Apple Passwords’ Generated Strong Password Format

This post briefly summarizes part of a talk I gave in 2018. All information in this post has been accessible on YouTube since then. There is no new information or news in this post.

On Mastodon recently, jsveningsson@mastodon.social asked me:

Having an annoying argument on Threads about Apple generated passwords. Every iOS Password (like hupvEw-fodne1-qabjyg) seems to be constructed from gibberish two-syllable “words”. Hup-vew, fod-ne and qab-jyg above. Is this all in my head? Am I going crazy? Is the two-syllable thing by design or random?

This is not in their head, they are not “going crazy”, and the two-syllable thing is by design. Let me explain!

I gave a talk in 2018 called, “How iOS Encourages Healthy Password Practices”, that told the story of this generated password format. Although the talk is a bit dated now, it also covers other topics related to password management that, given that you’re reading this post, you might be interested in.

I explain the thinking behind the generated strong password format at 18 minutes and 30 seconds into the video:

To make these passwords easier to type on suboptimal keyboard layouts like my colleague’s game controller, where the mode switching might be difficult, these new passwords are actually dominated by lowercase characters. And to make it easier to short-term have in your head little chunks of it to bring over to the other device, the passwords are based on syllables. That’s consonant, vowel, consonant patterns. With these considerations put together, in our experience, these passwords are actually a lot easier to type on a foreign, weird keyboard, in the rare instances where that might be needed for some of our users.

And we weren’t going to make any changes to our password format unless we can guarantee that it was as strong or stronger than our old format. So if you want to talk in terms of Shannon entropy once again, these new passwords have 71 bits of entropy, up from the 69 from the previous format. And a little tidbit for folks who are trying to match our math — [note that] we actually have a dictionary of offensive terms on device that we filter these generated passwords against and we’ll skip over passwords that we generate that contain those offensive substrings.

So these new passwords are 20 characters long. They contain the standard stuff, an uppercase character. They’re dominated by lowercase. We chose a symbol to use, which is hyphen. We put two of them in there, and a single [digit]. We picked this length and the mix of characters to be compatible with a good mix of existing websites.

And a few more details: These aren’t real syllables as defined by any language. We have a certain number of characters we consider to be consonants, which is 19. Another set we consider to be vowels, which is six. And we pick them at random. There are five positions for where the digit can go, which is on either side of the hyphen or at the end of the password.

So yes, the passwords that Apple Passwords generates do contain gibberish two-syllable “words”. The syllables help them to be memorable briefly, but still not memorizable. I hope this helps!
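As an added illustration (my code, not Apple's), here is a generator and a format check that follow the description above: three six-letter "words" of two consonant-vowel-consonant syllables, two hyphens, one digit in one of the five positions described, and one uppercase letter. Which 19 letters count as consonants and which six as vowels is not stated in the talk, so the two sets below are an assumption with the stated sizes, and the `denylist` parameter stands in for the on-device offensive-substring dictionary the talk mentions.

```python
import math
import secrets

# Assumed alphabets: the talk gives only the sizes (19 consonants, 6 vowels).
CONSONANTS = "bcdfghjkmnpqrstvwxz"   # 19 characters
VOWELS = "aeiouy"                    # 6 characters

# Layout: three 6-letter words of two CVC syllables joined by two hyphens.
# Index i % 7 == 1 or 4 is a vowel slot, i % 7 == 6 is a hyphen, rest consonants.
PASSWORD_LEN = 20
HYPHEN_POSITIONS = (6, 13)
# The digit may sit on either side of either hyphen or at the very end;
# all five of these are consonant slots.
DIGIT_POSITIONS = (5, 7, 12, 14, 19)


def generate(denylist=()):
    """Return one password in the described format, skipping candidates that
    contain any substring from `denylist` (constructed stand-in for the
    on-device offensive-term dictionary; the real list is not on the page)."""
    while True:
        chars = []
        for word in range(3):
            if word:
                chars.append("-")
            for _ in range(2):                      # two CVC syllables per word
                chars.append(secrets.choice(CONSONANTS))
                chars.append(secrets.choice(VOWELS))
                chars.append(secrets.choice(CONSONANTS))
        # Replace one of the five eligible consonants with a digit.
        chars[secrets.choice(DIGIT_POSITIONS)] = secrets.choice("0123456789")
        # Uppercase exactly one of the 17 remaining letters.
        letter_slots = [i for i, c in enumerate(chars) if c.isalpha()]
        i = secrets.choice(letter_slots)
        chars[i] = chars[i].upper()
        candidate = "".join(chars)
        if not any(bad in candidate.lower() for bad in denylist):
            return candidate


def matches_format(pw):
    """True if `pw` has the described shape: 20 chars, hyphens at 6 and 13,
    exactly one digit in an allowed position, exactly one uppercase letter,
    and consonants/vowels in the CVC pattern everywhere else."""
    if len(pw) != PASSWORD_LEN or pw.count("-") != 2:
        return False
    if any(pw[i] != "-" for i in HYPHEN_POSITIONS):
        return False
    digits = [i for i, c in enumerate(pw) if c.isdigit()]
    if len(digits) != 1 or digits[0] not in DIGIT_POSITIONS:
        return False
    if sum(c.isupper() for c in pw) != 1:
        return False
    for i, c in enumerate(pw):
        if c == "-" or c.isdigit():
            continue
        pool = VOWELS if i % 7 in (1, 4) else CONSONANTS
        if c.lower() not in pool:
            return False
    return True


def entropy_bits():
    """Shannon entropy of this model with every choice uniform: 11 consonant
    slots (12 minus the one the digit replaces), 6 vowel slots, the digit
    value, the digit position, and which of the 17 remaining letters is
    uppercased. The talk states 71 bits for Apple's format; this model is an
    approximation and need not match Apple's exact bookkeeping."""
    return (11 * math.log2(19) + 6 * math.log2(6)
            + math.log2(10) + math.log2(5) + math.log2(17))
```

The Mastodon example `hupvEw-fodne1-qabjyg` passes `matches_format`, and the entropy estimate of this model lands just under 72 bits.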

New Quirks in the Password Manager Resources open source project

Note: This post is intended for people interested in using and contributing to the Password Manager Resources open source project. I am writing it in a personal capacity, as a maintainer and contributor to an open source project that I am passionate about.

I recently contributed two new quirks to the Password Manager Resources open source project that I want folks to know about.

(Quirks? Open source project? This open source project is, “a place for creators and users of password managers to collaborate on resources to make password management better”. The project contains “quirks” — data that pertains to specific websites, that can make the experience of using a password manager on those websites better.)

The first quirk expresses relationships between apps and websites. From the project README:

The file apple-appIDs-to-domains-shared-credentials.json expresses relationships between apps running on macOS, iOS, and iPadOS, and domains that use the same credentials. Information in this file is used by iOS and iPadOS (since version 17.4) and macOS (since version 14.4) for suggesting credentials in apps that do not have an association with domains. The system AutoFill capability makes use of this information to improve the user experience of signing into these apps by giving users inline suggestions of the appropriate credentials when signing in. This works for all password managers that make use of the Credential Provider Extension mechanism.

The JSON file is a map from App Identifier to an array of domains. Domains should be ordered by prominence from most prominent to least. The apps do not need to be distributed on Apple’s App Store.

That is, if you know of an app that doesn’t get specific passwords suggested on the QuickType bar, and instead has a generic “Passwords…” button, you can file an issue about it or contribute a fix.

The second quirk is a bit more esoteric. From the project README:

The file quirks/websites-that-ask-for-credentials-for-other-services-when-embedded-as-third-party.json contains a JSON array of domains that, when embedded as a third party, are known to ask for credentials for other services. For example, some payment processors conduct transactions by being embedded in an <iframe> on a website. These payment processors may ask for banking credentials directly, without using OAuth.

A password manager may wish to not offer to save a new password submitted in such an <iframe>, because the credentials are likely to not be for the service itself.
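To make the two quirk shapes concrete, here is an added example (my code, not the project's) that validates both JSON files as the README describes them and shows how a password manager might consume them: suggesting saved credentials for an app by its domains, and declining to offer to save a password submitted in a third-party frame hosted by a known "asks for other services' credentials" domain. The app identifiers, domains and vault contents are constructed placeholders, not entries from the real files.

```python
import json

# Constructed samples of the two quirk files (placeholder values only).
APP_IDS_TO_DOMAINS_JSON = """
{
  "ABCDE12345.com.example.shop": ["shop.example", "accounts.shop.example"],
  "ABCDE12345.com.example.news": ["news.example"]
}
"""

THIRD_PARTY_ASKERS_JSON = """
["pay-processor.example", "bank-connector.example"]
"""


def load_app_id_quirk(text):
    """Parse apple-appIDs-to-domains-shared-credentials.json: a JSON object
    mapping App Identifier -> non-empty array of domains, most prominent first."""
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object keyed by App Identifier")
    for app_id, domains in data.items():
        if not isinstance(domains, list) or not domains:
            raise ValueError(f"{app_id}: expected a non-empty array of domains")
        if not all(isinstance(d, str) and d for d in domains):
            raise ValueError(f"{app_id}: every domain must be a non-empty string")
    return data


def load_third_party_quirk(text):
    """Parse the websites-that-ask-for-credentials-for-other-services file:
    a JSON array of domain strings."""
    data = json.loads(text)
    if not isinstance(data, list) or not all(isinstance(d, str) for d in data):
        raise ValueError("expected a JSON array of domain strings")
    return frozenset(data)


def is_same_or_subdomain(host, domain):
    """checkout.pay-processor.example matches pay-processor.example."""
    return host == domain or host.endswith("." + domain)


def suggest_credentials_for_app(app_id, quirk, vault):
    """Return (domain, username) pairs to offer inline in an app that has no
    domain association of its own, in the file's prominence order.
    `vault` is a constructed dict of domain -> list of usernames."""
    return [(domain, user)
            for domain in quirk.get(app_id, [])
            for user in vault.get(domain, [])]


def should_offer_to_save(frame_host, is_third_party_frame, askers):
    """A first-party form is always eligible. In a third-party <iframe>, skip
    the save prompt when the frame host is (or is under) a listed domain,
    since the credentials are likely for some other service."""
    if not is_third_party_frame:
        return True
    return not any(is_same_or_subdomain(frame_host, d) for d in askers)
```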

I love this project. It’s been a delight to work with folks at 1Password, Dashlane, and the enthusiastic users of password managers to make password management better for everyone. If you’re interested in contributing to the project, it’s pretty easy, and you’ll be joining the over 200 people who already have made contributions!

Thanks for dropping by to learn about these two new quirks. :)

XOXO

I’ve never attended a conference before in a personal capacity[1]. Sure, I’ve worked events my employer has put on and spoken at conferences about what I do professionally, but I’d never paid money to show up somewhere just to learn, get inspired, or hang out. That changed a few weeks ago, when I visited Portland, OR to attend the final XOXO Festival.

I genuinely had one of the best times of my life at XOXO. From the first lovely moment until the very last, I was smiling like a goofball. The kind of happy where you spontaneously wiggle or catch yourself skipping a little bit. (I have to assume that other people skip involuntarily when they’re happy. Let me know.)

Why did I have such a great time?

  • Andy Baio and Andy McMillan, the founders, created an event where it was possible to fully participate while having a chance of avoiding contracting COVID-19. The festival had a firm policy around masking indoors and handed out masks to folks who needed them. More importantly, it was possible and convenient to participate outdoors, with a dedicated outdoor area for viewing talks and having conversations. That safety allowed me to actually enjoy myself, rather than feel like I was fighting another skirmish in my war against getting sick with COVID-19.
  • I ran into and got to catch up with internet friends who I had no idea were going, who I hadn’t seen in person since before the start of the pandemic. It was so nice to see them!
  • I got to introduce myself to people who I admire and tell them exactly what their work has meant to me, which is something that I love doing. And some people were kind enough to introduce themselves to me and tell me what my work has meant to them, which catches me off guard every time it happens.
  • The event self-selected for warmth and kindness. If you and another person started chatting, you were pretty much guaranteed to have a pleasant and meaningful conversation.
  • The event also self-selected for people who were comfortable and sometimes eager to talk about burnout, which is something that I’ve slowly been healing from by blowing up my life. I found it really helpful to talk about my feelings around burnout.
  • There was a gentleness to everyone who was there. It felt like we were all doing the work to heal after the collective traumas of the last few years. I had some particularly nice downtime sitting alone, but together, with someone who I had just met.
  • Strangers paid me compliments about choices that I had intentionally made about my appearance in a way that was welcome and not creepy. This by itself was delightful, but it again reflects on the thoughtfulness of the community.

I want to thank the Andys, everyone who sponsored and volunteered to work the event, and all of the attendees for making it such a great time. In a world where many of us are more isolated than ever, I think it’s critically important to connect with people in the way that XOXO facilitated.

If you’ll let me get a little woo-woo for a second: Why are we alive if not to connect with other people? Our consciousness is so precious. It’s mind-blowing that any one of us exists and knows that we exist — let alone that we can share feelings, spaces, and thoughts with each other. To wrap oneself in the blanket of a community where that happens is so beautiful as to be almost sacrosanct.

See y’all online,
<3


  1. Okay, fine. I attended a single conference before this one: jQuery Conference 2010: Boston on a student scholarship. Three things about that conference:

    1. My bicycle was stolen the first day of the event; I eventually got that bike back, but whoever stole it messed it up really bad.
    2. I decided to strike up a conversation with John Resig, creator of jQuery. I told him that I thought that jQuery Mobile was a weird name for the framework because jQuery was an all-purpose utility library, but jQuery Mobile was just another super-opinionated mobile UI development framework. He did not ask for that feedback, nor did he want it. I learned a lot from that interaction.
    3. Rebecca Murphey changed my life by giving a talk that could be summarized as, “Learn JavaScript. Stop living your life in frameworks and learn the damn language.”

Consider Slowing Down When Switching Password Managers

Important Note: Although I work at Apple and am deeply involved in the creation of its new Passwords app, in this post I am speaking only for myself and not for Apple. There is no “news” in this post, or any kind of “inside scoop”. My intention is to help the kind of person who would read a blog post about password managers think about and manage their credential data better.

You may find yourself wanting to move your passwords and verification codes to Apple’s new Passwords app from whatever app you’re using right now. If so, awesome! (And you have great taste!)

In this post I’ll discuss two different strategies for doing this: The Bulk Import Method and The Online Method. The Bulk Import Method involves exporting your data from your current password manager and importing it into Passwords, whereas The Online Method involves moving credentials over one-at-a-time by signing in to their associated accounts, cleaning up your collection in the process.

“The Tortoise and the Hare”, from an edition of Aesop’s Fables illustrated by Arthur Rackham, 1912; Get it?

As you read through this post, I challenge you to consider slowing down when moving your data. Rather than expect the process to take ten minutes, use the once-every-ten-years event of switching password managers as an opportunity to scrub your data, create some passkeys, enable two-factor authentication, and touch base with old websites and apps that might have something to offer you. By using this process, you’ll have a clean start with your beautiful new app, prove to yourself that all of your data made it over, and expedite the process of actually, finally, for real, ditching your old password manager.

Okay, let’s define and discuss the two methods.

The Bulk Import Method

As of the publish date of this post (September 2024), it is only possible to do a bulk move of your data with a Mac. It is relatively uncommon for password managers for iOS and iPadOS to offer exporting and importing functionality. Although it’s possible to import your passwords into Apple Passwords from Safari or the Passwords pane in System Settings prior to macOS Sequoia, I strongly recommend doing it from the Passwords app on macOS Sequoia, because its importer is more robust than the one in older versions of macOS.

The Bulk Import Method is ideal when Passwords is not currently the canonical home of any of your data, but you want it to become that single source of truth. Why? Because if there is no data in the Passwords app, importing (and verifying) new data will go more smoothly. Consider this: if you don’t know, across multiple password managers, which of your entries is current and which are old-and-busted, you can’t really expect today’s software to know that for you. The messier your data, the more you should consider augmenting The Bulk Import Method with The Online Method.

Either way, I recommend starting clean in Passwords. Removing old, non-canonical entries will allow the import to go more smoothly. The Passwords app has a “Recently Deleted” section, so it’s always safe to delete something in the app.

In the Passwords app, you can trigger an import from the File menu › Import Passwords…

Dialog from the Passwords app. It reads: You can import passwords with a CSV file. You can export a CSV file from Passwords or from another password manager. Imported passwords won't replace any existing information you've saved, and you'll be able to review any passwords that couldn't be imported.

The software will ask you to provide a CSV file containing your passwords exported from your current app. Treat that plaintext CSV file of your data like a hot potato or contamination that you need to clean up! It has all your passwords in it! For you, being safe may involve not saving it to a cloud filesystem, putting it in a place where backup software won’t capture it, and deleting it as soon as you’re done with it.

The Passwords app may tell you that it could not import some of your data. If this happens, it’ll offer guidance for dealing with data that conflicts with data Passwords already has saved, and it’ll tell you when some entries weren’t able to be imported because the shape of the data didn’t fit with what Passwords supports.

If you’re like me, after you’ve imported your data, you’ll say to yourself, “That’s it? I’m done?” You’ll relax for a moment, and suddenly blurt out, “Wait, how do I know that all of my data correctly made it over? I guess I’ll have to keep my old password manager around forever, just in case?”

Good news! Applying The Online Method can give you the confidence to ditch the old app forever.

The Online Method

With or without a Mac, there is a straightforward but time-consuming way to move your data that will give you 100% confidence that you’ve moved it all over. I call it The Online Method because it encourages you to touch base with (read: sign in to) every online service you have an account saved for. The “algorithm” for this method is, roughly:

  • for each credential entry in your current password manager with a website:
    • sign in to that website with the assistance of your current password manager
    • accept Passwords’ offer to save your user name and password
    • if you have a time-based one-time password or TOTP (a rotating verification code like you’d see in Google Authenticator) attached to the account:
      • visit the security settings for the website
      • turn off the current time-based one-time password enrollment
      • set up a new time-based one-time password:
        • if offered a QR code to scan with your phone, first try to right-click or tap and hold on it; in many cases you’ll be offered an option to “Set up Verification Code” or “Add Verification Code in Passwords”
    • critical: sign out of the website and then sign back in, only with the assistance of AutoFill from the Passwords app, ensuring that your next sign-in experience will be effortless
    • optional but recommended: fix up your account security while you’re there
      • if your password is one that you created — that is, if it has any kind of emotional significance or human-readable pattern in it — upgrade it to a strong password
      • create/add a passkey to your account, if the website offers it
      • turn on “two-factor” or “multi-factor” authentication for the account; see the tip above for the easiest experience when setting up verification codes in Apple Passwords
    • if the online service does not exist anymore:
      • choose whether to delete or keep your old credentials; I recommend not being precious about them; if by some miracle the defunct service comes back, you’ll almost certainly be able to reset your account via your email address
  • for each credential entry in your current password manager without a website:
    • manually add the information to Passwords (the Passwords app accepts entries without websites)
  • for each non-credential entry in your current password manager:
    • find a home for it in Passwords or a password-protected note in Apple Notes
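Before starting either method, it helps to know what is actually in the export. The following is an added example (my code, not part of the post or of any password manager) that triages an exported CSV in memory: it lists entries without a website (the manual-add path above), entries that carry a time-based one-time password (the re-enrollment step), duplicate entries for the same site and user name, reused passwords, and passwords that look human-made and deserve an upgrade. The column names and the rows are a constructed sample; the post only says the import takes a CSV, not which headers a given manager writes.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample export with assumed headers (real exports vary).
SAMPLE_EXPORT = """Title,URL,Username,Password,Notes,OTPAuth
Example Shop,https://shop.example/login,alice,correct horse battery,,
Example Shop (old),https://shop.example/,alice,correct horse battery,,
Forum,https://forum.example,alice,correct horse battery,,otpauth://totp/forum.example:alice?secret=PLACEHOLDER&issuer=forum.example
Wifi at home,,homenet,Xk9#mLq2vP7!rT4w,router password,
Bank,https://bank.example,alice@mail.example,9hF2-kLm7-Qw3z-Pv8x,,
"""


def site_key(url):
    """Reduce a URL to its host so /login and / count as the same site."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    return (parts.hostname or "").lower()


def looks_human_made(password):
    """Cheap heuristic for 'a password I created' rather than a generated one:
    contains spaces, is letters only, or is short."""
    return (any(c.isspace() for c in password)
            or password.isalpha()
            or len(password) < 12)


def triage(csv_text):
    """Return a report keyed by the cleanup action each entry calls for.
    Works on text already in memory so nothing new is written to disk."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    by_site_user = defaultdict(list)
    by_password = defaultdict(list)
    report = {
        "no_website": [],                 # add by hand in Passwords
        "needs_totp_reenrollment": [],    # turn off old generator, set up new one
        "looks_human_made": [],           # upgrade to a strong password
        "duplicates": [],                 # same site + user name more than once
        "reused_passwords": [],           # same password across entries
    }
    for r in rows:
        title = r["Title"]
        url = (r.get("URL") or "").strip()
        if url:
            by_site_user[(site_key(url), r["Username"])].append(title)
        else:
            report["no_website"].append(title)
        if (r.get("OTPAuth") or "").startswith("otpauth://"):
            report["needs_totp_reenrollment"].append(title)
        if looks_human_made(r["Password"]):
            report["looks_human_made"].append(title)
        by_password[r["Password"]].append(title)
    report["duplicates"] = [t for t in by_site_user.values() if len(t) > 1]
    report["reused_passwords"] = [t for t in by_password.values() if len(t) > 1]
    return report
```

Read the export with the file open only as long as needed, and delete it as soon as the triage and import are done, as the post advises.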

Benefits of The Online Method

  • When you’re done, your collection of credentials will all be for valid accounts that you care about, eliminating that “wild west” or “junk drawer” feeling in your collection. Given that we live so much of our lives online, a clean password manager can be the difference between logging in to get the tickets and buying them aftermarket.
  • If you go on the optional and recommended side quest, your accounts will have a better security posture!
  • This one’s a little goofy and sentimental, but I mean it: you may remind yourself about things you care about or once cared about. If you’re like me, you’ll feel wistful when re-visiting the outposts of your online life.

The Online Method is almost Marie Kondo-like; you touch each of your saved items and ask yourself, “Does this spark joy?”

You Can Combine Both Methods

If you bulk-import your passwords, you can then clean them up using The Online Method. You’ll use the steps above, but now the “your current password manager” referenced in the first line is Apple Passwords. This can save you a lot of time while still delivering the benefits of slowing down.


I know, I know. I wrote an entire post advocating for manually doing work when there’s a more automatic, less involved alternative available. You might think I’m encouraging you to defrag your password manager. And if you’re not convinced, that’s totally okay! But I’ve found that there’s a special feeling that comes from knowing that any one of my mission critical systems is clean.

Anyway, I hope you found this post helpful! Take care, and enjoy the Passwords app!

Changes

In the last few months, I’ve made some important and positive changes in my life. I’ve been letting people know when I catch up with them, but I’d like the changes to be in the open. Hence this post, which is a self-indulgent update on my life for people who either care about me or take an interest in me. I’m not writing this to make any kind of larger point or statement, and none of this is newsworthy. Please don’t ruin my day by linking to this post from a tech blog.

tl;dr:

  • For the first time since July of 2011, my primary residence is not in California. I’ve moved back to the East Coast of the United States and will be spending most of my time there.
  • For now, I’m living with my mom in upstate New York, somewhere between Poughkeepsie, NY and Danbury, CT. My mom has several health conditions, including chronic pain and memory impairment, that my sister and I have been helping her manage. My sister has been local, and until recently, I’ve been a painful ~3,000 miles (roughly 4,800 kilometers) away.
  • The impact I’ve been able to have in the time I’ve been here so far has been reassuring; I’m so happy to be nearby and able to help. And I love my mom and sister. It’s healing to be able to cook for and have dinner with them more than a week or two out of the year.
  • Eventually, I plan to live somewhere between Brooklyn, NY and Somerville, MA. I don’t know how long it’ll take me to move, but I’m not in a rush. I’m spending some much-needed quality time with my family while I figure things out.
  • I still work at Apple on passkeys, password management, the best feature ever made, and more generally, app/website authentication technologies as a software engineer. I feel and have reason to believe that my best work is still ahead of me. :)
  • This means that I no longer manage the Authentication Experience team. The team is now managed by one of its founding engineers and is in excellent hands. I couldn’t be happier with the direction the team is going, and it’s so cool that I’m still working with the team I founded.
  • I’ll be visiting the San Francisco Bay Area regularly for work purposes.

I feel really, really good about these changes and I’m thankful I’ve been able to make them. I appreciate the support I’ve gotten from my friends, my colleagues, and especially my manager.

Imagined Questions and Actual Answers

When did this all happen?

My role at work changed in October and I moved in late November.

How did you figure out you wanted to move back to the East Coast?

It’s complicated. I’ve known for over half of my time in California that I’ve wanted to leave, but I felt like I would never do anything to make it happen — that I was stuck.

What finally changed is that the anxiety I felt from being isolated during the (ongoing) COVID pandemic all but broke me. To cope, I finally started regular talk therapy. Years of therapy and talking things out with close friends helped me realize that I could prioritize leaving California, and no matter what else happened, things would be OK. I would be OK. That I have the support and skills to disrupt things and land on my feet.

So you live in New York state now? Can we hang out?

Yes! If we’re friends, please reach out. I can easily take a train down to the city or drive further upstate, to Connecticut, or into Boston, especially if I can crash with you.

I’m outside of that area, but can you come and visit me?

Yes! If we’re friends, please reach out. I want to spend more time with people who I care about, so even if we’ve fallen a bit out of touch, I’d love to hear from you.

Also, if you or someone who you know lives in a metro area and would like your house and/or pets looked after while you travel, please get in touch. My lifestyle now supports some modest, low-effort travel that’s fun for me and potentially helpful to other people.

At one point, didn’t you try really hard to get far away from where you’re now living in upstate New York?

Absolutely. I am struck by how much has changed — how much I’ve changed. I’ve rearranged some important aspects of my life to work better with my priorities, but also, I have ways of mitigating the downsides of living in a rural area that I didn’t have when I was in high school, like having the familiarity and resources to get on an airplane.

Whether or not “everything” “works out”, right now, I am so relieved that I finally did something.


If you made it this far, thanks for caring. 💚

Twitter’s Decision to Limit SMS 2FA is Dangerous

Some background on me: I’m a software engineer working in what I call “usable security”. I’m passionate about this field because advancements can tangibly improve people’s lives, making their computing experiences easier and accounts more secure at the same time.

This post contains some of my personal thoughts. It does not represent anyone else or any organization other than me, including and especially my current employer. The purpose of this post is to educate people about the intersection of account security and usable software and to provide my perspective. I beg you not to link to or quote this post while saying that it represents any organization or company.

What’s happening?

Yesterday, Twitter announced that it is discontinuing text-message two-factor authentication for accounts that don’t subscribe to Twitter Blue. And indeed, Twitter is already communicating this change to its users:

A notice I received from Twitter for Mac

This is a huge deal for a few reasons.

First, despite the efforts of its new owner, Twitter is still a hugely important and influential service, with many notable and powerful users. We are all-too-familiar with the fact that a tweet can become a highly-impactful news story. A particular Twitter account becoming compromised can trigger real-world confusion and conflict.

And consider the years of Twitter DMs you may have and that other people have. By March 19, a month from now, up to approximately 75% of accounts using 2FA on Twitter will no longer be protected by 2FA[1]. That’s big.

But perhaps even more interestingly, this decision from Twitter is a big deal because it has many people who don’t ordinarily consider their security posture thinking about two-factor authentication and account security. Many people are asking questions about what this announcement means for their Twitter account and for two-factor authentication in general. Some folks are feeling blackmailed into purchasing Twitter Blue or otherwise personally under attack.

These feelings are reasonable: People’s accounts matter a lot to them, the global economic conditions mean that not everyone has the money for another subscription, and recent developments at Twitter are extremely polarizing.

In this post, I’ll explain what two-factor authentication (“2FA” from hereon in) is, what it does and doesn’t do, the benefits of text-message two-factor authentication (“SMS 2FA” from hereon in), why Twitter made this decision, how Twitter can restore some of the benefit from SMS 2FA to its non-paying users, and why passkeys will ultimately be the solution for account security for services like Twitter.

Two-factor authentication

The Account Security report on transparency.twitter.com says:

Two-factor authentication (2FA) is one of our strongest protections against account compromise. Enabling 2FA ensures that even if your account password is compromised (perhaps due to the reuse of your Twitter password on other, less secure, websites), attackers will still be blocked from logging into your account without access to the additional authentication required.

This is a good explanation of 2FA because it focuses on the impact of using it, rather than some indirect appeal to the virtues of “factors” involved in authentication. The explanation is specific, directly addressing the main threat that Twitter’s 2FA is mitigating against: password reuse.

The page continues:

In general, SMS-based 2FA is the least secure due to its susceptibility to both SIM-hijacking and phishing attacks. Authentication apps avoid the SIM-hijacking risk, but are still susceptible to phishing attacks.

This is also true, and communicated clearly. There are limitations to both SMS 2FA and “Authenticator apps” 2FA.

That said, we should not and cannot consider the effectiveness of a security mitigation without also considering its usability, which bounds its real-world effectiveness. The “most secure” authentication scheme in the world will be limited in its impact by how accessible and user-friendly it is. The time and effort it takes for a person to set up what Twitter calls “Authentication apps” stymies their adoption. The fact that hardware security keys cost money naturally limits people’s interest in them.

SMS 2FA has documented and frequently-discussed limitations in terms of the security benefits it provides. It can also trip people up in terms of usability, like when people switch phones, or when they can’t receive texts at their phone number, like when they’re on an airplane, or sometimes when they’re traveling internationally.

Despite its limitations, I’ll argue that SMS 2FA is a huge success story in actually reducing the harm caused by weak and reused passwords.

The benefits of SMS 2FA

It’s pretty common to see technology enthusiasts say something like, “SMS 2FA is insecure and no one should be using it.”

I strongly disagree with statements like these because they don’t contain enough nuance, or even an acknowledgment that different people face different kinds of threats. The thinking here isn’t accurate, and inaccuracies in how people think about account security cause harm. I can’t help but read statements like these as, “Because I understand a flaw in a technology and am capable of using an alternative, no one should make use of that technology.”

A critical tool that the security community uses to think through problems is called threat modeling. Threat modeling helps with thinking through potential threats for a particular person or group of people, and ways of mitigating those threats, even if the mitigations aren’t absolute or foolproof. Threat modeling helps security teams tangibly help people without letting perfect be the enemy of progress.

People who don’t use password manager software — and that’s a lot of people — almost always reuse the same passwords across the services they use. For many of them, SMS 2FA provides value, despite its flaws. Making a person’s weak or reused password not sufficient to gain access to their accounts is genuinely good, even if a very motivated attacker could compromise the SMS channel or phish the one-time code.

Also, consider this: Your bank wouldn’t encourage or require SMS 2FA unless it mitigated real financial harm to them at scale. And scale is key. Twitter’s transparency website reports:

Over the most recent reporting period (July 2021 through December 2021):
2FA Usage
2.6% — Percentage of active Twitter accounts with at least one 2FA method enabled on average over the reporting period.
Types of 2FA
SMS: 74.4%
Auth App: 28.9%
Security Key: 0.5%

As you can see, SMS 2FA is the most prevalent form of 2FA used on Twitter. My theory for why this is: SMS 2FA is relatively usable and accessible. Lots of people understand what it means to give a service like Twitter their phone number and can figure out how to enter a code that’s texted to them.

The rub: It costs money to send text messages

Twitter’s new owner, Elon Musk, is trying to extract as much value from the service as he can as quickly as he can. This has meant finding ways to increase revenues, like pushing Twitter’s paid tier, and cutting costs, like firing large swaths of Twitter’s staff. Eliminating SMS 2FA for non-paid users is the company’s most recent cost-cutting measure. In a reply to @MKBHD, Musk writes: “Twitter is getting scammed by phone companies for $60M/year of fake 2FA SMS messages”

I will be the last person to defend how Twitter has gone about any of its recent decisions, but it’s true that the cost and fraud around SMS are real problems. During my time in the industry, I’ve worked with several organizations looking to reduce costs around sending text messages, and the costs they’ve cited have been significant. That said, none of them decided to charge for the privilege, especially after it had been a baseline feature of the service.

How could or should Twitter restore some of the benefits of SMS 2FA after having removed it?

Let’s pretend that we are account security engineers at Twitter who want to improve user security, but cannot bring back SMS 2FA to non-paying customers.

Send one-time codes via email

Emails are far cheaper to send than texts, and preserve most of the usability of SMS 2FA. A service can reasonably ask a user for their email address to use for authentication purposes and nothing else, if they don’t already have it. And then, the service can instruct a user to check their email for a code, similar to checking their texts.

In this way, one-time codes sent via email have similar usability characteristics as one-time codes sent via text.

Realize that “authenticator apps” isn’t the right framing for time-based code generators

Traditionally, to set up a time-based rotating code for 2FA, one would need to install special software like an “authenticator app”, and then follow instructions for adding a code generator.

This is no longer true, at least on one of the two dominant mobile computing platforms.

On iOS, time-based one-time code generation is built into the operating system. No “authenticator app” needs to be installed. Apps and websites can easily create buttons or hyperlinks to set up a new generator. (If you have a Twitter password saved to Apple’s built-in password manager, go ahead and try this link to see how easy setting up a verification code can be: Set Up on iPhone. Remember that this is a fake code.) After setup, AutoFill will take care of filling codes.

Although one or both of these approaches may be valuable in the short term, ultimately, they’re both stop-gaps.

Passkeys are the way forward

Throughout this post, I’ve been discussing ways of layering, or bolting on, additional security on top of password-based authentication. However, passwords themselves are the real problem. People need to take extraordinary care to use them in a secure way, ensuring that they’re using strong, unique passwords for every account, and that they never accidentally hand their password to the wrong entity. Not only is this bar impossibly high for casual users of technology, but even a technology enthusiast or “security expert” is vulnerable to phishing.

Passkeys are a password replacement. You can tell that from their name and the ‘pass-’ prefix. Passkeys are an industry collaboration, with advocates like Apple, Google, and Microsoft, and adopters like PayPal and Stripe. They solve the problem that Twitter is mitigating with 2FA: password reuse. In addition, critically, passkeys prevent phishing as it exists today. Rather than ask a human to decide where their account credential can be used, as is the case with passwords, passkeys are securely bound to the service they were created for.
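The "securely bound to the service" part has a concrete mechanism: the authenticator mixes the relying party ID into the signed data, and the browser records the origin it was invoked from, so a credential for one site cannot verify at another. The following added example (my code, not from any passkey implementation) shows the relying-party checks that enforce that binding, reduced to rpIdHash, the user-presence and user-verification flags, and the clientDataJSON origin and challenge. Signature verification over authData plus the hash of clientDataJSON, and credential lookup, are out of scope; `example.com` and the lookalike `examp1e.com` are placeholders.

```python
import hashlib
import hmac
import json
import struct

RP_ID = "example.com"                                   # placeholder relying party
ALLOWED_ORIGINS = {"https://example.com", "https://www.example.com"}

FLAG_UP = 0x01   # user present
FLAG_UV = 0x04   # user verified


def rp_id_hash(rp_id):
    return hashlib.sha256(rp_id.encode("utf-8")).digest()


def make_authenticator_data(rp_id, user_verified=True, sign_count=1):
    """Constructed authenticatorData: rpIdHash(32) | flags(1) | signCount(4).
    The authenticator computes rpIdHash from the RP ID the browser hands it,
    which is derived from the site the user is actually on."""
    flags = FLAG_UP | (FLAG_UV if user_verified else 0)
    return rp_id_hash(rp_id) + bytes([flags]) + struct.pack(">I", sign_count)


def make_client_data(origin, challenge):
    """Constructed clientDataJSON as the browser would produce it."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": challenge,
                       "origin": origin}).encode("utf-8")


def verify_binding(auth_data, client_data_json, expected_challenge,
                   rp_id=RP_ID, origins=ALLOWED_ORIGINS):
    """Return (ok, reason). Each check is one that a relying party performs
    before it even looks at the signature."""
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if not hmac.compare_digest(auth_data[:32], rp_id_hash(rp_id)):
        return False, "rpIdHash does not match this RP ID"
    flags = auth_data[32]
    if not flags & FLAG_UP:
        return False, "user presence flag not set"
    if not flags & FLAG_UV:
        return False, "user verification flag not set"
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if not hmac.compare_digest(str(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (stale or replayed)"
    if cd.get("origin") not in origins:
        return False, f"origin {cd.get('origin')!r} is not allowed"
    return True, "ok"
```

A lookalike site cannot produce data that passes these checks: the browser there would report its own origin and hand the authenticator its own RP ID, so both the rpIdHash and the origin fail to match, which is the phishing resistance the text describes.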

If you’d like to see passkeys in action, please watch this four minute segment from Apple’s WWDC 2022 where I explain what passkeys are, how they work, and why they’re such a big deal.

If you’re reading this, you’re capable of and willing to set up an “authenticator app”; most people aren’t. You might be able to afford and may be willing to purchase a hardware security key; most people aren’t. Giving a service one’s phone number and occasionally entering a six-digit code is something lots of people can do and are willing to do. But ultimately, far more people can consent to save a passkey to their phone and consent to use it to sign in, and by doing so, they’ll be protected from password reuse and phishing.

Of course, no authentication technology is one-size-fits-all. For example, passkeys rely on having access to a personally-owned device and not all people who use online services with accounts own such a device, like a smartphone. But for the vast majority of Twitter’s users, passkeys are the answer.

If the topics of account security and usable software are interesting to you, it’s a lot of what I talk about over on my Mastodon account. Thanks for reading!


  1. My math: the 74.4% number that Twitter has published. That’s a maximum, because a non-zero number of those accounts are subscribed to Twitter Blue. Kudos to Twitter for publishing this data. The transparency benefits the whole industry.