Automatic Strong Passwords and Security Code AutoFill

Session 204 WWDC 2018

Passwords and security codes are a modern necessity required for security and privacy. iOS 12 eases the tedious aspects of account setup and sign-in by automatically suggesting and using strong, unique passwords — even from within apps — and by bringing one-time codes to the QuickType bar so users can fill them with one tap. Learn how to optimize your app to ensure that password, security code, and other AutoFill features provide a seamless way for your users to be more secure.

[ Music ]

[ Applause ]

Good morning.

Welcome to Session 204, Automatic Strong Passwords and Security Code Autofill.

My name is Chelsea.

You may have seen Automatic Strong Passwords and Security Code Autofill in the State of the Union, yesterday.

I'm really excited to tell you more about these features, today.

These new features and other features in iOS 12 will help users log into and create accounts with ease in your app.

If you have a login screen or an account creation screen in your app, this session is for you.

app, this session is for you.

A major pain point for users is dealing with passwords.

They can be a pain point, even for people that use the best practice, which is to use a password manager to create and fill passwords for them.

For everyone else it can be tempting to do something easy but insecure, like reuse a password they're already using on another service or use an easy to guess password that they can memorize.

We know that the most private secure thing for your users is to use strong unique passwords for each service that they use.

We've all heard of breaches in services that result in users' passwords being exposed.

Users then need to go and change their password on every service where they were using it.

The features that we'll discuss today will help users choose strong unique passwords for your apps.

This way, you both help users that are trying to consciously that are trying to consciously use best password practices, as well as your users that would rather not think about passwords.

Many of your users use the iCloud Keychain.

The features that we're going to talk about today are built on top of the Keychain.

It has best in class security and it protects users' passwords behind biometric authentication.

Apple does not have access to the credentials stored in Keychain, so users' privacy is preserved, as well.

The iCloud Password Keychain Manager can help users log into and create accounts in your app.

We've added some new features on iOS 12 to help make account creation and login even easier.

I'm really excited to show you these features with a demo.

So, I'm going to go to the Shiny app.

This is my favorite demo app for creating an account and logging back into it.

So, I'm going to go ahead and create and tap create account.

I'll focus the email field and you'll see that I've been given a suggested username.

This is a new feature on iOS 12.

These suggested usernames are based on credentials that the user already has stored in the Keychain.

Since I always use Chelsea@example.com, I'm going to select that as my username.

Without another tap, the password field is focused for me and a strong unique password has been provided.

I'm also told that I can go and look up this password in Settings at any time.

So, if I need to go and type it onto another device where iCloud Keychain is available, it's available to me.

So, I'm going to go ahead and use this strong password and sign up.

So, with just a couple of taps I'm logged back into the Shiny, or I'm signed up for the Shine app.

Now, let's fast forward through all of the other account setup.

I've turned on second factor authentication.

And let's look at what logging back into Shiny looks like.

So, I'm going to go ahead and tap the email field.

As you can see, the credential I just created is suggested right on the QuickType bar.

on the QuickType bar.

Going to select that.

And then, after Face ID, my password and username are filled and I can log in.

Now, I've set up second factor authentication.

Normally, I'd need to try to memorize this code or go back to Messages.

But as you can see, the code that I just received for second factor authentication is right on the QuickType bar.

So, with one tap I can fill the code.

Yeah. It's really awesome.

[ Applause ]

So, I can fill that code, submit, and again, with a minimal number of taps I'm logged back into Shiny.

Back to the slides.

So, as you saw, creating an account with Automatic Strong Passwords is quick and easy.

I didn't think about the password, since one was provided for me and inserted into the password field.

I also didn't think about the password when logging back into Shiny.

Passwords have truly become an implementation detail to logging into my app with Automatic into my app with Automatic Strong Passwords and Password Autofill.

Here's today's agenda.

First, we're going to do a quick recap of Password Autofill, since many of the features that we'll talk about today are built upon that feature.

Next, we'll talk about how to ensure that Automatic Strong Passwords works in your app.

Then, we'll talk about Security Code Autofill.

Next, we'll talk about federated authentication with a third-party service.

And finally, we'll discuss some new password management features that the iCloud Password Keychain Manager provides.

In iOS 11, we introduced Password Autofill for apps.

