
Password managers are designed around the idea that, after you fully authenticate with your something-you-know credential, they'll mostly trust that you're "still there" for a certain period of time, requiring only a something-you-are factor for re-authentication while the something-you-know credential remains cached in memory. This "safety interval" usually ticks down more slowly while the device remains active (because continuous use implies "you" didn't wander off such that someone else could slip in), and more quickly while the device is idle/locked.

When the "safety interval" expires, or if you fully shut off the device, or if you manually trigger a "something unusual is happening" mode (https://www.idownloadblog.com/2017/08/21/how-to-disable-touc...), then the password manager will lose this cached "already mostly satisfied" state, and so will require you to present the "actual" something-you-know credential again.

> Mac Keychain for example is "unlocked" at login unless you change that.

That's because you just fully authenticated it by providing your master password (which for the macOS local keychain is your local account's login password, which you had to present in order to unlock the FDE disk at startup.) In fact, ignoring FDE, this is what "logging in" means on macOS: decrypting the local-account keychain.

You'll notice that this doesn't apply to your iCloud keychain, since that doesn't use the same password as your local account, and so you didn't present that keychain's unlock password when you signed in.

Interestingly, this also doesn't apply if you set your FDE unlock password to be different than your local account sign-in password. The FDE unlock password will do some magic that gets you logged into your account; but you will end up in your account with your local-account keychain still locked — which will cause a lot of annoying prompts on login. (I ran macOS like this for a while back in ~2013, because I wanted a really secure boot passphrase, but didn't want to have to type it every time I locked the screen, and TouchID didn't exist yet on Macs. Wasn't worth it.)

> iPhone Keychain will input passwords from just FaceID, no passcode prompt

Again, that's because you signed into your phone with a password recently-enough to make it satisfied with you; and this safety interval is much wider on a phone than on a PC, because people keep phones "securely" with them, rather than e.g. letting them sit turned-on and unguarded at work when they go home for the day.

You'll find that companies that have confidentiality requirements deploy MDM policies for employees' mobile devices which make this safety interval much shorter — if they even allow it at all. (I worked for IBM Canada, and my phone would force a password unlock after being locked for just 30 seconds.)

> Desktop Chrome and Firefox just autofill passwords no questions asked.

This is true, and because of this, security people do not consider these browser "autofill" features to be "password managers." Don't use them! They don't encrypt your passwords at rest, either! Viruses can steal your passwords right out of these autofill databases, and many modern viruses do do that!

(I would note that Chrome does prompt you for your [local-account login] password in order to be able to browse your autofill passwords — which is at least something. But this is just security theatre; you can still read the passwords right off the disk without knowing your login password.)
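The "safety interval" model the comment above describes, written out as a toy state machine. This is an added illustration, not code from any password manager or from the commenter; the interval length, the two decay rates, the placeholder master password and the placeholder key are all assumed values.

```python
"""Toy model of a password manager's cached-trust "safety interval".

Constructed for illustration: no real product's logic, and every constant
below is an assumption chosen to make the arithmetic easy to follow.
"""
from dataclasses import dataclass
from typing import Optional

ACTIVE_DECAY = 1.0        # assumed: interval ticks at real time while the device is in use
IDLE_DECAY = 4.0          # assumed: ticks 4x faster while idle/locked
SAFETY_INTERVAL = 600.0   # assumed: 10 minutes of "still there" credit
MASTER_SECRET = "correct horse battery staple"  # constructed placeholder, not a real secret


@dataclass
class VaultSession:
    remaining: float = 0.0                 # seconds of cached-trust credit left
    cached_key: Optional[bytes] = None     # stands in for the decrypted vault key held in RAM

    def unlock_with_secret(self, secret: str) -> bool:
        """Full something-you-know authentication: refills the safety interval."""
        if secret != MASTER_SECRET:
            return False
        self.cached_key = b"\x00" * 32     # placeholder for a key derived from the secret
        self.remaining = SAFETY_INTERVAL
        return True

    def tick(self, seconds: float, device_active: bool) -> None:
        """Advance the clock; idle/locked time burns the interval faster than active use."""
        rate = ACTIVE_DECAY if device_active else IDLE_DECAY
        self.remaining = max(0.0, self.remaining - seconds * rate)
        if self.remaining == 0.0:
            self.cached_key = None         # interval expired: drop the cached secret

    def reauth_with_biometric(self, biometric_ok: bool) -> bool:
        """Something-you-are alone only counts while the cached state is still alive."""
        return biometric_ok and self.cached_key is not None

    def lockdown(self) -> None:
        """'Something unusual is happening' mode, or a full shutdown: wipe the cache now."""
        self.cached_key = None
        self.remaining = 0.0

    def requires_secret(self) -> bool:
        """True when only the full something-you-know credential will unlock the vault."""
        return self.cached_key is None
```

Once the cached key is gone, whether by expiry or by an explicit lockdown, a biometric match is no longer enough and the model falls back to demanding the master secret.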




> That's because you just fully authenticated it by providing your master password (which for the macOS local keychain is your local account's login password, which you had to present in order to unlock the FDE disk at startup.)

I booted my laptop maybe several months ago and unlocked the screen with TouchID at the moment.

> Interestingly, this also doesn't apply if you set your FDE unlock password to be different than your local account sign-in password. The FDE unlock password will do some magic that gets you logged into your account; but you will end up in your account with your local-account keychain still locked — which will cause a lot of annoying prompts on login.

Haha, I've been there by accident before. Or before FDE was a thing, having a different keychain vs login password because of some migration gone wrong.

> Again, that's because you signed into your phone with a password recently-enough to make it satisfied with you

Not sure about this. Usually I use FaceID. Does that ever expire and need the passcode? I don't think it does; the only times it asks iirc is when I fail the FaceID auth repeatedly (it doesn't like my second pair of glasses).

> This is true, and because of this, security people do not consider these browser "autofill" features to be "password managers." Don't use them!

Yeah, it's jank, but people do use them. Personally I use Safari for important stuff just because I want Keychain instead, but otherwise, your only option is dealing with a third-party password manager.


FaceID asks for the passcode to enable itself every few days it seems. Not sure the frequency.

And clicking the side button ten times locks it to needing the pass phrase.


By default, clicking the power/side button 5 (not 10) times starts a countdown to dial emergency services. If you don’t cancel the countdown, it calls emergency services for you. Either way, biometric unlock is disabled until you re-enter your passcode/PIN. This can be disabled in settings.

Holding the power/side button and either volume button for a couple of seconds (just pressing them together and letting go creates a screenshot) presents a menu allowing you to power the phone off, display your medical ID, or call emergency services. You can also configure settings to have this action do the countdown as described above instead. Either way, biometric unlock is disabled until you re-enter your passcode/PIN.

Either option is pretty easy to do unnoticed with your phone in your pocket.



