What about Passkeys?

Posted by Paulo on June 6, 2023

I’ve been following the evolution of WebAuthn for quite some time now. However, it was only after Apple popularised it last year with the introduction of Passkeys that I started receiving questions about it.

My answer has always been: “I’m looking forward to supporting it in Secrets, and I hope Apple announces something related to Passkeys and third-party apps at WWDC.”

Today marks the second day of this year’s WWDC, and based on the documentation that’s already available, I can confirm that Apple did what I was hoping for:

The Credential Provider API for password managers has been expanded to support passkeys. Credential providers can save and offer passkeys for apps and websites across the system.

I filed Feedback with Apple at last year’s WWDC asking for precisely this. And this is probably more important than you might think, so read on.

What are Passkeys?

I’ll be brief. Passkeys are basically sets of key pairs (a public and a private key) that can replace password-based authentication with public-key authentication.

In practice, this means that when using passkeys, the server knows your public key, and your device can prove that you own the corresponding private key by answering cryptographic challenges.

This has many advantages: • Every key is “strong.” Unlike passwords, there’s no such thing as a “weak passkey.” • They’re unique. Each service should receive a different public key, and your device will store the matching private key. • Your private key never leaves your device and is linked to the corresponding service. This prevents phishing attacks.

If you’re using a password manager like Secrets, these benefits should sound familiar. Secrets already generates strong and unique random passwords for you. It also warns you if you try to fill in a password on a website that’s not associated with a specific Login.

Passkeys simply ensure these properties by design.

So what’s the big deal?

Hopefully, more and more services will start to offer Passkeys as an authentication option. While Secrets could potentially generate and store Passkeys, they would be challenging to use in any app or browser without a Secrets extension installed.

Unlike password-based authentication, you can’t simply copy and paste a Passkey into an authentication form. And that’s precisely why this announcement is so important.

If the future is Passkeys, users must be incentivised to use them as their primary authentication method. Otherwise, the password will always be the weakest link. In that regard, Passkeys should work everywhere you’d expect, including all the apps on your device.

By allowing third-party password managers to store and use Passkeys in both apps and websites, Apple is taking another step in that direction. It also prevents locking you into the ecosystem.

And now you know one of the things I’ll be working on this summer 😉

Secrets 4 has Shipped!

Posted by Paulo on May 31, 2023

Secrets 4 has just been released! 🎉

As a quick reminder this version includes: 1. A completely new storage and sync system; 1. The ability to share items with other users via Shared Vaults; 1. A UI facelift as well as many other improvements!

If you want to know about about these changes check out our announcement blog post.

Secrets 4 is a paid upgrade and a universal app. Your purchases are now shared between Mac and iOS. Not only that but all your purchases can also be shared with your family via Family Sharing!

Speaking of purchases, this version includes both one-time purchases and subscription options.

One-Time Purchases

  • Editing for 59.99 US$: Allows editing of items
  • Sharing for 39.99 US$: Allows sharing vaults
  • Editing + Sharing for 89.99 US$: Discounted pack of both the previous purchases

Subscriptions

  • Monthly all-inclusive for 2.99 US$
  • Yearly all-inclusive for 29.99 US$

To celebrate the launch, we have a a couple of promotions just for launch day. Every Secrets 3 user can upgrade to the Editing + Sharing purchase at 50% off1. Every new user will also be able to purchase the Editing purchase at 25% off!

Last but not least there’s a brand new, gorgeous site for Secrets: https://secrets.app! Go check it out, or go directly to the App Store if you can’t wait to try it 😉.

As always I’d love to hear from you! Join the discussion on Product Hunt or send me an e-mail.

Secrets 4 - Tasteful password manager for Mac and iOS | Product Hunt


  1. After launch there will still be a 20% discount for existing users. [return]

Announcing Secrets 4!

Posted by Paulo on May 18, 2023

The next major version of Secrets, the biggest update yet, is coming soon. Read on to learn more and how you can get a preview on the new version.

New Engine, Familiar Experience

The entire storage layer of Secrets has been rewritten. This new version was designed to work better with iCloud and provide a more robust syncing experience. Secrets still uses the Sodium library for most of its cryptographic functions. Including for everything sent to iCloud.

No more passphrases… if you don’t want to. With almost all Apple devices being sold today including a Secure Enclave, Secrets 4 leverages its features to give you more flexible options on how you’d prefer to unlock your data. Want to use just Face ID? Sure. Want to use a passphrase or Touch ID? Yep. Want to use Face ID and a passphrase? You can do that too! You can even have different unlock methods on each device and have them all syncing with iCloud.

Make no mistakes, your data is still encrypted with a 256-bit key. This key is protected by the system’s Secure Enclave, cannot leave the device, and is gated by the unlocking mechanisms mentioned above (among others).

Trusted Devices

So far you’d always have to type in your passphrase to sync a new device. Your passphrase actually had to be the same on all devices for syncing to work. But if Secrets 4 can be used without a passphrase, how does that work?

New in Secrets 4 is the notion of a trusted device. The first device that sync with iCloud become the root trusted device. When you want to sync a new device, it will ask for authorization from an existing trusted device. This process is similar to the pairing mechanism in Remote Secret Requests.

Shared Vaults

The flagship feature of Secrets 4. One the main reasons behind our biggest refactor yet.

You can now create different vaults in Secrets:

  • Local: With local vaults your data never leaves your device.
  • iCloud: Data stored in these vaults is sync with all your trusted devices.
  • Shared: Still stored on iCloud, but you can invite any other Secrets user to read and write items to these vaults

Note shared vaults are completely built on top of iCloud. We still don’t run any servers. There’s no account to setup when you use Secrets. You just open the app and start using it.

Secrets was release in May 2016. If you bought the first version you had 7 years of free updates. It’s time for a paid upgrade.

Rest assured, Secrets 4 is not moving to a subscription. In fact, there will be a considerable discount on launch day for all existing Secrets 3 users. No matter if you bought Secrets Premium this year or 3 years ago. So make sure you are subscribed to our newsletter so you don’t miss it. After launch, you can still benefit from upgrade pricing at a smaller discount rate.

Prefer a subscription? There will be an option for you too.

Public Beta

Interested in helping test this new version? You can join the beta TestFlight group here! But please be aware this is a beta… crashes, bugs and general weirdness is to be expected. Backup your data, try it out and let me know you what you think.

Secrets 3.6 - Tying Up Loose Ends

Posted by Paulo on March 16, 2021

Version 3.6 of both Secrets for Mac and iOS is out now. While there are not groundbreaking features this release includes some other minor features that had been skipped in the past. Lets go over them now!

Automatic Icon Suggestions

While you could already set custom icons for your items, Secrets 3.6 now makes that a bit easier by automatically suggesting icons based on the Services you have associated with a Login item.

The way this works is that Secrets will connect to all associated websites and try to find a suitable images from each page’s metadata. Nothing goes through our servers so your privacy is preserved.

Icon suggestions for a Login for apple.com and icloud.com

Icon suggestions for a Login for apple.com and icloud.com

Not only that but it also includes a list of symbols you can use instead of an image. This is perfect for Login items for databases, servers, or other protocols where Secrets can’t suggest an icon. For example, if you have a Login for an SSH shell on a remote server, you could create an icon like this:

Using a symbol and a background color to create custom icons

Using a symbol and a background color to create custom icons

Finally on the Mac side, if you’re choosing an icon for a Software License, Secrets will also suggest icons from the apps you have installed on your machine. Pretty handy 😉.

Ad Hoc Remote Secret Requests

In version 3.4 Secrets introduced the ability to fill Logins on browsers running on Windows or Linux from Secrets running on iOS, such as on your iPhone. This feature required you to pair your iPhone with the browser first. We got some feedback from various students around the world that they are using this feature on shared computers and would love not to have to pair first.

Well… it’s here! Simply right click on the page and inside the Secrets menu you’ll find a new “Ad Hoc Request” option1. Now you can spend more time studying and less time pairing 😘.

Location of the new Ad Hoc Request menu item

Location of the new Ad Hoc Request menu item

Rest assured everything is still end-to-end encrypted. The difference is that, for Ad Hoc requests, you’ll need to scan a QR Code every time you make a request. Whereas if you pair your device you only need to scan it once.

Adding Missing Features on iOS

Secrets for Mac has always had some features not present on iOS. Well, the gap tightens with Secrets 3.6 for iOS.

You can finally import and export your data on directly on your iPhone. The number of users that we have using just the iOS version of Secrets seems to keep growing and while they needed Secrets for Mac to import their data before… not anymore!

Also, renaming and deleting tags is finally possible on iOS. You always could add new tags, but if you made a mistake there was no option to delete or rename it. That’s now fixed.

Bug Fixing

Last but not least, we have the usual “bug fixes and improvements”:

  • Fixed issue related to syncing a large number of attachments;
  • Improved fullscreen experience;
  • Improved LastPass importer;
  • and many more.

As always, we love to hear from you, so if you have any feedback on these extensions you can reach us via e-mail or on Twitter.


  1. You’ll need to update your browser extension to version 1.0 first! [return]

Password AutoFill now on macOS Big Sur

Posted by Paulo on November 20, 2020

At last… after some issues with Apple’s submission process Secrets 3.4.0 has been released! Apologies for the delay but the issue was not our side. But enough chit chat, let’s get into it…

Password AutoFill

This feature was only mentioned in passing during Apple’s WWDC and I have yet to find a reference to it on Apple’s marketing pages. But it’s 😘. Perhaps the most underrated feature on macOS Big Sur?

Whereas on iOS you could already use third party Password Managers to fill passwords on every app, Big Sur finally brings that feature to iOS’s older brother. Meaning you can use Secrets to quickly fill usernames and passwords on just about any app.

Using Password AutoFill on macOS Big Sur with Secrets

Keeping with the same design and security principles that we’ve set since the very beginning, the new Password AutoFill extension delegates passphrase handling, decryption and item selection to the main app. The flow should be very familiar to any existing Secrets user since it’s practically the same as when filling in a web browser.

Improvements

Accessibility support

We’ve added accessibility support to Secrets for iOS back in version 3.2 and you’ve definitely made us know that we were still missing it on our macOS counterpart. Not any more!

You can finally use VoiceOver to navigate Secrets on macOS. Our apologies for taking so long… If you’re using this we’d love to hear your comments!

Auto fill credit cards

You can now also fill Credit Cards stored in Secrets on your favorite web browser. Just in time for all your Christmas shopping! 😉

The process is exactly the same as filling a Login. If Secrets detects a payment form on that web page, it will show the “Fill” button on your Credit Card entries.

Other

We’ve also made many improvements throughout the app, including: * refined interactions when using multiple spaces and fullscreen apps; * automatically closing Secrets window after a fill; * and of course this update runs natively on the new Apple M1 chip ❤️.

Subscribe for updates on Secrets and other news from Outer Corner.