Some of the new features that we're going to discuss today are built upon the same adoption you may have done for that feature.

Password Autofill helps users log into your app by surfacing credentials right on the QuickType bar.

Here's a quick recap of how to ensure that it works in your app.

Passwords in the iCloud Keychain Passwords in the iCloud Keychain Password Manager are stored based on domains on the Web.

Like Apple.com.

Thus, it's important to have an association between your app and the domain on the Web.

This way, we're able to confidently surface credentials on the QuickType bar.

You already have this association if you've adopted Universal Links or Handoff.

The process of adding this association is pretty simple.

You'll have a small change to your apps Entitlements file and you'll serve a file from your domain on the Web.

If you'd like to see an in-depth look at how to set this up, see Introducing Password Autofill for Apps from WWDC 2017.

It's important to always tag your fields with text content type, so that Autofill can be offered at the right place.

Tag your username fields with the username content type.

Tag fields where users are going to be filling, or passwords for existing accounts with a password content type.

password content type.

If you've chosen not to use Secure Text Entry for your password fields, it's particularly important that you tag your fields with the password content type.

This way, we know we're in a password context.

Now, that we've discussed how to get Password Autofill working in your app, let's talk about some improvements that it has.

Since, iOS 11.3, WKWebView supports Password Autofill.

This helps your users if your login screen is implemented using Web technologies.

New to iOS 12, password managers from the app store can provide information to Autofill.

This means that any work you do to support the iCloud Keychain Password Manager filling credentials in your app, also, helps users of these other password managers, as well.

If you're a developer of a password manager, see Implementing Autofill Credential Provider Extensions.

On iOS 12, we now offer to save credentials when a user logs credentials when a user logs into your app with a new account.

This way, users can then use these credentials in your app and website on all of their devices.

Let's talk about how to ensure users are prompted to save and update passwords in your app.

Here's how saving works.

First, Autofill infers that we're in a login scenario.

Then, Autofill checks the eligibility of your app based on if there's an association between your app and the domain on the Web.

Without this association saving passwords will not be offered.

Next, it finds the username and password fields so that it knows which data to save in the new credential.

Then, it detects that a sign in action has occurred.

And finally, Autofill decided whether to prompt to save or update the password based on if this is as brand new credential that's not yet in the Keychain.

Or if the user is updating an existing credential.

Now, this may work with no Now, this may work with no changes to your app on iOS12.

But let's talk about some steps you can take to ensure that it works.

First, make sure to tag your fields with the username and password content types, like, with filling passwords.

Make sure to remove your username and password fields from the view hierarchy when a sign in occurs.

This way, Autofill can detect that a sign in is occurring.

You could do this by dismissing the view controller that your sign in fields are in.

Make sure to only clear the username and password fields after they've been removed from the view hierarchy.

This way, we can read out the data and save it into credential.

Make sure the Autofill saves the credential to the correct domain.

You can do this by saving a password in your app, and then going to Settings to check where the credential is saved.

If you notice that Autofill is not saving to the correct domain, you can override where it's saving using the Web credentials associated domain service.

Finally, you may have previously Finally, you may have previously been using SecAddSharedWebCredential to manually save credentials when a user logs into your app.

However, now that Autofill automatically prompts users to save passwords you may no longer need this.

You will still want to use this if your app has a web view for its login screen because saving is not supported there.

So, here are some of the key steps that we've discussed so far to make sure that filling and saving passwords in your app works.

Make sure to associate your app with the domain on the Web.

Tag your fields with the username and password content type.

And for saving passwords, ensure that login is detected by making sure that the saving prompt appears when you sign into your app.

By ensuring that Password Autofill works in your app, you help your users log in with ease.

For new users, one of the first encounters they'll have with your app is creating an account.

In my demo you saw how Automatic In my demo you saw how Automatic Strong Passwords made this process super easy.

I'd like to invite Reza to the stage to discuss how to ensure Automatic Strong Passwords works in your app.

Thank you.

[ Applause ]

Thank you, Chelsea.

Hi, everyone.

This is Reza and I'm really excited to tell you all about Automatic Strong Passwords.

Account creation is a point of frustration for many users.

They might even leave your app and never come back, or as many of them do, decide to use a weak password or keep reusing the same one.

