macOS Ventura Security and Privacy Guide
The new OS for your Mac has arrived! Here’s our roundup of the most important macOS 13 Ventura security and privacy features, grouped by category:
System
At the macOS system level, there are a couple of important changes to know about:
System Preferences becomes System Settings
Your trusty System Preferences app will become System Settings in macOS Ventura.
Apple says that this is more than just a name change: System Settings will feature an updated design and easier navigation. So why does this matter for security? Because it means that users will have an easier time configuring their Mac to meet their unique security needs.
According to Apple, the System Settings sidebar will allow users to move through “more spacious” settings panes “without having to drill into and out of views.” In addition, System Settings will include a search field that lets you locate macOS settings options quickly and easily (search results pop up in the sidebar). This should be helpful to users who may be tempted to give up if they can’t find the security or privacy setting they need.
A more active Gatekeeper
In macOS Ventura, Gatekeeper will perform code signing checks every time an app is run — instead of at first launch as in the past.
This is good news for users, because it will help prevent bad actors from tampering with apps after installation.
Apple’s automated app security tools have been found to have vulnerabilities in the past, so users shouldn’t let their guard down, but this is nonetheless a welcome development for macOS platform security.
A (somewhat) improved anti-malware suite
Apple is also improving its native anti-malware suite, with improvements to XProtect and a new malware removal tool that’s being called XProtect Remediator.
We discuss the changes in detail in “Apple is updating XProtect and MRT. Is it enough?”
The good news is that Apple is taking malware on macOS more seriously than ever before. However, Mac users still need to exercise vigilance.
For one thing, Apple’s approach to its malware tools is somewhat “secretive,” as security researchers like Howard Oakley have pointed out. On his blog, Oakley described a recent issue in which a user’s version of XProtect Remediator failed to update automatically — leaving the user with out-of-date malware protection and no warning that the software needed to be updated. And on a macro level, Mac malware is continuing to grow in prevalence and sophistication, which raises questions about Apple’s ability to keep pace with the bad guys on its own.
Security
In terms of security changes in macOS Ventura, there are a few that bear mentioning:
Passkeys
This is a big one — with passkeys, Apple makes it possible for you to sign into websites on your Mac without a password.
From a user experience perspective, it’s not going to be much different than signing in using a password manager. You’ll just sign in using Touch ID instead.
But underneath the hood, passkeys actually represent a much more secure approach to logins. For a detailed explanation, and instructions on how to create a passkey, read “How Do Apple’s Passkeys Work?”
Strong password editing
Starting in macOS Ventura, you’ll be able to create strong passwords in Safari (not new) and then edit them to meet site-specific requirements (new!).
This is important because some websites, for whatever reason, have decided that they don’t want to accept passwords with special characters; or that they only want passwords that begin with a certain number; etc.
This puts users in a tricky position, because human beings are notoriously bad at making the kind of random, complex passwords needed to thwart password cracking.
Strong password editing lets you use Keychain to generate a truly strong password, and then edit it ever so slightly to meet a website’s specifications.
To find the feature, look for Other Options… when you’re setting up an account. If you click that, you’ll see the options for Edit Strong Password or No Special Characters, both of which do exactly what they sound like they do.
Rapid Security Response
In macOS Ventura, Apple will give users the option to receive security patches automatically — between standard updates and without needing to restart their Mac.
The feature is called Rapid Security Response, and is already available in iOS 16.
For most users, enabling Rapid Security Response will be the right choice, because it prevents gaps in coverage between the disclosure of a vulnerability and Apple issuing an official security patch.
The option for Rapid Security Response on a Mac should be available in the same place as all the other controls for automatic updates: at System Settings > Software Update.
BIMI in Mail
BIMI stands for “Brand Indicators for Message Identification.” It sounds more complex than it really is. Basically, all BIMI is is a little verified brand logo that appears next to the sender’s name in your email inbox.
It’s a useful security feature, because many phishing attacks are based on brand impersonation (e.g., someone pretending to be PayPal and claiming there’s an “issue” with your account).
BIMI has been supported for some time on cloud email platforms like Gmail. And starting in macOS Ventura, Apple’s Mail app will support BIMI as well!
Privacy
macOS Ventura also introduces a couple of nice privacy enhancements:
A privacy-friendly alternative to CAPTCHAs
CAPTCHAs are those ubiquitous Turing tests that we all have to take online to prove that we’re human. They’re a bit annoying, but they’re important to preventing fraud and bot activity, so we all live with them.
Unfortunately, CAPTCHAs can pose a privacy risk to users, as Apple pointed out in a WWDC22 developer session:
In order to determine if a client is trusted and can get an easier CAPTCHA, servers often rely on tracking or fingerprinting clients by using their IP address.
Starting in macOS Ventura, Apple is introducing support for Private Access Tokens, which will perform the same function as CAPTCHAs, but automatically:
These tokens use RSA Blind Signatures to cryptographically sign the fact that a client was able to pass an attestation check. These signatures are “unlinkable”, which means that servers that receive tokens can only check that they are valid, but they cannot discover client identities or recognize clients over time.
The upshot is that websites will be able to use Private Access Tokens to determine whether or not a request is coming from a human—no tracking and no need for anyone to complete a CAPTCHA. That’s more convenient for users and better for their privacy!
Lock Hidden and Recently Deleted albums in Photos
In macOS Ventura, as on iOS 16, the Hidden and Recently Deleted albums in Photos will be locked by default. No more having to worry about someone using your Mac and stumbling across private photos that you’d deleted or hidden!
These locked albums are unlocked with your device’s authentication method, which on a Mac means either your login password or Touch ID.
Learning More
macOS Ventura builds on the strong foundation established by Apple over the past two or three major OS versions.
To learn more about the security and privacy enhancements introduced in recent versions of macOS, check out:
