What about Passkeys?

Posted by Paulo on June 6, 2023

I’ve been following the evolution of WebAuthn for quite some time now. However, it was only after Apple popularised it last year with the introduction of Passkeys that I started receiving questions about it.

My answer has always been: “I’m looking forward to supporting it in Secrets, and I hope Apple announces something related to Passkeys and third-party apps at WWDC.”

Today marks the second day of this year’s WWDC, and based on the documentation that’s already available, I can confirm that Apple did what I was hoping for:

The Credential Provider API for password managers has been expanded to support passkeys. Credential providers can save and offer passkeys for apps and websites across the system.

I filed Feedback with Apple at last year’s WWDC asking for precisely this. And this is probably more important than you might think, so read on.

What are Passkeys?

I’ll be brief. Passkeys are basically sets of key pairs (a public and a private key) that can replace password-based authentication with public-key authentication.

In practice, this means that when using passkeys, the server knows your public key, and your device can prove that you own the corresponding private key by answering cryptographic challenges.

This has many advantages:

  • Every key is “strong.” Unlike passwords, there’s no such thing as a “weak passkey.”
  • They’re unique. Each service should receive a different public key, and your device will store the matching private key.
  • Your private key never leaves your device and is linked to the corresponding service. This prevents phishing attacks.

If you’re using a password manager like Secrets, these benefits should sound familiar. Secrets already generates strong and unique random passwords for you. It also warns you if you try to fill in a password on a website that’s not associated with a specific Login.

Passkeys simply ensure these properties by design.
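The challenge-response exchange and per-service binding described above, as an added sketch in Node.js (not code from Secrets or Apple, and a simplification rather than the WebAuthn protocol itself). The `Device` and `Service` classes and the `example.test` origins are constructed for illustration; the sketch also covers a replayed answer and a look-alike site.

```javascript
// Added illustration of passkey-style authentication; simplified, not WebAuthn itself.
// Origins, class names and function names are constructed for this example.
const crypto = require('node:crypto');

// Device side: one Ed25519 key pair per service; private keys never leave this object.
class Device {
  constructor() { this.privateKeys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
    this.privateKeys.set(origin, privateKey);
    return publicKey;                        // the only thing the service receives
  }
  // `origin` is supplied by the browser/OS, not by page content.
  answer(origin, challenge) {
    const key = this.privateKeys.get(origin);
    if (!key) return null;                   // look-alike site: no key, nothing to sign
    const signed = Buffer.from(JSON.stringify({ origin, challenge }));
    return { signed, signature: crypto.sign(null, signed, key) };
  }
}

// Service side: stores the public key and issues single-use random challenges.
class Service {
  constructor(origin) { this.origin = origin; this.pending = new Set(); }
  enroll(publicKey) { this.publicKey = publicKey; }
  newChallenge() {
    const c = crypto.randomBytes(32).toString('base64url');
    this.pending.add(c);
    return c;
  }
  verify(assertion) {
    if (!assertion) return false;
    const { signed, signature } = assertion;
    if (!crypto.verify(null, signed, this.publicKey, signature)) return false;
    const { origin, challenge } = JSON.parse(signed.toString());
    if (origin !== this.origin) return false;    // signed for a different site
    return this.pending.delete(challenge);       // false if unknown or already used
  }
}

function demo() {
  const device = new Device();
  const site = new Service('https://example.test');
  site.enroll(device.register(site.origin));
  const good = device.answer(site.origin, site.newChallenge());
  return {
    login: site.verify(good),                    // true
    replay: site.verify(good),                   // false: challenge already spent
    phishing: site.verify(device.answer('https://examp1e.test', site.newChallenge())), // false
  };
}
```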

So what’s the big deal?

Hopefully, more and more services will start to offer Passkeys as an authentication option. While Secrets could potentially generate and store Passkeys, they would be challenging to use in any app or browser without a Secrets extension installed.

Unlike password-based authentication, you can’t simply copy and paste a Passkey into an authentication form. And that’s precisely why this announcement is so important.

If the future is Passkeys, users must be incentivised to use them as their primary authentication method. Otherwise, the password will always be the weakest link. In that regard, Passkeys should work everywhere you’d expect, including all the apps on your device.

By allowing third-party password managers to store and use Passkeys in both apps and websites, Apple is taking another step in that direction. It also prevents locking you into the ecosystem.

And now you know one of the things I’ll be working on this summer 😉

Secrets 4 has Shipped!

Posted by Paulo on May 31, 2023

Secrets 4 has just been released! 🎉

As a quick reminder, this version includes:

  1. A completely new storage and sync system;
  2. The ability to share items with other users via Shared Vaults;
  3. A UI facelift as well as many other improvements!

If you want to know more about these changes, check out our announcement blog post.

Secrets 4 is a paid upgrade and a universal app. Your purchases are now shared between Mac and iOS. Not only that but all your purchases can also be shared with your family via Family Sharing!

Speaking of purchases, this version includes both one-time purchases and subscription options.

One-Time Purchases

  • Editing for 59.99 US$: Allows editing of items
  • Sharing for 39.99 US$: Allows sharing vaults
  • Editing + Sharing for 89.99 US$: Discounted pack of both the previous purchases

Subscriptions

  • Monthly all-inclusive for 2.99 US$
  • Yearly all-inclusive for 29.99 US$

To celebrate the launch, we have a couple of promotions just for launch day. Every Secrets 3 user can upgrade to the Editing + Sharing purchase at 50% off¹. Every new user will also be able to purchase the Editing purchase at 25% off!

Last but not least there’s a brand new, gorgeous site for Secrets: https://secrets.app! Go check it out, or go directly to the App Store if you can’t wait to try it 😉.

As always I’d love to hear from you! Join the discussion on Product Hunt or send me an e-mail.



  1. After launch there will still be a 20% discount for existing users.

Announcing Secrets 4!

Posted by Paulo on May 18, 2023

The next major version of Secrets, the biggest update yet, is coming soon. Read on to learn more and how you can get a preview of the new version.

New Engine, Familiar Experience

The entire storage layer of Secrets has been rewritten. This new version was designed to work better with iCloud and provide a more robust syncing experience. Secrets still uses the Sodium library for most of its cryptographic functions, including for everything sent to iCloud.

No more passphrases… if you don’t want to. With almost all Apple devices being sold today including a Secure Enclave, Secrets 4 leverages its features to give you more flexible options on how you’d prefer to unlock your data. Want to use just Face ID? Sure. Want to use a passphrase or Touch ID? Yep. Want to use Face ID and a passphrase? You can do that too! You can even have different unlock methods on each device and have them all syncing with iCloud.

Make no mistake, your data is still encrypted with a 256-bit key. This key is protected by the system’s Secure Enclave, cannot leave the device, and is gated by the unlocking mechanisms mentioned above (among others).

Trusted Devices

So far you’d always have to type in your passphrase to sync a new device. Your passphrase actually had to be the same on all devices for syncing to work. But if Secrets 4 can be used without a passphrase, how does that work?

New in Secrets 4 is the notion of a trusted device. The first device that syncs with iCloud becomes the root trusted device. When you want to sync a new device, it will ask for authorization from an existing trusted device. This process is similar to the pairing mechanism in Remote Secret Requests.

Shared Vaults

The flagship feature of Secrets 4, and one of the main reasons behind our biggest refactor yet.

You can now create different vaults in Secrets:

  • Local: With local vaults your data never leaves your device.
  • iCloud: Data stored in these vaults is synced with all your trusted devices.
  • Shared: Still stored on iCloud, but you can invite any other Secrets user to read and write items to these vaults.

Note that shared vaults are completely built on top of iCloud. We still don’t run any servers. There’s no account to set up when you use Secrets. You just open the app and start using it.

Secrets was released in May 2016. If you bought the first version you had 7 years of free updates. It’s time for a paid upgrade.

Rest assured, Secrets 4 is not moving to a subscription. In fact, there will be a considerable discount on launch day for all existing Secrets 3 users. No matter if you bought Secrets Premium this year or 3 years ago. So make sure you are subscribed to our newsletter so you don’t miss it. After launch, you can still benefit from upgrade pricing at a smaller discount rate.

Prefer a subscription? There will be an option for you too.

Public Beta

Interested in helping test this new version? You can join the beta TestFlight group here! But please be aware this is a beta… crashes, bugs and general weirdness are to be expected. Back up your data, try it out and let me know what you think.

Your secrets now on Windows

Posted by Paulo on September 21, 2020

It’s been a long time since the last update. That certainly wasn’t intended, but I didn’t expect a pandemic. Anyway, the wait is over and I believe it was worth it! Version 3.4.0 of Secrets for iOS is now available on the App Store, and with it a major new feature.

Remote Access

With this update you can now use Secrets on your iOS device as a remote keychain for filling Logins and Credit Cards on a browser running on another machine, such as on Windows or Linux.

Secrets is, and will continue to be for the foreseeable future, only available on Apple platforms. That’s where our expertise and our heart is. Having said that, we do have many requests for other platforms. While Secrets itself won’t run on Windows anytime soon, this feature is the next best thing.

How does it work?

With the updated browser extensions for Firefox and Chrome¹ you can now pair one or more iOS devices to serve as a remote keychain. The pairing works by simply reading a QR Code from the extension’s options page.

Then, when you get to a page with a login or payment form, you just click the Secrets toolbar icon on your browser and a request is sent to your paired devices via push notifications.

On your device, you tap the notification to open Secrets and select the login you want to use. That information is sent back to the browser and the form is automatically filled. And of course this is all end-to-end encrypted.

The 3 steps to auto fill your secrets on a remote machine


We think this will be huge for many of Secrets’s users. Many of them only use Apple devices personally but have a Windows machine at work.

The secrets command line tool

The browser extensions will suffice for many of our users but we didn’t stop there. We’re also releasing an open source command line tool so you can integrate Secrets in many of your workflows.

With this tool you can retrieve not just Logins, but any type of data that you have stored in Secrets, and you can specify which item properties you want. Here’s an example command:

$ secrets request github -u https://github.com -t login:otp -d "Paulo's iPhone"

We think sysadmins will love this! This tool is on GitHub and you can install it via NPM.

As always, we love to hear from you, so let us know what you think via e-mail or on Twitter.


  1. The Chrome extension can be installed on many Chromium based browsers, such as Brave, Vivaldi and Microsoft Edge.

Secrets 3.2

Posted by Paulo on November 12, 2019

Out at last, out at last, Secrets 3.2 is out at last!

This release is a bit tardy but I believe the wait was worth it. This update focuses on iOS 13 and macOS Catalina specific features but also includes many other noteworthy features. So let’s get to it!

Dark Mode iOS

Arguably the most anticipated feature of iOS 13. Since adding Dark Mode to Secrets for Mac last year, you have definitely made it clear you wanted the same on Secrets for iOS. We heard you… but we were also expecting Apple to add support for it this year with iOS 13 😉. And we were right!

So finally, Secrets for iOS joins its macOS counterpart with new, beautiful, dark themes!

The Light, Dark and Black themes on Secrets for iOS


Yes, themes… plural. We’ve added two new dark themes to suit everyone’s taste. The new Dark theme – my favorite – uses a few shades of gray with just a hint of blue and is really easy on the eyes. The Black theme uses Apple’s palette for Dark Mode making Secrets fit right in with the rest of your apps.

And to celebrate all this darkness, we’ve also added a new dark version of the app icon just for fun 😊. But you’ll have to open the app’s Settings to check it out.

Unlock with an Watch macOS

Secrets for Mac could already be unlock with Touch ID on compatible Macs. With macOS Catalina, Apple has added the ability to use your Watch to authenticate yourself and Secrets takes full advantage of that!

Using the watch to unlock Secrets in macOS Catalina

Using the watch to unlock Secrets in macOS Catalina

Now, instead of typing in your long passphrase (you’re using a long passphrase, right?!), you can simply double-click your watch’s side button to unlock.

Siri Shortcuts iOS

We introduced Siri Shortcuts with Secrets 2.8 last year. This year, Apple made Shortcuts much more powerful with the ability to return results from custom actions.

This release adds a new Search Secrets action you can use as a step on your own shortcuts.

For example, one request that pops up now and again is the ability to auto-fill credit cards onto webpages. Unfortunately, iOS’s Password AutoFill feature only works on logins, so you still had to copy and paste your credit card details from Secrets. Fortunately, with the new Search Secrets action we can do this ourselves with a simple shortcut!

Filling credit card information stored in Secrets using a custom shortcut

What you’re seeing in the video above is a shortcut that runs on Safari webpages, searches Secrets for credit card items, asks you which of the cards you want to use and finally auto-fills the card details in Safari. Pretty neat! Here’s a link to the shortcut so you can try it out yourself.

Additional browser support macOS

Secrets already had support for the most popular browsers. With this version we’re now adding the Brave Browser and Firefox Developer Edition to the roster.

As some of you may have noticed, you could already install Secrets’s extensions on them but they wouldn’t actually work… Secrets would still think it was talking to Chrome or Firefox. Well… no more!

Auto-filling now working with Brave Browser


Secrets will now understand that it’s in fact talking to these browsers and work as expected.

Accessibility improvements iOS

“Improvements” might be an understatement… We’ve added support for Dynamic Type, VoiceOver and Voice Control.

  • Dynamic Type: Secrets will now honor the text size preferences you set in Settings.app, including the larger accessibility sizes.
  • VoiceOver: We’ve reviewed all screens so that they’re friendly to VoiceOver users. Your device will now be able to read the Secrets user interface and perform all actions.
  • Voice Control: New in iOS 13 is the ability to control iOS with just your voice. This is an impressive feat by the accessibility team at Apple, and we’re proud to say you can now also control Secrets with just your voice.

As always, we love to hear from you, so let us know what you think via e-mail or on Twitter.
