Keys are saved as part of iCloud backup #330
Comments
I'm in the same boat. I chose this app because I didn't want any kind of backup or syncing of my keys. The technical details are that Authenticator uses OneTimePassword. When using return [
kSecAttrGeneric as String: data as NSData,
kSecValueData as String: generator.secret as NSData,
kSecAttrService as String: kOTPService as NSString,
]The only thing I know of that tells these keychain items "sync" with iCloud is to use I'll see what I can do to reproduce this. I currently only have one iOS device. If I were to guess as to what's going on I would say an update to iOS has introduced additional backup features. |
|
The keychain API attribute usage in OneTimePassword was intended specifically to allow token secret keys to be backed up in an encrypted local backup, but not to be backed up in an (unencrypted) iCloud backup. At the time it was implemented, this was the default behavior for Keychain items saved without any special sync-related attributes. I heard a passing mention a while back that Apple was starting to include saved keychain items in iCloud backups, whereas previously all keychain items had been excluded from iCloud backups. I tested this behavior (both months ago and again recently), and an iCloud backup restore did not restore saved tokens – but I'm realizing now that the iCloud account I tested this on did not have iCloud Keychain turned on. Based on @4ad'a report, my hypothesis is that:
This is just a hypothesis at this point. I have a spare iOS device on hand and will try to test this, though due to other commitments the earliest I can carve out time for that testing may be next week. Thank you @4ad for the clear bug report, and thank you @beaucollins for following up with more info! |
|
Hi, I am using today Google Auhtenticator and my concern is that all service with 2FTA will not be accessible if I lost my phone :) because not backup is done. Thus I am searching a way to backup those keys somewhere (but in a controled place :)). But in iCloud ... this is not my favorite place :) |
|
After more read -> Backup if the backup is encrypted :) |
Did you ever get around to testing this? I only have one iOS device and would like to know if I have to manually do an encrypted backup to my computer or if I can rely on iOS keychain iCloud backups to backup all of my codes for me, also how do I see where they would be marked for sync so I know if they're getting backed up to the cloud? I would test to see but sadly I am limited to one iOS device! Thanks. |
|
@bluepaww I would recommend making a secure backup before trying anything. However, I have restored two different devices, mine and a family members, and both of them had their two-factor codes restored from iCloud. In both cases iCloud keychain was configured and active for the relevant iCloud accounts. |
|
I realise this is only a related question, but it does seem relevant to the issue described here and I can't find an answer anywhere else. With regard to the standard "migrating from old iPhone to new iPhone" procedure as per https://support.apple.com/en-gb/HT210216 -- is the expected behaviour that Authenticator secrets would be migrated successfully from the old to new device, or not? |
What did you do?
What did you expect to see?
What did you see instead?
System configuration
Default iOS configuration with iCloud backup and iCloud Keychain enabled.
Additional notes
I realize that the backups are encrypted, but this is certainly is not the behavior I expect. In fact, I chose this app precisely because I thought it didn't do this. I am not sure if the application state persists because of the iOS backup, or if it's saved by the iCloud Keychain.
Also something seems wrong here because in other issues people want some kind of sync/backup/restore functionality, but that functionality seems to be present already.
The text was updated successfully, but these errors were encountered: