iCloud Keychain is end-to-end encrypted among all your devices and uses iCloud only for syncing your passwords and other shared keychain entries. As I’ve written previously in “Why iCloud Keychain may prompt you for a device password used with other Apple hardware you own,” Apple relies on device passcodes in a special way as you add devices to an iCloud Keychain set.
With your first device, you’re simply enabling syncing. Apple requires that you enter the password or passcode on that device to prime the pump. That encrypted password is used to wrap all your iCloud Keychain entries. The next device you add will prompt you to enter the passcode or password of the device you started iCloud Keychain with. Entering that secret unlocks the iCloud Keychain sync and adds your new device to the set of legitimate keychain sync partners. Because you enter the passcode or passphrase on a device under your control, it never leaves your hardware: Apple doesn’t learn it; it’s a secret only you know, used to unlock the syncing operation.
One reader, however, was shocked when restoring an iPhone that they were prompted to enter the password of a computer they no longer owned—one they double-checked had been removed from their set of registered devices. Surely that was a security leak? They were concerned that whoever possessed their old computer might have access to their keychain secrets.
Fortunately, that’s not the case, though Apple surely should have a way to clear this prompt when devices are removed from iCloud (a restored backup may be a case it can’t cover). Only the encrypted passcode of that older device lingered, most likely within the iPhone backup. When prompted to enter it, the reader was only unlocking their local keychain set.
While this request looked sketchy or problematic, it was poorly labeled rather than a security hole.
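To make the wrapping model described above concrete, and to show why a lingering entry from a removed device is not a leak, here is an added, simplified illustration. It is not Apple’s code or protocol (Apple’s real design involves hardware-backed escrow and other machinery this does not model); the class and function names (Device, KeychainSync, wrap, unwrap, derive_wrapping_key), the sample passcodes and the HMAC-based stream cipher standing in for a real AEAD such as AES-GCM are all assumptions made for the demo. The only thing the sync service or a backup ever holds is the keychain key wrapped under a key derived from each device’s passcode, so a wrapped entry for a device you no longer own still needs that device’s passcode, which only you know.

```python
# Added illustrative model of passcode-wrapped keychain sync. NOT Apple's protocol
# or code; every class, function and sample value here is an assumption for the demo.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

KDF_ITERATIONS = 100_000  # slow, salted derivation so a leaked blob resists guessing


def derive_wrapping_key(passcode: str, salt: bytes) -> bytes:
    """Turn a device passcode into a 256-bit wrapping key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, KDF_ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode: a stand-in for a real cipher, since the stdlib has no AES.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(wrapping_key: bytes, secret: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. Only this blob ever leaves the device."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(wrapping_key, nonce, len(secret))))
    tag = hmac.new(wrapping_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(wrapping_key: bytes, blob: bytes):
    """Return the secret, or None if the key (that is, the passcode) is wrong."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(wrapping_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(wrapping_key, nonce, len(ct))))


@dataclass
class Device:
    name: str
    passcode: str  # never stored or transmitted; only used locally to derive a key
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))


class KeychainSync:
    """What the sync service holds: the shared keychain key, wrapped once per enrolled device."""

    def __init__(self) -> None:
        self.wrapped = {}  # device name -> (salt, wrapped keychain key)

    def enable_on_first_device(self, device: Device, keychain_key: bytes) -> None:
        key = derive_wrapping_key(device.passcode, device.salt)
        self.wrapped[device.name] = (device.salt, wrap(key, keychain_key))

    def add_device(self, new_device: Device, existing_name: str, entered_passcode: str) -> bool:
        """The new device types an existing device's passcode; the unwrap happens locally."""
        salt, blob = self.wrapped[existing_name]
        keychain_key = unwrap(derive_wrapping_key(entered_passcode, salt), blob)
        if keychain_key is None:
            return False  # wrong passcode: nothing is learned and nothing is enrolled
        key = derive_wrapping_key(new_device.passcode, new_device.salt)
        self.wrapped[new_device.name] = (new_device.salt, wrap(key, keychain_key))
        return True

    def remove_device(self, name: str) -> None:
        self.wrapped.pop(name, None)


def demo() -> dict:
    """Walk through the article's scenario and report what each step yields."""
    keychain_key = secrets.token_bytes(32)  # constructed sample keychain key
    mac = Device("old-mac", "correct horse battery")  # constructed sample passcodes
    iphone = Device("iphone", "482913")

    sync = KeychainSync()
    sync.enable_on_first_device(mac, keychain_key)
    wrong = sync.add_device(iphone, "old-mac", "wrong guess")
    right = sync.add_device(iphone, "old-mac", mac.passcode)

    # A backup keeps a copy of the Mac's wrapped entry; then the Mac is removed from the set.
    lingering_salt, lingering_blob = sync.wrapped["old-mac"]
    sync.remove_device("old-mac")

    # Without the old passcode the lingering blob yields nothing...
    stranger = unwrap(derive_wrapping_key("some other guess", lingering_salt), lingering_blob)
    # ...while the owner, prompted for that passcode on restore, unlocks the same keychain key.
    owner = unwrap(derive_wrapping_key(mac.passcode, lingering_salt), lingering_blob)

    return {
        "wrong_passcode_rejected": wrong is False,
        "right_passcode_enrolls": right is True,
        "passcode_absent_from_blob": mac.passcode.encode() not in lingering_blob,
        "stranger_gets_nothing": stranger is None,
        "owner_recovers_key": owner == keychain_key,
        "mac_no_longer_enrolled": "old-mac" not in sync.wrapped,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Running the block walks through the reader’s situation: the prompt for the old Mac’s passcode is the owner unwrapping a blob that only ever contained ciphertext, so anyone holding the old hardware or the backup without that passcode recovers nothing.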
When the reader disabled iCloud Keychain on all their devices and re-enabled it, they weren’t prompted for the password on an old Mac again—or any passcode at all. The devices all retained enough mutual security elements associated with the iCloud identity that re-authentication wasn’t required.
This Mac 911 article is in response to a question submitted by Macworld reader Andrea.
Ask Mac 911
We’ve compiled a list of the questions we get asked most frequently, along with answers and links to columns: read our super FAQ to see if your question is covered. If not, we’re always looking for new problems to solve! Email yours to mac911@macworld.com, including screen captures as appropriate and whether you want your full name used. Not every question will be answered, we don’t reply to email, and we cannot provide direct troubleshooting advice.