Apple's Best AI Feature Is Not Siri
I watched the WWDC 2026 keynote the same way most people did: waiting for the Siri section, sitting through the photo editing demos, nodding at the translation features. The stuff Apple spent forty minutes on. Then, buried in a two-minute segment about Safari and Passwords, Beth Dakin mentioned that the Passwords app can now automatically fix weak and compromised logins with a single tap. No prompting. No back-and-forth with a chatbot. The AI opens Safari, signs into each site, generates a new password, saves it to iCloud Keychain, and moves on. That is the most impressive agentic feature Apple has shipped, and almost nobody is talking about it.
[Interactive demo: Passwords app simulator. Security tab with 6 accounts needing attention (github.com, reddit.com, spotify.com, linkedin.com, twitter.com, notion.so). Tapping Fix Passwords steps the agent through each account. Accounts with authenticator-app 2FA fail in the beta.]
What Actually Shipped
The Passwords app has flagged weak, reused, and compromised credentials since it launched in iOS 18. That part is not new. What changed in iOS 27 is the action layer. Before, every red warning label was a todo item: open the site, find the password settings page, authenticate, type a new password twice, confirm, save. If you had fifty flagged accounts, that was fifty separate chores spread across fifty different website layouts.
Now you open the Security tab, tap Fix Passwords, and an agentic AI handles eligible accounts in sequence. Apple Intelligence and Safari navigate each site, sign in with your saved credentials, upgrade the password, and write the new one back to iCloud Keychain. A Live Activity shows progress: Signing in, Saving strong password, Security upgraded. You can cancel midway. The whole thing runs in the background while you do something else.
Why This Is Harder Than Siri
Siri answering a question is a single inference call with a text response. Changing a password on a random website is a multi-step web automation task where every site is different. Some use a settings page buried three menus deep. Some send a confirmation email before the change takes effect. Some require CAPTCHAs. Some have password rules that reject autogenerated strings. Apple is not calling an API here. They are doing computer use: navigating real DOM trees on real websites with a fixed foundation model running on-device and on Private Cloud Compute.
That is a fundamentally different problem from generating a poem or summarizing an email. It requires the model to understand form fields, button labels, error states, and multi-page flows. And it has to do this reliably enough that users trust it with their credentials. Google has offered a similar one-tap compromised password change in Chrome since 2021, but Apple's version goes further by batching weak, reused, and leaked passwords together rather than handling them one at a time.
Where It Breaks
The agent is only as good as the second factor you use. Before starting, iOS asks for temporary permission to read one-time verification codes from Messages or Mail. That covers SMS and email OTP flows. It does not cover authenticator apps. If your GitHub account uses Google Authenticator or Authy, the agent signs in, hits the TOTP prompt, has nothing to read, and fails. Same for passkeys, which require a user gesture and device-bound keys the agent cannot invoke.
[Interactive widget: 2FA compatibility. SMS code accounts: agent can auto-fix. Agent requests temporary access to Messages, reads the OTP, and completes the flow.]
This is the same class of problem I wrote about in my piece on broken 2FA implementations, but from the other direction. Your choice of second factor does not just affect login reliability. It now determines whether an automated security tool can help you at all. If you use an authenticator app everywhere, the Fix Passwords button will skip half your accounts and leave you doing manual changes anyway.
Why Siri Is Not It
The Siri redesign got the keynote treatment. New personality, on-screen awareness, richer contextual responses, deeper app integrations. It is genuinely better than the Siri of two years ago. But better Siri is still a conversation. You ask, it responds, you ask again. The Passwords agent is different because it completes a task you would otherwise procrastinate on for months.
There is a useful distinction between agentic AI that adds capability and agentic AI that removes friction. Siri adding screen awareness is the first kind. Passwords auto-fixing forty leaked logins while you make coffee is the second. The second kind is rarer, harder to build, and actually changes behavior. Most people know they should rotate compromised passwords. Almost nobody does it manually for every account. Removing that friction is worth more than a smarter chatbot.
Bounded agent vs open-ended agent
// Open-ended: high capability, low reliability
siri.respond(anything_the_user_says)
  → infinite input space
  → hard to verify output
  → user must evaluate every response

// Bounded: narrow scope, high reliability
passwords.fix(account)
  → known input (saved credentials + site URL)
  → verifiable output (password changed + saved to Keychain)
  → user evaluates one outcome, not every step
The Part Nobody Is Covering
There is an enterprise angle here that consumer coverage is ignoring. The same one-tap convenience that helps a regular user clean up personal logins could be a problem on a company phone with work credentials saved in Passwords. An employee taps Fix Passwords and the agent starts rotating accounts on services the company IT team manages, with no MDM kill switch visible in the beta and no clear audit trail of what changed. For regulated industries that is not a feature. That is a compliance incident waiting for a help desk ticket.
Apple will probably ship an MDM control before the public release in September. They usually do for features like this. But the fact that it was not mentioned at launch tells you where Apple's head is at: this is a consumer convenience feature first, an enterprise consideration second.
What Good Agentic AI Looks Like
Every company is racing to slap "agentic" on their product pages. Most of it is a chatbot with tool access and a marketing budget. The Passwords feature is a useful reference point for what actually works: a narrow task, a verifiable outcome, explicit user consent before anything runs, and a clear scope of what the agent can and cannot access. It fails predictably on authenticator 2FA rather than silently doing the wrong thing. That is more than you can say for most AI features shipping this year.
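The bounded-agent properties listed above (scoped consent, a verifiable outcome, predictable failure on authenticator apps and passkeys, and the audit trail the enterprise section finds missing) can be modelled in a few lines. This is an added sketch, not Apple's code: `Factor`, `Account`, `FakeSite`, `fix_account` and the outcome strings are hypothetical names, and committing the new password only after a verified login is an assumed design choice, not documented behaviour.

```python
import secrets
from dataclasses import dataclass
from enum import Enum

# Hypothetical model; none of these names are Apple APIs.
Factor = Enum("Factor", "NONE SMS EMAIL TOTP_APP PASSKEY")
# Per the article: OTPs are readable only from Messages or Mail, after consent.
OTP_SOURCE = {Factor.SMS: "messages", Factor.EMAIL: "mail"}

@dataclass
class Account:
    site: str
    password: str
    factor: Factor

@dataclass
class FakeSite:
    """Constructed stand-in for a website's password-change flow."""
    password: str
    rejects_generated: bool = False  # models rules that refuse the new string

    def change_password(self, old: str, new: str) -> bool:
        if old != self.password or self.rejects_generated:
            return False
        self.password = new
        return True

    def login(self, password: str) -> bool:
        return password == self.password

def fix_account(acct: Account, site: FakeSite, consent: set, audit: list) -> str:
    """Rotate one credential; fail closed and log the outcome without secrets."""
    if acct.factor in (Factor.TOTP_APP, Factor.PASSKEY):
        outcome = "skipped:unsupported_2fa"
    elif acct.factor in OTP_SOURCE and OTP_SOURCE[acct.factor] not in consent:
        outcome = "skipped:no_consent"
    else:
        new = secrets.token_urlsafe(18)
        # Commit to the local store only after the site accepts the new
        # password AND a fresh login with it succeeds.
        if site.change_password(acct.password, new) and site.login(new):
            acct.password = new
            outcome = "fixed"
        else:
            outcome = "failed:site_rejected"
    audit.append({"site": acct.site, "factor": acct.factor.name, "outcome": outcome})
    return outcome
```

Every path leaves the stored password either unchanged or equal to what the site now holds, and each audit record carries the site, factor and outcome but never a credential.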
iOS 27 ships to everyone in September. The developer beta is available now if you want to test it on eligible hardware. Try the Fix Passwords flow on your own flagged accounts and count how many fail on 2FA alone. That number will tell you more about the state of agentic AI than any Siri demo.