This significantly reduces their security.

Although, it might be an alternative to account creation, some of you might have concerns about allowing social media to be used to sign into your apps.

Automatic Strong Passwords makes account creation just as easy.

It brings convenience and It brings convenience and security to the signup process.

Users no longer need to think about or worry about passwords.

Autofill even suggests usernames to ease the signup process.

With Automatic Strong Passwords, account creation is only a few taps away.

So, users are more likely to sign up and user your services.

Now, I'd like to talk about how Automatic Strong Passwords works.

Similar to what Chelsea explained in a login scenario, when your app presents a view controller Autofill infers its type.

In this case, it's a signup view controller.

It will then check the eligibility of your it will then check the eligibility of your app based on the associated domains to figure out if it can save passwords.

If that's the case, Autofill will then detect relevant signup form elements; the username and the password.

Once the username field become Once the username field become first responder Autofill suggests usernames.

This is a new feature we're adding in iOS 12.

The user proceeds with the suggested username.

And eventually, the password field becomes first responder.

Autofill automatically inserts a strong password into the password field.

At this point, the user only needs to proceed with the suggested password and sign up.

Autofill takes care of saving the password.

In many cases, this happens automatically without any adoption requirements in your apps.

However, in order to ensure your app's compatibility with Automatic Strong Passwords there are a certain number of steps you should take.

Many of these steps are identical to those Chelsea explained to make your apps compatible with saving.

Make sure to tag your username field with UI textContentType username.

New in iOS 12, make sure to tag your new password and confirm your new password and confirm new password fields with UI textContentType newPassword.

If you're using a UI table view to represent your signup form make sure to use unique instances of UITextField for the username and the password field.

This is important, because once Autofill detects username and password fields, it expects to be able to reliably read their values later on.

Some of you might have changed password forms in your apps.

Automatic Strong Passwords is compatible with change password forms if Autofill is able to detect username and password fields on the same screen.

Note that the username field can be Read Only.

Best practices that we discussed for signup forms, also, apply to change password forms.

Now, let's take a moment and talk about the format of these generated passwords.

The generated passwords are 20 The generated passwords are 20 characters long.

They contain uppercase, digits, hyphen, and lowercase characters.

This gives you a strong password with more than 71 bits of entropy.

We designed this to be a strong, yet compatible with most services.

It is, of course, possible for your apps to define their own custom password rules.

As I mentioned before, in most cases, you don't need to do this because the default format of Automatic Strong Passwords should be compatible.

However, if your app's backend requires a separate set of rules that are not compatible with the default format of Automatic Strong Passwords, you could define your own rules.

To do so, use the new password rules language in iOS 12.

Following the format of the password rules language, create a rulesDescriptor.

Using the rulesDescriptor create an instance of UITextInputPasswordRules and UITextInputPasswordRules and assign it to the password rules property of UITextField.

Once you do this, Automatic Strong Passwords will generate passwords based on these rules.

We have also created a new web-based Password Rules Validation Tool.

Use this tool to ensure the rules that you specify are correct and produce the type of passwords that you expect.

I'll talk more about this, shortly.

Now, that we talked about the steps it would take to make your apps compatible with Automatic Strong Passwords, I'd like to show you a demo.

I'm the developer of the Shiny app and I want to make sure that Shiny is compatible with Automatic Strong Passwords in iOS 12.

So, the first thing to do is to run Shiny using the iOS 12 SDK and try it out.

So, in Xcode I'll click on Run.

And here is Shiny.

I'll tap on Create Account.

I'll tap on Create Account.

Tap on Email.

And I don't see any suggested username.

When I tap on the Password field I don't see any Automatic Strong Passwords suggestion, either.

So, let's go back to Xcode and investigate this, further.

The first thing to make sure of is associated domains for your apps.

In this case, I've already ensure that Shiny has an associated domain.

In fact, earlier today I was able to get Autofill suggestions when I wanted to logging into Shiny.

Next, you should take a look.

You should take a closer look at your signup view controller.

I'll click on the Email field.

And here, under Text Input Traits, Content Type, I see that I'm correctly setting the content type to username.

And because I want the format of this username to be of type email address, I'm also email address, I'm also correctly setting the Keyboard Type to Email Address.

So, this is good.

