As hard as it is for me to believe, my older child recently turned 18. The age of majority in the U.S. means that they are now able to take charge of–and are personally responsible for–a lot more of their life that my spouse and I managed for them. This includes online accounts that we set up for them at places like government agencies (for passports and ID), Amazon, and the like.
With two-factor authentication (2FA) encouraged or required at many sites, what’s the easiest way to pass control from you to your child while keeping security intact? Here’s a general set of steps that relies on Apple operating systems and iCloud Keychain.
First, log into the account.
Next, copy the account information to your child:
- Apple operating systems: With passwords stored in your keychain on an iPhone, iPad, or Mac (or synced via iCloud Keychain), you can share the entry with your kid. This varies by operating system version and version. In the latest versions: in iOS 15/iPad 15, go to Settings > Passwords, find the entry, and tap the share button; in macOS 12 Monterey, either go to System Preferences > Passwords or Safari > Preferences > Passwords, find the entry and click the share button. Use AirDrop or another method to send it to your child.
- Third-party password managers: With 1Password or other password managers and with a shared vault enabled, you can copy or move the entry to that shared vault. You may also be able to share an entry from the app that can be opened with a free or paid version of the app your child has installed. (Warning! I highly recommend against using Google Chrome’s password manager, as it lacks device-locked end-to-end security provided by iCloud Keychain and major third-party password managers.)
- Read aloud: You can also literally read the password aloud and have your descendant repeat it back to you for accuracy. (Just like the old days: reading aloud to your child.)
Have your kid create an account in their password management app–including Passwords in iOS, iPadOS, or macOS–before proceeding so they can add a verification code in an upcoming step. But don’t have them log in yet.
Update associated data in the account:
- Email: If you’ve been using an email address under your control to manage their account, it’s time to migrate that. Change the email address. You may need to change both an account login address and an email address used for sending messages (some sites manage those separately). Wait until you’ve handed over all account credentials before they click a link to confirm via email to avoid losing access while you’re still transitioning the account.
- Phone number: Change the phone number to theirs. They may receive a confirmation call or text that they can read out to you or show you, and you can confirm for them immediately.
- Mailing address: Update the mailing address if they’ve moved or are just about to.
Finally, shift second-factor authentication over on accounts that require it. If you’re at a site that allows multiple 2FA authenticators that can produce a TOTP (time-based one-time password) used for verification, you can add their authenticator as the next step.
- Choose to add an authenticator.
- Name it descriptively if given an option (you usually are).
- The site displays a QR code and usually the corresponding “seed” text (a shared secret) for the token. Your kid can use an authentication app (I recommend Authy), a third-party password manager with TOTP support like 1Password, or Apple’s built-in TOTP recognition system. If they have an iPhone or iPad, an authentication or password app will bring up a camera view, or use the Camera app for to add to an Apple-managed login. If they don’t, you can read aloud the seed code, and they can enter it in the appropriate place. (See below for more about Apple’s approach.)
- The authentication app or component generates a code on your kid’s device that you then enter to confirm accurate enrollment.
- Delete your authenticator and log out.
For sites that don’t allow more than one authenticator, disable 2FA, log out, and have your child log in with the account and password (first confirming a new email address if necessary via an email link), and then help them enroll in 2FA if they aren’t familiar with it.
Apple supports TOTPs—it calls them “verification codes” directly within iOS 15, iPadOS 15, and macOS 12 Monterey and later. In iOS 15/iPadOS 15, you can use the Camera app to point at a QR code, and then tap an onscreen link to add the verification code. You can also touch and hold a code on a web page or in email and select Add Verification Code. In Monterey, you can Control-click or right-click a QR code on a web page to add it. However, you can only add a verification code to an existing account, so be sure your kid created the account entry early in the process, as noted above. (You can read this column for a more detailed explanation of adding verification codes in iOS, iPadOS, and macOS.)
Your kid can now delete all remaining traces of you from their account or continue to have you in there as a “rescue email” or “trusted phone number” or the like if they want to have a backup for restoring account access in addition to options provided by the service.
Ask Mac 911
We’ve compiled a list of the questions we get asked most frequently, along with answers and links to columns: read our super FAQ to see if your question is covered. If not, we’re always looking for new problems to solve! Email yours to mac911@macworld.com, including screen captures as appropriate and whether you want your full name used. Not every question will be answered, we don’t reply to email, and we cannot provide direct troubleshooting advice.