Setting Up Automatic Two-Factor Code In Safari

Safari 15 allows you to save a key and get two-factor codes for Google and many other services. This allows you to not only fill in IDs and passwords for sites, but the two-factor verification code as well. No need to pull out your iPhone or use another app.

Video Transcript

Hi, this is Gary with MacMost.com. Let me show you how to use the built-in Authenticator in Safari.
MacMost is brought to you thanks to a great group of more than 1000 supporters. Go to MacMost.com/patreon. There you can read more about the Patreon Campaign. Join us and get exclusive content and course discounts.
So with Safari version 15 in both Big Sur and Monterey you can now have Authentication Codes automatically filled in. These are also known as two-factor codes or verification codes. If you go to Safari Preferences and then to Passwords you'll see all the passwords you have saved here. So when you go to log into these sites you can automatically have the ID and Password filled in by Safari. This allows you to use a really strong password since you don't have to type them every time. But most sites also now have two-factor authentication. So in addition to the password you're going to have to enter a one-time code. Sometimes these come over SMS and then you could automatically have those filled in using a cool feature on your Mac that does that. Other times you need to use an authentication app. For instance Google Authenticator is a very common one. Use that for Google but also a whole bunch of other services as well.
So for a while now Password Managers, like 1Password, have allowed you to get these authentication codes. But now Safari does as well. Safari can not only fill in your ID and Password but also the current one-time verification code. Let's look at how to set that up.
So, as an example I'm going to use a Google account. So I've got my demo Google account selected here and now I go to Edit to take a look at it. So here I can see the User Name and Password and also the website at the bottom. I could also add the verification code here. Now, of course, verification codes only exist for a temporary period of time. Usually about 30 seconds or one minute. They change all the time. So what this is actually going to do is allow Safari to hook into the system that generates these codes. So it can give you the current code. When you click Enter Setup Key you go to this screen and you're asked to enter the Setup Key. Now to get that Setup Key you have to go back to the site that you're using. So in this case Google.
Let's take a look at what to do in Google to get this Setup Key. So here I am in Google and I'm logged into my account. If I click on that I can go to Manage Google Account. Then if I go to Security I can go down to Two-Step Verification, you can see it's turned On. So once I'm in Two-Step Verification I can either turn it On, in which case I get this code that I need, or I can change it. So I'm going to Change right here and I'm going to select iPhone, Next. You could see it says Setup Authenticator and it gives you this QR code that you can scan using the Google Authenticator app. But if you click on Can't Scan It then you'll see you get this Key. So in this case it's this. I will select it and Copy. Then I'm going to go back into Safari Preferences, then click Edit, Enter Setup Key, paste it in there and then hit Okay. Now I can see this code. So I have to use that to verify it. So I'll go to Next, enter it in, Verify and now you can see I've got it all Done.
So now if I go and sign out of Google and I want to sign in again it's going to ask me for my Password. I can click here and select the password. Go to Next. Now it's going to ask me for the verification code. When I click here you could see it allows me to fill that in. It grabs the current one. Now I can log in without having to go to the Google Authenticator app on my phone or use another app like Authy or a password manager like 1Password to get that code. Safari can do it for me.
Better yet it syncs over iCloud. So on my other Mac I also can get that verification code and I can do so on my iPhone and iPad as well. So when you set up a new account the process is pretty much the same especially with Google because you create your ID and Password first and then you can go in and add two-factor authentication. Other sites are going to do it differently so you need to look for where they provide that Key for you to enter in. Not all sites are going to be compatible. Some use proprietary systems that are special apps so you can only get that app on your phone. Others are only going to use SMS. They are just going to send you text messages. That should automatically be filled in as long as you turned On SMS forwarding for your iPhone to forward to your Mac then you should get those SMS codes on your Mac and it should recognize that and allow you to fill them in.
Of course, worst-case scenario is you just have to look at the message and type the code in yourself. Also, sometimes you'll go to a website and it won't allow you to fill in the code even though you have it here. You can see it when you go into Safari Preferences. In that case you just have to go to Safari Preferences and look at it. If you click here you can copy it so you can paste it in. But it's still better than having to launch a separate app or pull out your phone to get that code.
So I've been using this for a little while and it's definitely a lot better than having to use the Google Authenticator App for so many things. I can do everything right on my Mac without having to install an additional app. The bottom line is if it makes using two-factor authentication easier for people then more people will use two-factor authentication and everybody will be more secure.
I hope you found this useful. Thanks for watching.

