An Apple support document describing the company's new iCloud Keychain makes a surprising claim that it can sync passwords across devices without ever storing them in the cloud.

If true, this would be an important advance in password management, allowing users to create long, complicated passwords on one device and have the passwords automatically sync to their other devices, but without storing data on Apple's servers.

Today, most password managers sync data across devices by storing the data in a cloud service. There are ways to sync passwords directly among devices without cloud storage—for example, with a Wi-Fi sync option in the latest versions of 1Password. However, this requires some extra steps that reduce the convenience a good password manager offers.

Unfortunately, Apple's claim that it has solved this problem does not appear to be true. It may simply be a factual error in the Apple support document, but since this represents Apple's official word on how iCloud Keychain works, we had to test it out.

A user has three options for securing iCloud Keychain. The keychain—which contains usernames and passwords for websites, credit card information, and so forth—can be secured with a simple 4-digit passcode. This is the default option presented to users and thus the one most likely to be used.

With this option, each time a user adds a new Mac or iOS device to iCloud, the user can retrieve his or her keychain from Apple servers by entering the PIN. This PIN must be entered in addition to the user's primary iCloud password. If the user has forgotten the PIN, a new device can be authorized by approving it from a previously authorized device.

A second option for securing iCloud Keychain is identical to the first except that instead of a 4-digit PIN, the user can choose a longer password consisting of letters, numbers, and other characters.

Finally, the user could simply choose not to secure iCloud Keychain with a PIN or a password at all, removing the ability to approve a new device with a passcode. The Apple FAQ we mentioned earlier describes this option, along with the claim that not setting up a security code prevents data from being uploaded to the cloud. Last updated on Oct. 25, the FAQ states the following:

Can I set up iCloud Keychain so that my data isn't backed up in the cloud? Yes. When setting up iCloud Keychain, you can skip the step for creating an iCloud Security Code. Your keychain data is then stored only locally on the device, and updates only across your approved devices. Important: If you choose to not create an iCloud Security Code, Apple will not be able to recover your iCloud Keychain.

I decided to test out Apple's claim that keychain data can be stored "only locally" but still sync across devices. After creating a new Apple account and logging into a new user session on a Mac, I set up iCloud Keychain and skipped the step of creating an iCloud security code as Apple describes.

Using the same account on an iPad, I set up iCloud Keychain. Since I hadn't chosen a security code, I had to approve the iPad from the Mac. During this step, both the iPad and the Mac had to be connected to the Internet simultaneously.

At this point, the iPad's list of saved passwords (available at Settings/Safari/Passwords & AutoFill/Saved Passwords) was empty. Before doing anything else, I put the iPad into airplane mode, disconnecting it from the Internet and my home Wi-Fi network.

Then, I logged into a website on the Mac in Safari. The desktop browser asked if I wanted to save the password in iCloud Keychain, just as it's supposed to. I then turned Wi-Fi on the Mac off, disconnecting it from the Internet and my network.

Since my passwords were supposed to be stored "only locally" according to Apple's support document, they shouldn't be able to sync to another device without some kind of connection to that device. But after waiting a few minutes, I turned airplane mode on the iPad off, and voila! Within seconds my iCloud Keychain data had updated on the iPad.

I repeated the process a few times, never connecting the iPad and Mac to the Internet or a local network simultaneously. Passwords synced across devices without fail. I switched directions, adding a website to the iPad's keychain while the Mac was offline, and it synced in exactly the same way. Even when I added a login to the iPad and then turned the iPad completely off, the new password data still synced to my Mac's keychain as soon as I reconnected the computer to the Internet.

None of this is surprising. Syncing passwords over the cloud is exactly how iCloud Keychain is supposed to work. What's surprising is Apple's claim that it might work in some other way, just because a user chooses a different method of protecting their data in the cloud.

None of the dialog boxes in OS X or iOS make the claim that iCloud Keychain can sync passwords without the cloud, so I'm guessing it's just a mistake in that FAQ. While we don't know exactly how the data is being synced across devices, it's clear that keychain data is not "stored only locally on the device" as the support document states. Clearly, the data is being stored somewhere else, at least temporarily, or it wouldn't have been able to sync in my testing.

The chief difference between using and not using a security code may be the step of creating a cloud-based keychain backup that can be recovered even if you lose all your devices and have to start over from scratch. An iCloud Keychain security overview states, "You can choose to disable keychain recovery, which means that iCloud Keychain is kept up to date across your approved devices, but the encrypted data is not stored with Apple and cannot be recovered if all of your devices are lost."

Even if Apple always stored a backup, eliminating the option of restoring that iCloud Keychain backup with a simple passcode could conceivably thwart an attacker, since in that case the keychain can only be retrieved with physical access to one of the user's devices. So there could be advantages to not using an iCloud security code, but it's hard to say what all the tradeoffs are, since Apple's support documents don't explain them as clearly as we might hope.

We've asked Apple to clarify further but haven't gotten an answer yet.

This wouldn't be the first time the company's descriptions of its own security architecture were inaccurate. Research recently showed that contrary to Apple's claims, the company is capable of reading communications sent over iMessage.

Can Apple give your passwords to the government?

We also asked Apple if it could provide a user's passwords to the government if asked to do so. In response, an Apple spokesperson told Ars yesterday, "Apple only sees the encrypted data and does not have the key to decrypt it. Only trusted devices that the users approved can access the iCloud Keychain."

Another Apple document states that iCloud Keychain "Uses 256-bit AES encryption to store and transmit passwords and credit card information" and also "uses elliptic curve asymmetric cryptography and key wrapping." The iCloud Keychain security overview says, "iCloud Keychain encryption keys are created on your devices, and Apple can't access those keys. Only encrypted keychain data passes through Apple's servers, and Apple can't access any of the key material that could be used to decrypt that data."

But if your data is protected with only a 4-digit passcode, it's likely Apple can access it, a security expert told Ars.

Andrey Belenko, senior security engineer of viaForensics, analyzed the iCloud Keychain architecture when it was available as a beta. In an e-mail responding to our questions, Belenko wrote, in part:

Keychain items are always uploaded to and stored in the iCloud in encrypted form. But to sync keychain items across devices there must be a way to access (and decrypt) those items on the client, and this is where it gets interesting. Depending on how you configure iCloud Keychain, different crypto machinery is put to work. If iCloud Keychain is configured to use a 4-digit iCloud Security Code (which is the default) then there is an additional iCloud service involved: "escrow proxy." In a nutshell, the escrow proxy holds encryption keys to the keychain items shared via iCloud and provides those keys to properly authenticated clients. Our research indicates that encryption keys that are stored by this service are encrypted with the iCloud Security Code. Since it is only 4 digits, it is trivial to break this encryption. Thus I would expect that Apple is able to access (and decrypt) keychain data for accounts configured to use a 4-digit iCloud Security Code, although all data is indeed stored encrypted.

This would require an attacker to have access to the encrypted storage on Apple servers, making it extremely unlikely that it could be pulled off by an outside adversary, he said. Apple itself, though, could "brute force 10,000 possible passwords in almost an instant and decrypt actual keychain data," he said.

If a user instead secures iCloud Keychain data with a randomly generated 24-character password, then it becomes far less likely that Apple could decrypt the data. This method does not use the "escrow proxy" Belenko described.

"Instead, keychain items uploaded to the iCloud are encrypted using this password," he wrote. "This provides much better security against Apple (or anyone with same level of access to its servers) but is far less usable because one will need to memorize/store that 24-character password and to enter it on new devices."
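As an added illustration of the point Belenko makes in both passages above, and not Apple's code or format nor part of his research: a simplified Python model that wraps a key under a secret derived from the security code, then counts how many offline guesses a holder of the escrowed blob needs for a 4-digit code versus a random 24-character one. The key, salt, 24-character code and low PBKDF2 iteration count are constructed placeholders for the demo.

```python
import hashlib
import hmac
import math
from typing import Optional, Tuple

# Kept low so the demo finishes quickly; with only 10,000 candidate codes,
# no iteration count makes the search meaningfully harder for the blob holder.
PBKDF2_ITERATIONS = 100
DEMO_KEY = bytes(range(32))                      # constructed stand-in for a keychain key
DEMO_SALT = b"constructed-salt"                  # 16 constructed bytes
DEMO_LONG_CODE = "kQ9vT2xLm7ZpR4sWc8YbN1dF"      # constructed 24-char random-style code

def _derive(security_code: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the code into a 32-byte XOR mask and a 32-byte HMAC key."""
    d = hashlib.pbkdf2_hmac("sha256", security_code.encode(), salt, PBKDF2_ITERATIONS, dklen=64)
    return d[:32], d[32:]

def wrap_key(keychain_key: bytes, security_code: str, salt: bytes) -> bytes:
    """Simplified escrow-style wrapping (not Apple's format): mask the key under the
    code-derived secret and attach a tag so a holder of the blob can verify a guess."""
    mask, mac_key = _derive(security_code, salt)
    wrapped = bytes(a ^ b for a, b in zip(keychain_key, mask))
    tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    return salt + wrapped + tag

def try_unwrap(blob: bytes, security_code: str) -> Optional[bytes]:
    """Return the key if the code opens the blob, otherwise None."""
    salt, wrapped, tag = blob[:16], blob[16:48], blob[48:]
    mask, mac_key = _derive(security_code, salt)
    if not hmac.compare_digest(hmac.new(mac_key, salt + wrapped, "sha256").digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(wrapped, mask))

def exhaust_pins(blob: bytes) -> Tuple[Optional[bytes], int]:
    """Cost to a blob holder working offline: at most 10,000 guesses for a 4-digit code."""
    for guess in range(10_000):
        key = try_unwrap(blob, f"{guess:04d}")
        if key is not None:
            return key, guess + 1
    return None, 10_000

def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random code: 4 digits ~13.3 bits, 24 alphanumerics ~142.9 bits."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    pin_blob = wrap_key(DEMO_KEY, "4412", DEMO_SALT)
    print("4-digit code recovered after", exhaust_pins(pin_blob)[1], "guesses;", round(keyspace_bits(10, 4), 1), "bits")
    long_blob = wrap_key(DEMO_KEY, DEMO_LONG_CODE, DEMO_SALT)
    print("24-char code after all 4-digit guesses:", exhaust_pins(long_blob)[0], ";", round(keyspace_bits(62, 24), 1), "bits")
```

The escrow service's own attempt limits, not the code's length, are the only thing standing between a 4-digit code and its wrapped key; the 24-character code removes that dependency.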

Belenko noted that his research is based on an earlier version of iCloud Keychain. "I have not verified if all the details are still as described above, but I am certain that the general architecture hasn't changed," he said.

Belenko is continuing his research and plans to provide an in-depth review in early December.

We passed Belenko's comments on to Apple today, but we haven't received a response from the company.