Let's take a closer look at the Password field.

I see that the Content Type is set to Unspecified.

This should, actually, be set to New Password.

So, I'll select New Password, here.

And because this is a password field, I'm going to mark it as Secure Text Entry.

All right.

Let's run Shiny again and try it out.

:15 Okay. Tap on Create Account.

Tap on Email.

Here, I see I'm getting suggested username, now.

I'm going to go ahead and proceed with the suggested username.

I also, see Automatic Strong Passwords.

So, in most cases, this should be enough and you should be done.

Let's proceed with the signup process.

For the purpose of this demo, I'm requiring Shiny passwords to contain a dollar sign.

This means that we need to specify our own custom password rules for Automatic Strong Passwords.

And actually, the best way to do so is using the new Password Rules Validation Tool.

Using the tool, I will be able to specify correct password rules, and also, ensure the rule will produce the type of password that I expect.

So, let's jump right in.

This is the new Password Rules Validation Tool that you can have access from developer.apple.com.

For the purpose of this demo, I'm allowing uppercase, lowercase, digit, and requiring at least a dollar sign to be present in my password.

At the bottom of the page I see some examples of the password generated.

I also, have the option to download a number of these passwords in case I need to run some tests in my app's backend.

Once I'm happy with the formatting of the passwords I have two options.

If I'm making a native app for UIKit, I can go ahead and copy the rules formatter for UIKit.

Or if I'm making a webpage I can copy the HTML formatted rules.

For this demo, since we are making a native app for UIKit, I'm going to go ahead and copy the UIKit version.

And once I've copied it, all I need to do is go back in Xcode, select the password, and paste in the rule in the Password Rule text field.

Now, let's run Shiny, again.

Okay. I'll tap on Create Account.

Tap on. I'm going to go ahead and proceed with the suggested and proceed with the suggested username.

And at this point, the password should be compatible with the rules that I just specified.

Let's proceed with the signup.

And just like that, I'm in.

[ Applause ]

Thank you.

We just saw how easy it is to make your apps compatible with Automatic Strong Passwords.

Than you, Reza.

As Reza showed you, these are some steps you can take to ensure that Automatic Strong Passwords works in your app.

Make sure to associate your app with the domain on the Web, just like filling and saving passwords.

Make sure to tag your fields with the username and new password content types.

Ensure that signup is detected by checking that when you sign up for your app the password is saved.

Most of you will be done after doing these three things.

However, if your service is not compatible with Apple's password compatible with Apple's password generation format you may want to use some password rules on your password text field.

To ensure that Automatic Strong Passwords generates a compatible password.

By ensuring that Automatic Strong Passwords works well in your app, you're setting your users up for success by encouraging them to use a strong unique password in your app.

Some of your apps and services may use SMS, or security code sent via SMS to your users.

I'd like to invite Harris to the stage to discuss how you can service these codes right in your app.

[ Applause ]

Awesome.

Thank you, very much, Chelsea.

Hello, everyone.

My name is Harris and I am super stoked to talk to you about Security Code Autofill.

But first, this section needs a little bit of audience participation.

So, show of hands, how many of you have ever gotten a text message that looks something message that looks something like this?

All right.

I think it's fair to say that most of us have to deal with these codes on a fairly regular basis, these days.

All right.

Question of the second, after getting one of these text messages how many of you go through a process like this?

Where you think you have the code memorized, you type it in, you switch the last two digits around, and then you have to do it all over, again.

Let me see those hands.

All right.

Final question.

After going through this process, how many of you feel something like this?

All right.

So, let me tell you it doesn't have to be this way.

Because starting in iOS 12 and macOS Mojave, we're introducing Security Code Autofill.

A brand new feature which takes all the pain and frustration out of message based second factor flows.

Now, it is important to note that Security Code Autofill does that Security Code Autofill does not alter the calculus around the security of second factor methods.

What it merely does is remove the indignity out of having to type the code in yourselves in the age of computers.

Nothing more, nothing less.

[ Applause ]

So, starting in the new iOS and macOS, instead of exercising your memorizing skills you get to do something like this.

Just one tap, right on the QuickType bar, and you're signed in.

And hopefully, at the end of this process, you feel a little bit more like this.

All right.

So, let's talk about some technical details.

