by falcolas 3055 days ago
Urm, if you have the ability to log in with a password to a website, you require the plain text password. Keychain also prompts for your user password before allowing plaintext access, not just the fact you're logged in.

Not sure what else is expected in this case, you'd get the same behavior from most other password managers.


Keychain doesn't prompt for your user password on iOS. Just your unlock code. That's what bothers me.
But iOS won’t reveal the plaintext password from the keychain to the user (it will only autocomplete forms).
It will if you go to settings->accounts and passwords.
You still get a password or Touch ID prompt before showing the passwords.
I assume RGS1811 was worried about someone using your finger for TouchID or face for FaceID, involuntarily. I also worry about that, especially if you get knocked out or black out or something, but I think the solution is to not have important login info in the keychain at all, such as access to money (bank apps), email, or other uses that can be used to verify your identity or steal from you.
If that is a legitimate concern, then don't use Touch ID or Face ID. By using those a person is intentionally choosing convenience over security. By even saving passwords in an account-shared fashion (be it Keychain, LastPass, or 1Password), you're giving up some security for convenience.

The latest iOS versions have also included a "five clicks on the power button" emergency option, which disables both TouchID and FaceID. It's not perfect, but if you're going into a questionable situation, it's a good way to avoid being coerced into using those to unlock your phone.

What made me concerned was the discovery that, on an old iPad mini I rarely use (without Touch ID / Face ID), entering the standard four-digit unlock code is enough to get access to the full list of logins/passwords stored by iCloud Keychain. I would like to have to at least re-enter my Apple ID to get at this full list.
Don’t use a basic unlock code then. I use an XKCD style passcode to unlock mine.