6 comments

  • Terretta 2 days ago

    As OTP codes are built into the new "Passwords" app (and which iOS already supported though tucked away in settings), is the main reason for this the widgets?

    • deltaknight 2 days ago

      Yep more or less, I liked the idea of having the “Passwords” contain my OTPs (didn’t mind about the threat model for having OTPs and Passwords in the same place), but I didn’t like the UX of the app and having to open it and navigate to my password entry to get the code.

      So this app gives you a similar security model, but with widgets and a simpler interface. The ability to integrate with other native iOS features like shortcuts also sounds fun to me.

      Plus I could build it, and building things that I use is just fun.

  • lukaslukas 3 days ago

    Isn't the point of OTP to keep it on one device only (ideally not the primary one)? If someone gets access to iCloud then they will automatically be able to read all OTP passwords?

    • deltaknight 3 days ago

      Yes you’re right, ideally OTPs should be on a single device you control (to fulfil the “something you have” factor of authentication). However, for me personally the syncing of OTPs is basically a requirement to ensure you don’t lose access to accounts when transitioning between devices, which happens often with phones.

      This problem is best solved if you use something like a Yubikey which gives you a dedicated device for your OTPs.

      If someone gains access to your iCloud Keychain (assuming you have it turned on, if you don’t then no syncing occurs) then yes they’ll be able to access encrypted OTP secrets and metadata, from which they could calculate your OTP. If they can decrypt the data, then yes your OTP will be compromised. In my eyes this issue exists for most of the popular OTP apps out there, and so I prefer to trust one service (Keychain) rather than multiple. That’s just me though.

      For me, the usability and availability of my OTPs is more important than keeping them on an isolated device.

  • HatchedLake721 3 days ago

    I hate Authy since the day CTRL+C stopped working. That was 10 years ago or so? Why can’t I copy the code via a shortcut? Why do you force me to move my mouse and press the copy button?

    I still use Authy but I don’t keep track of it now and I’d switch in a heartbeat.

    Now it’s an iOS app running inside macOS?

    Sometimes when TouchID doesn’t work (or it just doesn’t offer it after a timeout) I need to enter a PIN on a numpad to unlock Authy.

    Guess what? It doesn’t register my keyboard, so I have to use my mouse again to click some buttons on the numpad.

    Seriously?!

    • deltaknight 3 days ago

      Completely agreed, it’s very frustrating when a once useful app becomes sidelined and is difficult to migrate off of.

      Speaking of shortcuts, that’s actually been on my list of things to implement, so if you’re interested check back at the end of next week for the next app update.