Create Strong Passwords in iOS 12

Robots & Pencils · Published in RoboPress · Jun 14, 2018

Security is a hot topic these days, especially after the many high-profile hacks that have occurred over the past couple of years. Passwords, in particular, are coming under scrutiny as insecure, as folks reuse passwords between websites or use weak passwords like ‘password123’ or ‘letmein’. It’s reaching a point where some companies, like Microsoft, are talking about doing away with passwords altogether.

Apple is no slouch in this area, having introduced groundbreaking biometrics into their phones and computers, first with Touch ID, and then with Face ID on the iPhone X.

We may be moving away from the password, but it’s not dead yet, and Apple is introducing new technology in iOS 12 that will make it easier for your users to create and use secure passwords in your apps.

This technology is called Password AutoFill. If you implement it in your apps, you can specify the rules used to generate a secure, random password, which will then be saved securely into your user’s keychain so that they can use it not only in your iOS app, but also in your web app in Safari and on macOS.

Setting up the text field in code

Setting up a text field to work with a secure password is fairly straightforward.

The first thing you have to do is mark the text field’s content type as newPassword and enable secure text entry:

Once the TextField is configured to generate new passwords, you have to pass in the rules that the system will use to generate the password, as below:

The rules are passed in with a descriptor, which describes what parameters the password must match. In this case, our password must meet the following guidelines:

  • Be at least 8 characters long
  • No character should repeat more than twice in a row
  • Include at least one uppercase character

For the full reference on how to format this string, you can read the documentation on Apple’s site.

Setting up the text field in Interface Builder

You can set all of the above directly in Interface Builder by setting the Text Input Traits (in the Attributes Inspector).

You will still have to pass in the descriptor using the format described above.

Note: If you have UI that reflects the validation state of a password, Password AutoFill will not solve this problem for you. Password rules are only used with the AutoFill feature. There is no delegate or property that tells you whether or not a text field fails those tests.
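
As an added example (not code from the original post), the Swift below configures a field with a descriptor for the three rules listed above and re-checks those rules in app code, since UIKit reports no pass/fail result for them. The names configureNewPasswordField, PasswordRuleFailure and passwordRuleFailures are hypothetical, and the descriptor string is an assumption written in Apple's password-rules syntax.

```swift
import UIKit

// Assumed descriptor for the three rules listed above (Apple's password-rules syntax).
let passwordRulesDescriptor = "required: upper; minlength: 8; max-consecutive: 2;"

/// Hypothetical helper: marks a sign-up field so iOS 12 can offer a strong password.
func configureNewPasswordField(_ field: UITextField) {
    field.isSecureTextEntry = true
    if #available(iOS 12.0, *) {
        field.textContentType = .newPassword
        field.passwordRules = UITextInputPasswordRules(descriptor: passwordRulesDescriptor)
    }
}

/// Hypothetical result type for the manual check below.
enum PasswordRuleFailure: Equatable {
    case tooShort(minimum: Int)
    case missingUppercase
    case tooManyConsecutive(limit: Int)
}

/// Hypothetical helper: re-checks the same three rules for a password the user
/// typed by hand, because passwordRules only guides the AutoFill generator.
func passwordRuleFailures(for password: String,
                          minLength: Int = 8,
                          maxConsecutive: Int = 2) -> [PasswordRuleFailure] {
    var failures: [PasswordRuleFailure] = []
    if password.count < minLength {
        failures.append(.tooShort(minimum: minLength))
    }
    // "upper" in the descriptor means the ASCII letters A-Z.
    let asciiUpper: ClosedRange<Unicode.Scalar> = "A"..."Z"
    if !password.unicodeScalars.contains(where: { asciiUpper.contains($0) }) {
        failures.append(.missingUppercase)
    }
    // Find the longest run of one identical character.
    var longestRun = 0
    var currentRun = 0
    var previous: Character?
    for character in password {
        currentRun = (character == previous) ? currentRun + 1 : 1
        longestRun = max(longestRun, currentRun)
        previous = character
    }
    if longestRun > maxConsecutive {
        failures.append(.tooManyConsecutive(limit: maxConsecutive))
    }
    return failures
}
```

Enforce the same rules on the server as well, since a user can decline the suggested password and type their own.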

Saving the password to the keychain

In order to save the password to the keychain so the user can retrieve it (and access it on Mac/in Safari), your app must have an associated domain. If your app already supports universal links, you may already have this set up.

If not, you will need to generate an apple-app-site-association file to put on your website, and add the Associated Domain entitlement to your app as described here.

Once you have set this up, the application will download the apple-app-site-association file from your website to lock in the association when it is installed. If you are testing this for the first time from code and it doesn’t work, try deleting and re-installing the app to force the app to download the file.

When we first attempted to use Automatic Strong Passwords during early betas of iOS 12, we were unable to get the entire process to work, where passwords were saved to iCloud Keychain. With the public release of iOS 12.0 we can, though!

If you don’t see the Automatic Strong Passwords keyboard appear, check the console in Xcode for a message like this:

[AutoFill] Cannot show Automatic Strong Passwords for app bundleID: your.bundle.id due to error: Cannot save passwords for this app. Make sure you have set up Associated Domains for your app and AutoFill Passwords is enabled in Settings

Just like it says, there are two things to check on the device:

  • iCloud Keychain sharing must be turned on
  • AutoFill must be turned on

It took a few tries to verify that everything was working after creating an appropriate apple-app-site-association file, including deleting and reinstalling the app and running the app without a debugger attached.

Conclusion

Despite a few bugs in early iOS 12 betas, we are excited to be able to provide automatic strong passwords for our users.
