Our mobile devices (iPhones, iPads) don’t have iCloud Keychain, which seems to have AES 256-bit encryption for storing credentials. The mobile browsers on those devices, like Safari, Firefox and Chrome, ask users if they want to save their Office 365 email password, which is used to log in to their desktop devices. I know that if the phone or tablet is lost, anyone who hacks their phone/tablet passcode can view their passwords.
Users want to choose yes so they don’t have to remember the password, but from a security viewpoint, if those passwords are stored by the browsers, a rogue plugin/extension in the browsers could send them to another place. There is also a risk of password breach if the mobile devices are lost.
A. If a user chooses yes to remember his password on an iPhone/iPad in a mobile browser like Safari, Chrome or Firefox, where does the browser store it and how safe is it?
B. How do we convince management not to bow to users’ convenience of remembering passwords in the browser?
C. Would asking users to use a free password manager like KeePass, so that it remembers the password instead of the browser, be better from a security viewpoint?
D. Any other suggestions for a situation where we can accommodate user convenience but not risk losing enterprise credentials for an employee who lost his iPhone?