As with other Autofill features, Security Code Autofill will work in your apps right out of the box, most of the time.

Still, you can do just a tiny bit of work to ensure that Security Code Autofill works every single time.

We've told you this before but We've told you this before but tag your fields.

In iOS 12 we're introducing a new UITextContentType with the value oneTimeCode.

Tag your security code fields with this and Security Code Autofill will work every time.

Additionally, it is very important that you allow usage of the system keyboard for inputting these codes.

Tempting as it may be, you should refrain from building Bespoke keyboard UI's within your view hierarchy or setting custom input views in your controls.

Because if you do so you are preventing iOS from surfacing the necessary UI or injecting the appropriate events to type the code in on behalf of your users.

And additionally, you may be hampering the experience of folks that leverage accessibility technologies like voiceover.

So, bottom line is let the system keyboard do the heavy lifting for you and Security Code Autofill will work every time.

Another step that you can take to ensure that Security Code Autofill works great with your Autofill works great with your service is to craft your text message, accordingly.

iOS and macOS use data detector heuristics to infer that an incoming message carries a security code.

Specifically, our heuristics are looking for words like code or passcode in proximity to the actual code string.

And you can see a few sample text messages in different languages in the slide behind me.

Now, verifying that your specially crafted message properly triggers the iOS and macOS heuristics is super simple.

You can be your own best friends and simply text yourselves.

Then, when you go into the message transcript and you see the code being underlined and tapping the code offers you a Copy Code option, you know you have it right.

Security Code Autofill is available in all supported locales of iOS and macOS.

And if after following these best practices you find that you cannot get Security Code Autofill to trigger appropriately inside of your app appropriately inside of your app or website, please let us know by filing a bug report.

We'll be looking out for them.

So, so far, we've talked about getting Security Code Autofill to work within your native iOS apps.

Security Code Autofill is also available in iOS Safari on websites and, and this is pretty cool, if your users are signing into your service in Safari on their Mac, text message forwarding securely pushes incoming messages from their iPhone to their Mac.

Now, what this means is that they can fill in a security code with a single click in Safari's completion UI.

You no longer have to switch back to Messages to copy the code out or, you know, go find your iPhone all the way across your home.

It's really cool.

[ Applause ]

To support Security Code Autofill in Safari, we are introducing a new input autocomplete attribute value one-time-code.

In fact, all of the UI Text Content Types that you heard about today have web platform equivalents that you can leverage to ensure a smooth seamless autofill experience in your websites, just as well as in your apps.

You've heard this before but tag your form fields this time and Autofill will work great every time.

So, this was a brief introduction to Security Code Autofill, a brand new addition to iOS 12 and macOS Mojave that takes all the pain and all the frustration out of message based second factor flows.

Now, with the Autofill features that we've introduced today, it becomes super simple for you to build a relationship with your users while safeguarding their security and respecting their privacy.

Still, some of you may find that you have to support federated authentication flows with third party providers, such as popular social networks.

For those of you among the audience, we are introducing in audience, we are introducing in iOS 12 a new API to support such flows.

We call it ASWebAuthenticationSession and I would like to show you how it works.

Now, here I am back in the Shiny app.

And this time I will choose to log in with example.com, a super popular social network.

Now, as soon as I tap the button the app under the hood calls in to the new ASWebAuthenticationSession API.

Now, one of the ways in which ASWebAuthenticationSession makes logins faster is by sharing its underlying cookie storage with Safari.

Now, of course, before we do any of this, iOS asks for explicit user consent.

Upon consenting, the user is presented with a secure view controller and guided through the third party's federated authentication flow.

In this case, I'm already signed into example.com in Safari on my iPhone, so all I have to do is tap Allow.

There we go.

And with just two taps I've gone through a full federated authentication flow with a third-party service.

So, in the past you may have used one of the other iOS platform technologies to implement federated authentication inside of your apps.

Starting with iOS 12, ASWebAuthenticationSession is the go-to way to implement such flows.

As we mentioned, already, ASWebAuthenticationSession makes login flows faster by sharing its underlying cookie storage with Safari upon explicit user consent.

Now, what this means is that depending on the implementation of the federated authentication flow by the third party.

If your user is already signed into that service in Safari on their device, they may not even have to see a login form, at all.

