A few weeks back, a friend of mine called me to ask my advice. “I got a note from Facebook,” they said, as all nightmare emails start, “that my account had been locked.”
Hooboy. As “The Tech Friend,” I have told people in my life that if they hit something like this and want help, I will always provide advice. The account in question was locked by Facebook security, it wasn’t a critical path to their life, and so we got together this weekend to look at their security.
They were in better shape than I expected, or had feared, and we got their Facebook account into a state where Facebook could recover it for them, but we took the opportunity to review how they were authenticating to the most important accounts in their life.
My immediate thought — working where I work, doing what I do — came down to how much security they were using to log in to their various accounts. Where else could they be vulnerable to an old password? Where did they need MFA?
There was a time — not long ago! — when that would’ve been a major excursion through their digital life, and we’d have lost a whole day to it. The advances that Apple has made in this kind of user-focused security are amazing. My friend is an iPad and iPhone user, not a Mac user, so we focused on Safari on those devices. I wanted to highlight a few things that have come out over the last few years that you might’ve missed if you’re living on Authy/Google Authenticator and a separate password manager.
Native MFA
If you’re using a code generator app like Authy or Google Authenticator, you may have solved this problem for yourself a long time ago. Since my friend was new to the space, we looked at setting this up directly in Passwords, and man, that is a slick and easy experience. In the Passwords section of Settings, you can add a code generator to any secret either by scanning a QR code or by entering the seed key. We were able to quickly add a code generator for her Gmail account*, as well as for her banking apps, in just a few minutes.
* You’re going to say something about Passkeys. Wait for it.
Compromised Password Detection
Passwords can just get “out there” somehow. Either because an app had bad security, or because there was an insider leak, or any number of reasons. Reused passwords, poorly thought out passwords, and compromised passwords are all highlighted in the Passwords settings now. More than just showing you the problem, though, Apple’s helping you to fix it.
Right from the Password Settings, you can go reset key credentials, or tell it to disregard the warning for individual sites. It can feel daunting to a user to know how exposed they are, but having helpful hints on how to move forward is great.
Passkeys
More than just MFA or a long password, using a phishing-resistant authentication method like a passkey is a great experience for the user, as well. We set up a passkey for their Google account, after a short explanation of how they’re different from passwords and MFA. Once they saw how it worked — and I love that Google offers you a quick way to see it in action — they were hooked and wanted to use this everywhere.
A Standalone App
With macOS 15 and iOS 18 now here, things are getting even better. Passwords now lives in its own application for direct management, sharing, adjustment, and convenience, so for a lot of people, 1Password or tools similar to it just won’t be as immediately necessary. Now, I’m not saying to dump 1Password — hardly! — I am saying that for most folks, Passwords will be enough.
Five years ago, we didn’t have this great wealth of new and better ways of handling authentication securely. It felt like we were chugging along, trying to make a bunch of bad technologies fit our lives.
Now, it feels like things are a whole heckuva lot better, and I just wanted to stop to say exactly that: we’re in a way more secure moment than we were, and things are only going to get better from here.

