything on your phone including private photos, passwords, banking apps, peer-to-peer payment apps, and more. But in fact, it’s worse. Because so many people forget their critical Apple ID password, Apple has made it possible for you to reset that password with only your iPhone’s passcode. So an enterprising crook can go in and change that password, effectively stealing not just your physical phone, but everything associated with your Apple ID. Messages gone. Photos gone. iCloud backups gone. Apps and purchased media gone. And no way to get it back.
[Stern recently did a follow-up on this report by interviewing a man convicted of this very crime.]
The good news is that Apple is going to introduce a new (optional) feature called Stolen Device Protection with the upcoming iOS 17.3 software release. With Stolen Device Protection turned on, there will be additional safeguards to prevent the passcode from having so much power. Your iCloud Keychain passwords will require Face ID or Touch ID to be viewed – no passcode failsafe. And, crucially, your Apple ID password will also require two biometric unlocks with at least an hour-long buffer between them.
Apple has done a thorough job thinking through the threat models and I think they’ve come up with a reasonable and fairly elegant solution. But I’m left with one particular worry:
Since iCloud Passwords doesn’t offer a way to store non-website credentials, where are people putting their bank account numbers, their license numbers, their Social Security numbers, and their credit card numbers?
My guess? Probably in Apple Notes which, as we have already established, allows for a passcode override if Face/Touch ID doesn’t work. And that’s if the user ever bothered to lock the individual note to begin with!
I don’t believe that iOS 17.3 changes any behavior in Notes, but you can bet that I’ll be checking when that update is released.
Keep it Secret, Keep it Safe
All of that is to say, I’m really glad that with the Secrets app, you can require biometric authentication to unlock the app and you don’t have to allow a passcode as a backup.
I’ve happily moved over the data that I was storing in an Apple Note (one that I had titled “Secrets”, funnily enough) into the Secrets app. Secrets, while not the most polished app, appears to be a solid contender in the password manager space. It at least checks off all the shortcomings of using an Apple Note:
- You can quick-copy items from the list view (long press to get a context menu) or in the item view (tap on the field to reveal a “Copy” button).
- The app is locked by default; you can choose to have it unlock with biometrics only (or with a passcode or passphrase if you want – but don’t), and you can choose how quickly it locks again when you exit the app.
- Vaults can be shared (and making changes to a vault’s settings requires an additional unlock) so you can make different buckets to share items with family, friends, colleagues, etc.
- And the data you save is all encrypted and synced via iCloud. No third-party syncing system is required. Not that third parties do a bad job as a rule, but I trust Apple to have top-notch resources and engineers to secure my data.
One More Unresolved Threat
There is, unfortunately, at least one more way that criminals could still really screw you over if they have access to your phone and passcode: Too many apps don’t offer any sort of authentication protection, and those that do almost always allow for your passcode to work in place of biometrics. For example, if I cover up my face and open up my bank app, after a few fails it just offers to let me type in my phone’s passcode to open it.
When Face ID fails for PayPal, it lets you log in using the PayPal username and password, which can be accessed with your phone’s passcode right now, but come iOS 17.3, will be fenced off by biometrics specifically.
I’ll give kudos to both the Cash App and Venmo, which allow you to set a separate 4-digit PIN to use in case of biometric failure. So don’t set it the same as your phone’s passcode! I’ve gone ahead and made new ones for them and saved them to – you guessed it – Secrets.
I’m focusing on financial apps here because they are the most obvious way that a criminal is probably going to try to continue to steal from you. They’ll empty your bank account to theirs. They’ll take your account numbers to make purchases. They’ll request money from your friends.
But honestly, I think Apple should cover all their bases here and offer a way to lock access to any app, system-wide, behind discreet authentication. They can even follow Secrets’ lead here by giving users the option to lock an app behind biometrics and/or a passcode/passphrase. And you know what? Build in those same locking delay options we saw above as well.
I should be able to prevent anyone from freely jumping into my photos app, my notes app, Snapchat, Discord, or anything where they could, intentionally or not, do some damage if I hand them my phone. And I shouldn’t have to wait for every app developer to build the feature and then go hunting for it in every app. Having a way to lock the important ones right from the Settings app is the way it should work. And I happen to know such a feature would be a godsend for parents of young children. A few years ago, my sister specifically asked me if I knew how to lock apps because when she handed her phone or iPad over to her kids for a little screen time they were deleting things by mistake or getting into ones that they shouldn’t.
Apple has the opportunity to solve this headache in one fell swoop. Sure, there will be edge cases to work around – like what happens when someone locks themselves out of every app by mistake? – but I believe Apple’s engineers are up for the challenge. They’ve proven with their approach to Stolen Device Protection that they can come up with a solution that balances security and convenience for most people, most of the time. The fact that they addressed passcode theft so head-on gives me hope that attending to these related problems is next on the to-do list.
In the meantime, don’t forget to download and unlock Secrets before the Indie App Santa discount expires in just a few hours. I think you’ll be glad that you did.
Update: It appears that the Secrets team changed their discount at some point today. What was a 100% discount on the Editing + Sharing purchase is now a $20 discount, bringing the one-time purchase price down to $80. It could be worth that $80 to pay only once (as opposed to 1Password’s $60 per year for a shared plan), but $80 is steep to jump in on a whim.
Sorry about that.