Automatic Strong Passwords and Security Code AutoFill

Good morning. Welcome to Session 204, Automatic Strong Passwords and Security Code Autofill.

My name is Chelsea.

You may have seen Automatic Strong Passwords and Security Code Autofill in the State of the Union, yesterday. I'm really excited to tell you more about these features, today.

These new features and other features in iOS 12 will help users log into and create accounts with ease in your app.

If you have a login screen or an account creation screen in your app, this session is for you.

A major pain point for users is dealing with passwords.

They can be a pain point, even for people that use the best practice, which is to use a password manager to create and fill passwords for them.

For everyone else it can be tempting to do something easy but insecure, like reuse a password they're already using on another service or use an easy to guess password that they can memorize.

We know that the most private secure thing for your users is to use strong unique passwords for each service that they use.

We've all heard of breaches in services that result in users' passwords being exposed. Users then need to go and change their password on every service where they were using it.

The features that we'll discuss today will help users choose strong unique passwords for your apps.

This way, you both help users that are trying to consciously use best password practices, as well as your users that would rather not think about passwords.

Many of your users use the iCloud Keychain.

The features that we're going to talk about today are built on top of the Keychain.

It has best in class security and it protects users' passwords behind biometric authentication.

Apple does not have access to the credentials stored in Keychain, so users' privacy is preserved, as well.

The iCloud Password Keychain Manager can help users log into and create accounts in your app.

We've added some new features on iOS 12 to help make account creation and login even easier.

I'm really excited to show you these features with a demo.

So, I'm going to go to the Shiny app.

This is my favorite demo app for creating an account and logging back into it. So, I'm going to go ahead and create-- and tap create account.

I'll focus the email field and you'll see that I've been given a suggested username.

This is a new feature on iOS 12.

These suggested usernames are based on credentials that the user already has stored in the Keychain.

Since I always use Chelsea@example.com, I'm going to select that as my username.

Without another tap, the password field is focused for me and a strong unique password has been provided.

I'm also told that I can go and look up this password in Settings at any time. So, if I need to go and type it onto another device where iCloud Keychain is available, it's available to me.

So, I'm going to go ahead and use this strong password and sign up.

So, with just a couple of taps I'm logged back into the Shiny, or I'm signed up for the Shine app.

Now, let's fast forward through all of the other account setup. I've turned on second factor authentication.

And let's look at what logging back into Shiny looks like. So, I'm going to go ahead and tap the email field.

As you can see, the credential I just created is suggested right on the QuickType bar.

Going to select that. And then, after Face ID, my password and username are filled and I can log in.

Now, I've set up second factor authentication.

Normally, I'd need to try to memorize this code or go back to Messages. But as you can see, the code that I just received for second factor authentication is right on the QuickType bar.

So, with one tap I can fill the code. Yeah. It's really awesome.

So, I can fill that code, submit, and again, with a minimal number of taps I'm logged back into Shiny. Back to the slides. So, as you saw, creating an account with Automatic Strong Passwords is quick and easy.

I didn't think about the password, since one was provided for me and inserted into the password field.

I also didn't think about the password when logging back into Shiny.

Passwords have truly become an implementation detail to logging into my app with Automatic Strong Passwords and Password Autofill.

Here's today's agenda.

First, we're going to do a quick recap of Password Autofill, since many of the features that we'll talk about today are built upon that feature.

Next, we'll talk about how to ensure that Automatic Strong Passwords works in your app. Then, we'll talk about Security Code Autofill.

Next, we'll talk about federated authentication with a third-party service.

And finally, we'll discuss some new password management features that the iCloud Password Keychain Manager provides.

In iOS 11, we introduced Password Autofill for apps.

Some of the new features that we're going to discuss today are built upon the same adoption you may have done for that feature.

Password Autofill helps users log into your app by surfacing credentials right on the QuickType bar.

Here's a quick recap of how to ensure that it works in your app.

Passwords in the iCloud Keychain Password Manager are stored based on domains on the Web. Like Apple.com.

Thus, it's important to have an association between your app and the domain on the Web.

This way, we're able to confidently surface credentials on the QuickType bar.

You already have this association if you've adopted Universal Links or Handoff.

The process of adding this association is pretty simple.

You'll have a small change to your apps Entitlements file and you'll serve a file from your domain on the Web.

If you'd like to see an in-depth look at how to set this up, see Introducing Password Autofill for Apps from WWDC 2017.

It's important to always tag your fields with text content type, so that Autofill can be offered at the right place.

Tag your username fields with the username content type.

Tag fields where users are going to be filling, or passwords for existing accounts with a password content type.

If you've chosen not to use Secure Text Entry for your password fields, it's particularly important that you tag your fields with the password content type.

This way, we know we're in a password context.

Now, that we've discussed how to get Password Autofill working in your app, let's talk about some improvements that it has.

Since, iOS 11.3, WKWebView supports Password Autofill.

This helps your users if your login screen is implemented using Web technologies.

New to iOS 12, password managers from the app store can provide information to Autofill.

This means that any work you do to support the iCloud Keychain Password Manager filling credentials in your app, also, helps users of these other password managers, as well.

If you're a developer of a password manager, see Implementing Autofill Credential Provider Extensions.

On iOS 12, we now offer to save credentials when a user logs into your app with a new account.

This way, users can then use these credentials in your app and website on all of their devices.

Let's talk about how to ensure users are prompted to save and