Transcript
Micah Sargent (1:15)
Coming up on Hands on Apple, we continue our look at the Passwords app and the suggestions I have for you therein. Stay tuned. This episode is brought to you by OutSystems, a leading AI development platform for the enterprise. Organizations all over the world are creating custom apps and AI agents on the OutSystems platform, and with good reason. Build, run and govern apps and agents on one unified platform. Innovate at the speed of AI without compromising quality or control. OutSystems is trusted by thousands of enterprises worldwide for mission-critical apps. Teams of any size and technical depth can use OutSystems to build, deploy and manage AI apps and agents quickly and effectively without compromising reliability and security. With OutSystems, you can accelerate ideas from concept to completion. It's the leading AI development platform that is unified, agile and enterprise proven, allowing you to build your agentic future with AI solutions deeply integrated into your architecture. OutSystems: build your agentic future. Learn more at outsystems.com/twit. That's outsystems.com/twit. Podcasts you love from people you trust. This is TWiT. Welcome back or welcome to Hands on Apple. If this is your first time, go back at least and watch the last episode of the show. That is the first of the Passwords app series that I'm currently doing. We are taking a look at Apple's built-in Passwords app to help you understand how to use the Passwords app, what you need to know about it. Now, if you were here last time, well, we walked through the Passwords app, what it is, where it came from, how you handle the basics, and if you did do your homework, well, you already know that you've probably got a lot of passwords, and in fact, you may have gone through and gone as far as to remove some of the junk. So now that we've got it kind of, you understand it a little bit, you've cleared things out, it's time to dig in and take things a step further.
So today we're going to be talking about two-factor authentication, about passkeys, and even tackling the security alerts that Apple has within the Passwords app. So let's dig in. First and foremost, here we are on macOS and we are looking at verification codes first, otherwise known as TOTP, these time-based one-time passwords. Many of you will know that as 2FA or two-factor authentication. But the actual thing of having a code that changes every 30 seconds, it's usually a six-digit code, it is itself called a TOTP, a time-based one-time password. The way that this works is there's some sort of QR code or code that you copy and paste, and that will help the algorithm generate a six-digit code that expires after a certain period of time, 30 seconds. You put that code in and the app knows, the app or the service knows, that it's you. So when you are creating an account, this is the way to go about it. And there are a few ways to figure out how to get a QR code added. The cool thing is, for the most part, your Passwords app is going to do a lot of the work for you. So on iOS it can automatically generate these codes. On macOS it can also do that. Excuse me. And it can also autofill them. So what does that look like? Well, so let's head to the Passwords app and see what we have here. For example, we have an account, Amazon. And right now, while it does have a password, it does not have a two-factor authentication code. So what I have done is I've gone to the Amazon site, I've created an account and I want to add two-factor authentication. This will work whatever site or service you're using, so long as the site or service has two-factor authentication. So I'll head into the login and security section for Amazon, and depending on the app, you may be able to tap or click Set up code and have it provide this information for you and get you to the right place. So let's look at this page. Here we can see two-step verification is an option.
We're going to choose to turn that on, and we can either use our mobile phone number, which is what we don't want to do, or use an authenticator app. We want to do the authenticator app. Now, up pops a QR code. But here's the problem. We're on macOS. How do I get that QR code to work with my password app? Well, if you right-click on the code, you should see an option that says set up verification code. Clicking on that then pops up the different options that we have here. We want to choose the Amazon option and choose add code. And then once that's done, you'll see that there's a code that appears. It is automatically using that barcode. And now I have a little prompt that says, do you want to enter the verification code? Once I've done that, then it goes through the process and properly displays the code for me. Now, depending on the site, you may have an attempt or a change to the way that the site is looking at your security. So for example, Amazon did send a code to my email to make sure that that was indeed me. That did properly allow me to set up two-step verification. So that is now set up, and if I were to log out, which I want to do, of this account, we'll head back to macOS and I can see that I've got my Amazon account. All I have to do is put my finger on the Touch ID to authenticate. It automatically types in the username, it puts in the password, and now it asks for the OTP. And now I have access to my Amazon account. So setting up two-factor codes, very easy to do. It will automatically fill those for you after you're done. Now, something important to understand. If you are moving from another authenticator app to the Passwords app, you may struggle with getting these two-factor authentication codes set up. So my recommendation for you is, as you are importing, kind of going step by step through the process of making sure that all of your 2FA codes are properly scanned in, are properly added in, so that you are able to use those.
So just before deleting all of your codes from a previous app, don't do that. Save them, get them typed in, make sure they're all there, and then you can go forth. So that is two-factor authentication. We've talked about two-factor authentication for a long time. It gives you the ability to not only have a password, but if your password were to be guessed, if they don't have access to that special code that is created, then someone who's trying to access your account is still unable to do so. But there's actually a more secure method, and those are passkeys. And yes, the Passwords app does support passkeys. So let's take a look at how that works. First and foremost, it's important to understand that a passkey can replace your password entirely. You don't have to remember a string of characters, there's nothing to autofill. And instead your device and the website's server create what is called a key pair. And the server and your device work together to verify one another and make sure that it is indeed you who's accessing the account. You do have to have authentication through Face ID or Touch ID or a passcode, but outside of that there's no verification requirement, and people can't steal these passkeys. Unlike a password, which can be stolen. Unlike a six-digit code sent to a phone number, which could be stolen by copying the SIM and being able to access some sort of SIM jacking attempt. So how do we create a passkey? Well, let's head over to macOS again. Luckily Amazon has passkey support, so we'll go up to our account and we will head back into login and security. And there's another option here, it says passkey. We choose set up and we click set up one more time. This will automatically have the system be notified, letting it know that I'm trying to create a password. If I tap to authenticate with my finger, it saves that passkey to the Passwords app.
And now if I open the Passwords app and I look at Amazon, I can see that not only is the QR code or the two-factor code here, but I also have a passkey that was created here. You can see a passkey is here and it gives a little bit more information about it. Now if I go up to my account and I sign out, I can then go back to Amazon, whoops. And I can sign in. I'll put in my username, hit continue. And now it asks, do you just want to sign in with your passkey? I do. So authenticate with my finger and I get to skip the password. I'm back in. No problem. Now, depending on the site or service, passkeys may look different. In some places they work as a second factor of authentication, but many of them are trying to be simply just the way that you log in. So if you are trying to access this device then, or your accounts, make sure you know whether you're going to be needing to use a password or a passkey, and if passwords can be disabled in place of passkeys. There's a lot to consider when it comes to using passkeys as a replacement for passwords. You want to make sure you have iCloud Keychain turned on across devices because those passwords will sync across devices, which means that when you try to log in on your phone or your iPad, it's also going to work there as well. So that's a look at the passkeys and two-factor authentication codes or TOTP codes. There's one last thing that I want to talk about, and that is security recommendations. So Apple has some different security recommendations that it will give you based on what is going on with your passwords. So what happens? Well, the app is going to look at your passwords and it's going to mark them in some different ways. It may mark them as reused, it may mark them as weak, it may mark them as leaked. If it marks them as reused, you can guess what that means. It means that it's shaming you for using the same password on different sites.
So if you use the same password for more than one service, you are making yourself vulnerable because the weakest of those services, security wise, is the one that will be responsible for you having that password that you've then used on more sites leaked and available for people to take and make use of. Passwords marked as weak are passwords that can be guessed by an attacker, either they themselves or through the use of a computer program which can crack passwords. And then passwords marked as leaked are only there if you turn on the password monitoring feature. And what happens is the system will listen for services that provide data on whether your passwords and your information have been leaked to the web somehow and then let you know that that's the case. Now, because this account doesn't have many passwords in it, I currently don't have any security recommendations. It is likely that you will have at least one. Follow through that process to understand what you need to do when it comes to fixing these passwords. So if you have a compromised password, then those have appeared in known data breaches. It doesn't necessarily mean that your account itself was breached, but the password you're using has shown up and that therefore it's vulnerable. Reused passwords, obviously one's breached, they're all breached. And then weak passwords, just way too easy to guess. Now, I recommend not trying to fix everything in one sitting. It is, it takes a long time. You might get burned out. So prioritize. Compromised passwords are incredibly important, particularly if they have anything to do with financial information. So check throughout the whole thing, your security recommendations, for any banking, credit cards, investment accounts, and email, because that is one of the ways that people can get your password or access to your other accounts. They get your email account username and password. They're in for the I forgot my password option across sites after that.
Then go with the reused passwords that are on important accounts and then those weak passwords that are on low-stakes accounts. So, you know, you one time signed into a site, needed to create an account. They can wait, but then, you know, clean them up over time. What's great is that the Passwords app does help you. You can tap on a flagged entry, which will give you a change password button that takes you directly to the site. You log in, you navigate to the password change screen. Then the Passwords app is going to a new strong password, you'll save it, and then it's going to be updated in the Passwords app automatically. So if you are struggling, this will help you get to where you need to get. And I think it's more of kind of a checklist feature, right? So here's my recommendation for you. Check this security category, say, once a month. Set yourself a reminder. Or perhaps it's every time you open this app. Think of it like checking your credit score. It's a quick glance to see if anything new has popped up. You don't have to regularly. You don't have to check it every single day, but regularly checking in is just a healthy habit. And then it's important to note that the app does proactively notify you if a saved password shows up in a new breach. So in that case, you don't have to be checking it to know that that's going on. So we've taken a look at all of the sort of additional security that you can do for your passwords. Here is your homework. Try to set up, if you have not yet done so, at least one verification code in the Passwords app. You can pick an account you log into often so that you know you'll actually experience this autofill workflow. You'll regularly use it. It'll also give you that warm fuzzy feeling of knowing that you're protecting your account. Go ahead and create a passkey on a site that supports it. If you have a Google account, that's a great place to start. It's very easy to do. And Google makes passkeys truly part of the login experience.
And then this is the big one. Please open that security category, fix two to three flagged passwords, and of course start with those most important accounts. So now if you've done these things, you have verification codes that are living right alongside your passwords, with autofill handling the heavy lifting. You've seen how passkeys work. They are being touted as the future of logging in. We'll see if that continues to be the case. And you've started chipping away at those lists, at that list of security alerts. Next episode, we're covering some of the more advanced features within the Passwords app, including shared password groups, the limitations you should know about, and the big question, which is, is that password app enough or do you still need a third-party password manager? We'll check in on that next time on Hands on Apple. But until then, I've been Micah Sargent and I thank you so much for tuning in. Bye bye. If you enjoyed this, well, there's something else you might like. If you want the big picture on what's happening in tech, subscribe to This Week in Tech. Leo Laporte and the panel bring you the story shaping the industry every Sunday.