
waterTanuki | 21 days ago

Hi, I'm one of those people.

Welcome to being a human being, where you need dozens of different accounts and passwords and passkeys and authenticators to live in modern society.

Apple passwords just work. They integrate nicely with most websites where I can authenticate using biometrics instead of copy-pasting and leaving my credentials on my clipboard.

And let's be real here, no one else in the industry comes even close to the amount of investment, research, and maintenance of security platforms than Apple. I would not bet against Apple's security failing.

Everything is a tradeoff between convenience and security. I think Apple's password manager is the perfect middle ground. I let it generate different passwords for every site, store my passkeys etc.

No one has the time to fully optimize their security footprint. No one. And if you do you're either A) working in a sensitive area that requires it for your job or B) being targeted by state-level threat actors or C) lying. Anything beyond a password manager + 2fa is severe overkill for anyone else.


notepad0x90 | 21 days ago

The way Apple implemented things is great, no argument there. Others need to take note. But the same thing could have been implemented without requiring device/iOS lock-in. I don't care to malign Apple, but alternatives need to work as well, and as smoothly, as Apple passwords and passkeys, without the corporate malice.

> I would not bet against Apple's security failing.

I wouldn't either, but now the same tech is going to be used by everyone, and Apple's goal of vendor lock-in succeeds. Their security isn't in question, their malicious and anti-competitive practices are. They are secure, and it works well. You're also tied into their ecosystem and devices. They collect information that isn't necessary for their products to work well and securely. You can't fault them for being greedy, they're not particularly worse in that regard, but the industry needs to standardize better alternatives that work well, without the whole "you have to trust Apple, and it's okay that they lock people in to their ecosystem" angle.

If authentication requires the website/app to demand anything that can only be obtained on an Apple device, that is a user-hostile and anti-competitive feature. What confounds me is that Apple has a strong user base; doing this the right way doesn't cost them much. Making a user-friendly authentication protocol that works without attestation and hardware lock-in doesn't hurt them. They don't need to play dirty and lock in users, their fanbase is already strong. They're just being greedy for that extra 0.001 increase.

int_19h | 18 days ago

Apple Passwords has a Windows app so it's not tied to their hardware nor to their OS.

It doesn't have an Android app, but I'm pretty sure this is solely an anti-competitive measure on their behalf.

digiown | 21 days ago

If you have a password manager, 2FA is pointless anyway. A password manager already serves as two factors: possession of the database and the secret to decrypt it. 2FA is a mitigation against people getting pwned by reusing passwords or using bad passwords. Neither of which applies if you use a password manager. You can use the TOTP feature in KeePassXC for when it is useful.

faust201 | 21 days ago

> 2FA is a mitigation against people getting pwned by reusing passwords or using

Stolen/lost password hashes, or some AI-based programmer that dumped passwords in plaintext somewhere in a database.

If 2FA is proper, even trivial passwords are fine.

hollerith | 18 days ago

> I would not bet against Apple's security failing

I.e., you would bet on its failing, which is probably not what you meant to write.

DANmode | 20 days ago

Saw a post here last month about an iCloud user losing their entire life, so do with that what you will.

int_19h | 18 days ago

Using any cloud storage without local backups is asking for trouble.