Secrets 4.2: Adding support for passkeys
Secrets 4.2 is out and with it comes support for passkeys using the native Password AutoFill feature on macOS 14 and iOS 17.
If you're still on Secrets 3 read to the end to find out how you can upgrade at a discount!
Passkeys
A lot has been written on passkeys so I'm not going to elongate here.
Suffice to say they are like a next-generation "password". Signing in into websites and apps becomes even easier and extra secure. Unlike traditional passwords, passkeys rely on public-key cryptography, making them resistant to phishing attacks and consistently robust. You'll never have to "remember" or reuse a passkey. And there's no such thing as a weak passkey.
But if you're using a password manager like Secrets, you're already using strong unique passwords that you don't have to remember 😉. That's the whole point of a password manager! Protecting yourself from the problems of password-based authentication. So what's in it for you?
Well, passkeys are considerable more secure since they never have to leave your device. And because there's a standard API for signing in and signing up with a passkey, the experience should work everywhere. Whereas when using passwords, web developers can be very creative with their sign in/up forms, making it harder for password managers to detect and fill these consistently.
Security-wise there's also a big incentive to adopt passkeys on the server side. They are inherently more secure and less likely to be exploited in case of security breaches. I expect the adoption to grow slowly but steadily. Using Secrets means you're ready for this transition.
Password AutoFill
This update adopts the new API on iOS 17 and macOS 14 made available specifically for password managers apps. This means you can store and use passkeys in Secrets with Safari and other apps on both iOS and macOS.
To try them out, make sure you have Secrets enabled for Password AutoFill on either macOS and iOS. You can search for "Password AutoFill" on your device's Settings to check. Then go to a passkey-enabled website in Safari, sign up using a passkey or add a passkey-based authentication method to your account. Safari will present a native UI asking you if you want to create a passkey with Secrets!
Safari's UI for creating a passkey on macOS.
And signing in is very similar to how you'd sign in with a password using the native Password AutoFill.
Safari's context menu suggesting a passkey on macOS.
Note: A couple of caveats regarding the current iteration of passkey support on macOS/iOS:
- You need to have QuickType/suggestions enabled for Password AutoFill in Secrets's settings for passkeys to work as Apple doesn't provide a way to summon Secrets otherwise.
- On macOS there's a bug that, sometimes, will prevent the native AutoFill window over Safari from being dismissed.
Both of these have been reported to Apple.
Browser extensions
Support for passkeys in the Secrets browser extension will be made available in the future. But fear not, both Firefox and Chrome can display a standard QR Code for cross-platform authentication.
In practice this means you can authenticate using passkeys on Firefox and Chrome running on your Mac by scanning a QR Code on your iPhone where Secrets is also installed. If you're familiar with Secrets's Remote Access feature, the flow is almost identical!
Upgrading from Secrets 3
If you're still running Secrets 3, now would be a great time to upgrade! Secrets upgrade pricing is at 50% off until the end of March! Simply install Secrets 4 on a device where you have Secrets 3 installed (with the Premium purchase) and open the Store section to see the discount.