AutoFill on macOS

With the release of macOS Big Sur, Apple now provides a fully integrated way to fill in your passwords on different sites and Apps, all inside that App or site. There’s no need to switch to your Password Manager and Copy/Paste. Strongbox (as of 1.14.0) now integrates with Apple’s Password AutoFill subsystem to offer suggestions and fill in passwords. This follows on from the iOS integration, which has been available for a few years now and has proven very convenient. Finally it has come to Mac.

NB: Mac AutoFill support is only available with Strongbox Pro. You can try this out for free for 90 days with no obligation to buy. We hope you’ll love it.

Note that this AutoFill system only works on Apple’s latest OS (macOS Big Sur) and only with Apps and Browsers that have upgraded to support the Password AutoFill system. So far, as of post time, the only major browser that supports AutoFill is Safari. We believe this will change over the coming months and we should see ubiquitous Password AutoFill support in most browsers and Apps in short order.

Setup

Setup should be straightforward. In Strongbox there is an Onboarding Wizard that should help guide you through initial configuration. But you can always check out your Strongbox AutoFill settings by unlocking your database and clicking on the menu item:

Database ‣ AutoFill Settings

You will then be presented with the following screen:

As you can see the first checkbox will hint that you should enable the Strongbox AutoFill component in the System Extensions preference pane. It can be found on your Mac here:

System Preferences ‣ Extensions ‣ Password AutoFill ‣ Strongbox

Once the Strongbox AutoFill extension is enabled on your system the other options will become available in Strongbox’s AutoFill Settings screen. You can enable or disable Strongbox AutoFill individually for each of your databases.

Safari Settings

With Safari being the primary browser for a lot of Mac users, you will also need to make sure Safari is AutoFill enabled. You can find this setting under

Safari Preferences ‣ AutoFill ‣ Usernames and Passwords

Make sure this is enabled. You can read a little more about those settings here.

QuickType AutoFill

One of the most convenient aspects of AutoFill is QuickType. This is where suggestions for credentials are presented to you inline in your browser or App and you can immediately select the appropriate one.

QuickType in Action

You can opt-in or out of this behaviour by checking the ‘Enable QuickType AutoFill’ checkbox on the AutoFill Settings screen.

One More Thing – The Wormhole

Unlocking your database can be a cumbersome process. Strongbox is designed for protection against brute force attacks and therefore requires some heavy processing before it can open your database. Further, if you’re not using Touch ID or Apple Watch Unlock, entering your master password takes time and is error prone. Strongbox AutoFill has the capability of unlocking your database independently, but if it detects that you already have your database unlocked in the background, it can establish a secure tunnel or “Wormhole” to request your credentials without requiring authentication or going through the whole unlock and decrypt process.

NB: You must tap on a QuickType suggested credential for this to work. It doesn’t work if you just select ‘Strongbox’ from the little key dropdown. This is because the AutoFill component can only request a specific credential from a specific database via the wormhole.

This is an optional performance enhancement feature, and again you can opt in to it by checking the ‘Use Wormhole Fill if Unlocked’ option on the AutoFill Settings screen.

We really hope you’ll find this new feature super convenient, and as other third parties start supporting Password AutoFill we should see some really great results and a smooth, painless password filling process for Mac at last!

Update 27 December 2020: It looks like Firefox are aware of this issue but could perhaps use some encouragement in integrating into their browser! See here:

https://bugzilla.mozilla.org/show_bug.cgi?id=1650212

Update 08 February 2021: It looks like Chrome are now aware of this issue but could perhaps use some encouragement in integrating into their browser! Please show your enthusiasm. 🙂

https://bugs.chromium.org/p/chromium/issues/detail?id=1170065#c14

Introducing Virtual Hardware Keys

Introduction

With the release of version 1.49.23 on iOS today, Strongbox now offers the possibility of creating Virtual Hardware Keys. These are software implementations of the popular hardware tokens from various vendors. Strongbox already supports hardware keys over NFC and Lightning in the Pro edition.

Virtual Hardware Keys are a new feature of Strongbox available to all, free, for life. If you like Strongbox, consider supporting us by purchasing a subscription or license.

The Problem with Hardware Only Keys on iOS

While using a hardware token provides an excellent extra factor for encrypting your KeePass databases, there are (or were!) some downsides that really put a dampener on adoption of a hardware key as a second (or third) factor. One of the main blockers is the lack of support for NFC and Lightning in AutoFill mode. Apple does not allow NFC to be used in App Extensions (the technical term for the execution context of the Strongbox AutoFill component). Some vendors do not offer library support for Lightning (MFI) in App Extensions. This has led to a suboptimal situation whereby you can use your hardware key in the main Strongbox app, but you cannot use the extremely convenient iOS AutoFill feature.

Enter the new Strongbox feature, Virtual Hardware Keys. You can create a Virtual Hardware Key within Strongbox, which is a software simulation of the process that takes place on your hardware key, technically an HMAC-SHA1 digest. To do this you will need the secret you programmed your hardware key with originally (something you will or should have stored somewhere very secure in case of device loss). Using this secret, Strongbox can mimic your hardware key in software. Strongbox stores this secret securely in the Secure Enclave on your device.

Why Use a Virtual Hardware Key?

There are two main scenarios in which you’ll want to use a Virtual Hardware Key. Let’s deal with them in turn…

1. AutoFill Mode

As mentioned above, you cannot use a hardware key in iOS AutoFill mode due to system limitations. This led many to abandon a hardware key as a second factor on iOS. Because Virtual Hardware Keys are entirely software based, you can use them in AutoFill mode. Further, you can specify that a hardware key is required in the regular Main app (used to edit and provide full access to your database) but that a Virtual Hardware Key should be used in AutoFill mode, providing super quick and convenient access to your passwords within other Apps. Both hardware and virtual hardware keys can work on the same database seamlessly.

2. Emergency or Disaster Recovery

While using a hardware token to secure your database provides an excellent level of security, it is very possible to lock yourself out of your database by losing the physical key. Once that’s done, there’s no way to unlock your database unless you have the original secret used to program your key. That’s why, in our setup instructions, we recommend you keep this secret somewhere secure (like a safe in your house and/or offsite).

Now with Virtual Hardware Key support you can use this secret if you lose your hardware token to create a new Virtual Hardware Key and recover your database.
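The HMAC-SHA1 step described above, and a check that a backed-up secret really reproduces your hardware key's response before you need it for recovery, as an added example that is not Strongbox's own code. The function names, the 20-byte secret length and the sample values (RFC 2202 HMAC-SHA1 test case 1) are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET_LEN = 20  # assumption: the key slot was programmed with a 20-byte secret


def parse_secret(text: str) -> bytes:
    """Parse a hex secret as written down at programming time.

    Accepts spaces, colons or dashes between bytes, rejects anything else.
    """
    cleaned = "".join(ch for ch in text if ch not in " :-\t\r\n")
    try:
        secret = bytes.fromhex(cleaned)
    except ValueError as exc:
        raise ValueError("secret is not valid hex") from exc
    if len(secret) != SECRET_LEN:
        raise ValueError(f"expected {SECRET_LEN} bytes, got {len(secret)}")
    return secret


def virtual_key_response(secret: bytes, challenge: bytes) -> bytes:
    """Compute in software what the hardware key computes: HMAC-SHA1."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def backup_matches_hardware(secret_text: str, challenge: bytes,
                            hardware_response: bytes) -> bool:
    """True if the backed-up secret yields the response the hardware key
    gave for the same challenge (constant-time comparison)."""
    expected = virtual_key_response(parse_secret(secret_text), challenge)
    return hmac.compare_digest(expected, hardware_response)


# Constructed sample data: RFC 2202 HMAC-SHA1 test case 1, not a real key.
SAMPLE_SECRET = "0b " * 20
SAMPLE_CHALLENGE = b"Hi There"
SAMPLE_RESPONSE = bytes.fromhex("b617318655057264e28bc0b6fb378c8ef146be00")

if __name__ == "__main__":
    ok = backup_matches_hardware(SAMPLE_SECRET, SAMPLE_CHALLENGE, SAMPLE_RESPONSE)
    print("backup secret reproduces hardware response:", ok)
```

Anyone holding the secret can compute the same responses, which is why the written-down copy needs the same protection as the key itself.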

How Do I Create or Use a Virtual Hardware Key?

See our help article on how to create a Virtual Hardware Key for AutoFill mode or disaster recovery.

* This work was inspired by the problems and solutions discovered while adding full YubiKey support to Strongbox. Kudos to everyone on GitHub for their help.