{"id":33477,"date":"2021-08-26T16:55:13","date_gmt":"2021-08-26T20:55:13","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=33477"},"modified":"2021-09-08T11:26:50","modified_gmt":"2021-09-08T15:26:50","slug":"why-apple-asks-for-your-other-devices-password","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2021\/08\/26\/why-apple-asks-for-your-other-devices-password\/","title":{"rendered":"Why Apple Asks for Your Other Device&rsquo;s Password"},"content":{"rendered":"<p><a href=\"https:\/\/tidbits.com\/2019\/09\/26\/why-apple-asks-for-your-passcode-or-password-with-a-new-login-and-why-its-safe\/\">Glenn Fleishman<\/a> (<a href=\"https:\/\/twitter.com\/GlennF\/status\/1177261882974978048\">tweet<\/a>):<\/p>\n<blockquote cite=\"https:\/\/tidbits.com\/2019\/09\/26\/why-apple-asks-for-your-passcode-or-password-with-a-new-login-and-why-its-safe\/\">\n<p>Why would Apple ask for the password or passcode for one of your other devices? Could it be some sort of scam? What exactly is going on here?<\/p>\n<p>[&#8230;]<\/p>\n<p>Apple has chosen to protect some data that it views as highly secure or very private with end-to-end encryption that prevents Apple from knowing anything about the contents of the synced data. Apple doesn&rsquo;t possess any of the keys required to decrypt this data passing through its servers. Instead, those keys reside only on individual iPhones, iPads, and Macs.<\/p>\n<p>[&#8230;]<\/p>\n<p>For iCloud Keychain and similar sensitive data, Apple has your devices generate and maintain a set of public and private keys that enable interaction with the information synced across iCloud. The devices never reveal their private keys and have the public keys of all the other devices connected to an iCloud account.<\/p>\n<p>[&#8230;]<\/p>\n<p>The hard part isn&rsquo;t syncing data privately. Rather, it comes when you want to add a new device to this set.<\/p>\n<p>[&#8230;]<\/p>\n<p>On at least one of the devices in the iCloud sync set, Apple adds an encrypted version of that device&rsquo;s passcode or password to the set of shared information.<\/p>\n<p>[&#8230;]<\/p>\n<p>Apple syncs this information to iCloud, and the setup process on the new device then pulls it down, prompting you to enter the passcode or password.<\/p>\n<\/blockquote>\n\n<p>This seems reasonable, although I guess it creates a slight risk in that now your device&rsquo;s password has been stored in the cloud. It&rsquo;s encrypted, but someone with access to the cloud could apply a lot of computing power over a long period of time in order to brute-force it. This would make it possible to break into your device during only a brief window of physical access.<\/p>\n\n<p><a href=\"https:\/\/twitter.com\/GlennF\/status\/1177262897480654848\">Glenn Fleishman<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/GlennF\/status\/1177262897480654848\">\n<p>Apple made it more confusing by not documenting the procedure anywhere on its site. So if you Google or search to make sure it&rsquo;s safe and not phishing, you cannot find any additional information about it!<\/p>\n<\/blockquote>\n\n<p>He wrote that in 2019. I was not able to find this described in the <a href=\"https:\/\/manuals.info.apple.com\/MANUALS\/1000\/MA1902\/en_US\/apple-platform-security-guide.pdf\">2021 Apple Platform Security<\/a> document, though it&rsquo;s possible I just didn&rsquo;t know where to look. I also don&rsquo;t know if it has a name. Apple does describe a similar &ldquo;syncing circle&rdquo; system for iCloud Keychain, but that seems to be different. (And the system Fleishman describes works even if you are not using iCloud Keychain.)<\/p>\n\n<p id=\"why-apple-asks-for-your-other-devices-password-update-2021-09-08\">Update (2021-09-08): <a href=\"https:\/\/twitter.com\/alanzeino\/status\/1431003538751070209\">alanzeino<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/alanzeino\/status\/1431003538751070209\"><p>I&rsquo;ve always wondered why this works like this, especially since it randomly sometimes requires every device to re-login and the <em>last<\/em> device that logs in is the password used to encrypt<\/p><\/blockquote>\n\n<p><a href=\"https:\/\/twitter.com\/mxswd\/status\/1431093503451222019\">Maxwell Swadling<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/mxswd\/status\/1431093503451222019\"><p>It does this because dropped an old device from your circle and needs to generate a new key that old device doesn&rsquo;t know.<\/p><\/blockquote>\n\n<p>He thinks that what Fleishman describes <em>is<\/em> the &ldquo;syncing circle&rdquo; mentioned in the Apple document. In other words, iCloud Keychain is running at some level even if you haven&rsquo;t chosen to store your own passwords in it.<\/p>","protected":false},"excerpt":{"rendered":"<p>Glenn Fleishman (tweet): Why would Apple ask for the password or passcode for one of your other devices? Could it be some sort of scam? What exactly is going on here? [&#8230;] Apple has chosen to protect some data that it views as highly secure or very private with end-to-end encryption that prevents Apple from [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2021-08-26T20:55:17Z","apple_news_api_id":"34cbf155-7eee-495f-a42b-38cc816bb02d","apple_news_api_modified_at":"2021-09-08T15:26:54Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAAAw==","apple_news_api_share_url":"https:\/\/apple.news\/ANMvxVX7uSV-kKzjMgWuwLQ","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[164,16,1417,31,1837,30,1891,981,48,2090],"class_list":["post-33477","post","type-post","status-publish","format-standard","hentry","category-technology","tag-documentation","tag-icloud","tag-icloud-keychain","tag-ios","tag-ios-14","tag-mac","tag-macos-11-0","tag-passwords","tag-security","tag-two-factor-authentication-2fa"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/33477","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=33477"}],"version-history":[{"count":4,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/33477\/revisions"}],"predecessor-version":[{"id":33556,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/33477\/revisions\/33556"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=33477"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=33477"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=33477"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}