Comments: 17 Comments

    Eric
    4 years ago

    I think that Apple would need to provide an iOS/padOS app that could access (i.e. view/display) the content of a user's keychain items (iCloud sync'd) before I'd move away from the facilities provided by password managers. Perhaps there is one that I am not aware of.

    4 years ago

    Eric: But besides passwords, what else would you want to view on your iPhone? For instance, it doesn't do any good to examine certificates and other things Keychain stores.

    Lali Raj
    4 years ago

    Gary Is it available if a MacBook has Safari 15 or one needs to have Big Sur Or Monterey OS?

    4 years ago

    Lali: I believe you need Big Sur or Monterey for this, and Safari 15 yes.

    Peter
    4 years ago

    IMO storing both passwords and two-factor codes in the same place (Safari in this case) compromises security. Even more so when the settings that generate the codes are stored in iCloud. It’s the usual compromise between convenience and security - better than not using 2FA at all, but not as good as using a separate app or device to generate the code. Personally, I use a physical key that has to be plugged into my machine, and will only generate a code when touched.

    Wei
    4 years ago

    Gary, thank you for the great tip! This will save a ton of time for me. There is still one minor annoyance though: each time after the two-factor code is automatically entered, Safari still prompts me to "update the password", and I still have to press "cancel" instead of "update." Apparently it thinks the two-factor code is a new password. This seems to be a bug that should be fixed by Apple?

    4 years ago

    Peter: That's not the case. There are still two factors: your device passcode and physical access to the device. It is much much much better to use two-factor than to not. Absolutely. The malicious hacker on the other side of the world just doesn't stand a chance with two-factor. But without it all they need is to guess your password. Using a physical key is good, but note you are doing the same thing then -- physical access to that key would get them the second factor.

    4 years ago

    Wei: That is probably due to how the website is coded. I see that in one place I go to, but not any others.

    Eric
    4 years ago

    Gary: The other things that I would want to be able to view are secure notes. I am aware that the Notes app has this capability but sometimes it is just easier to have these items in one place.

    Chris J
    4 years ago

    If you use two factor authentication, why would you switch to a verification code? Is one more secure than the other?

    4 years ago

    Chris: They are the same thing. The "verification code" is the second factor.

    Peter
    4 years ago

    Thanks for your reply, Gary. I'm sorry, I don't understand why physical access to the device would be needed to generate the two factor code. In theory at least, couldn't a (very) sophisticated hacker gaining access to (for example, a user's iCloud backup of his/her Safari settings etc.) obtain remote access to both the password and the two factor code generator? Why would the hacker need physical access to the user's device itself?

    4 years ago

    Peter: To gain access to your iCloud backup someone would need your iCloud password and the 2-factor code for iCloud. So they would need to have one of your devices and be signed in with your passcode to get that 2-factor code before they even got into your iCloud account. They need physical access because there is no way to get the 2-factor codes just on a website or other online system. They can't log in somewhere and get a code. They have to have a device that is tied to your account.

    Carl
    4 years ago

    In your example using Google I believe in order to have Safari input the authentication codes automatically you first need to set up the Google Authenticator app as the default and then "change" the method for signing in. Is this correct? I use Google prompts to my phone or iPad as the default. Also, does this sync to iCloud so you can use it on your iPhone and iPad as well as your Mac?

    4 years ago

    Carl: No, you never need to use the Authenticator app at all. But it is the same basic method. This does sync to iCloud, yes.

    Carl
    4 years ago

    Thanks but I don't see a "change" option. Listed in order I see "ADD PHONE", "SET UP" Authenticator app, "ADD SECURITY KEY" and "REVOKE ALL". I'm running Big Sur v 11.6 and Safari v 15.0.

    4 years ago

    Carl: I'm not sure what you are looking at, sorry. Do you mean on the Google site? Add Phone would probably take you there. But if not, try the others too.