If they do have to see a login form ASWebAuthenticationSession supports Password Autofill and Security Code Autofill to make the experience as painless as possible.

And for you developers, ASWebAuthenticationSession ASWebAuthenticationSession offers a straightforward block-based API that makes adoption super simple.

So, let's take a look at it.

Now, let's see how simple it is to implement federated authentication using ASWebAuthenticationSession.

You're going to start off by importing the brand new AuthenticationServices framework.

And then, you simply define the oauthURL as it's described to you by your third-party authentication provider.

Now, following this you will create an ASWebAuthenticationSession object.

You're passing the oauthURL and a callback handler that gets involved at the end of the authentication session.

Now, it is crucial that you hold onto a strong reference to the authentication session object while the session is in flight.

And by doing so, you also have the ability to cancel an ongoing session should you choose to do so.

Finally, you call the nonblocking start method.

Upon doing so, first iOS will ask for user consent to share ask for user consent to share the underlying Safari, the underlying cookie storage that Safari has with your session.

And then, the user is presented with a secure view controller and guided through the authentication flow.

When the user completes the authentication flow or if they cancel out of the authentication session, your completion handler gets involved and you can handle the result.

And that's how simple it is to implement federated authentication in iOS 12, using ASWebAuthenticationSession.

It only takes a few lines of code.

Starting with iOS 12 this new API is the go-to way to implement federated authentication and it replaces SFAuthenticationSession.

If you find that you have to support federated authentication inside of your apps, we strongly encourage you to adopt this new API.

And with that, I'll turn things over back to Chelsea, to talk to you about a number of super cool new password management features that we built right into iOS 12 that we built right into iOS 12 and macOS Mojave.

Thank you, very much.

[ Applause ]

Thanks, Harris.

I'm really excited to tell you about some of the new features that the iCloud Keychain Password Manager gives you in iOS 12 and macOS Mojave.

You may have seen some of these in the State of the Union, yesterday.

What we've talked about, so far, is how you can help users log into and create accounts in your app.

However, there are some cases when users will be interacting with accounts for your app when they're outside of the context of your app.

For these cases we've added some features to the iCloud Keychain Password Manager to make managing and interacting with these accounts a breeze.

If a user needs to look up a password, they can now simply ask Siri.

They'll be taken right to their password after authentication.

This way, they can read off their password to type into another device that doesn't have iCloud Keychain.

Some users may share account Some users may share account information for services like utilities.

In order to share this information, users can now AirDrop passwords to their contacts.

On iOS 12 the password list UI is redesigned so it's more scannable and delightful to interact with.

The password list UI in macOS has been redesigned, as well.

And it looks great.

Another new feature of the iCloud Keychain Password Manager is it now warns users if they're reusing passwords across multiple websites.

When the user taps on one of these passwords they'll be given the option to change their password on the website.

Automatic Strong Passwords on the web can help them update to using a strong unique password for that service.

The Password Reuse Auditing feature is built right into the Safari Passwords List on macOS, as well.

Last but not least, your tvOS Last but not least, your tvOS apps can now offer to autofill from a nearby iOS device.

[ Applause ]

In order, to learn more about this incredibly convenient feature see the Password Autofill section of the What's New in tvOS 12 session.

In summary, Autofill is a powerful platform feature that helps users interact with accounts in your apps.

As we discussed, the features that we talked about today may work with no changes to your app, however, it's important that you test your app with these new features.

Apply the recommendations that we discussed today.

If after applying these recommendations, Autofill is not working as you'd expect, please file a bug report.

We'd love to hear from you.

To use the Password Rules Validation Tool that Reza showed you during his demo, you can visit the URL listed here.

Here are some related sessions you might be interested in.

you might be interested in.

If you're a developer of a password manager, see Implementing Autofill Credential Provider Extensions.

If you'd like to learn more about Password Autofill for apps, see Introducing Password Autofill for Apps from WWDC 2017.

And if you'd like to talk to us or you have questions about any of the content we've covered today, come to the Safari, WebKit, and Password Autofill Lab after this session.

We've also got a couple more, later in the week.

Thank you, so much, for attending and have a great WWDC 2018.

[ Applause ]

Apple, Inc. AAPL
1 Infinite Loop Cupertino CA 95014 US