
MacRumors

macrumors bot
Original poster
Apr 12, 2001
59,206
23,126


Apple this week shared a support document with details about its new Security Keys for Apple ID feature, available starting with iOS 16.3, iPadOS 16.3, and macOS 13.2. The document provides an overview of the feature and explains how to use it.


Apple says the optional security feature is designed for individuals who want "extra protection from targeted attacks, such as phishing or social engineering scams." When it is enabled, signing into an Apple ID requires entering your account's password and then using a FIDO Certified security key to complete two-factor authentication, instead of a traditional six-digit verification code from another Apple device.

Those who enable the feature must be very careful not to lose their security keys, as this could result in losing access to your Apple ID account permanently. For this reason, you must set up at least two security keys, with up to six supported in total.

Apple recommends keeping security keys in more than one place. For example, you could hide a key somewhere at home as a backup solution.

"Keep your security keys in a safe place, and consider keeping a security key in more than one place," the document says. "For example, keep one key at home and one key at work. If you're traveling, you might want to leave one of your security keys at home."

To enable Security Keys for Apple ID on an iPhone or iPad, open the Settings app, tap your name, tap "Password & Security," select "Add Security Keys" and follow the on-screen instructions. On the Mac, open the System Settings app, click on your name, click "Password & Security," click "Add" next to "Security Keys," and follow the steps.

Security keys can be removed at any time by repeating the steps outlined above and tapping or clicking on "Remove All Security Keys," at which point your Apple ID reverts to using a six-digit verification code for two-factor authentication.

Many security keys look similar to a USB thumb drive, with some options available with NFC for wireless use and others equipped with Lightning, USB-C, and/or USB-A ports for direct connectivity with iPhones, iPads, and Macs. Apple recommends a few security keys in the document, such as the YubiKey 5Ci with both Lightning and USB-C.

Apple's document provides some other important details, so it is worth reviewing before enabling the feature. For example, you can't sign in to iCloud for Windows when the feature is enabled, and some types of Apple ID accounts are not supported.

Article Link: Apple Explains iOS 16.3's New Security Keys Feature
 
  • Love
Reactions: SFjohn

krspkbl

macrumors 65816
Jul 20, 2012
1,094
2,128
I bought 2x Yubico Keys for this. Well, not just Apple but my other accounts too obviously. I've been thinking of getting a key for a while but now Apple supports it I might as well jump on it now.

I got the Yubico 5 NFC key. Won't arrive for a couple days but excited to set it up. I'll have a read over the document to familiarise myself with how to set it up. Unfortunately most people won't care about security keys so I am one of the few who see this as the biggest feature of 16.3!

Requiring 2x keys will put a lot of people off, I think. I spent almost £100 on the 2 keys. Other accounts allow you to set them up with just 1. I think it's good that Apple requires 2 keys to set it up. If you don't want to spend £100 on security then might as well not bother using a key at all.
 

tomnavratil

macrumors 6502a
Oct 2, 2013
800
1,218
Great addition to the macOS and iOS ecosystem. MFA for most services (unless they are not essential) is pretty much a must these days. SMS 2FA is unfortunately quite weak and can be easily spoofed so utilizing OTP via an authenticator app or using a physical device should be preferred. In case you are not a fan of a physical device, check Raivo OTP, which offers more compared to Google Authenticator and others.
 
  • Like
Reactions: opiapr

nt5672

macrumors 68030
Jun 30, 2007
2,719
5,748
Midwest USA
Knowing how poorly Apple does services I don't expect to be able to trust this for a couple of years.

When I say trust, I mean be able to maintain the verification service without locking me out permanently. Or allowing me to change keys, or delete keys, etc.
 

BenGoren

macrumors regular
Jun 10, 2021
201
595
“For example, you could hide a key somewhere at home as a backup solution.”

No; please don’t do this. You’ll just forget where you put it

“ … and one key at work.”

*PLEASE* don’t do this! Whoever owns the company can trivially steal your account if you do so. Even if you’re the person who owns the company, whoever cleans your office could steal your account.

You should have a secure place at home to keep important documents. At the very least, a drawer of a filing cabinet, but a small fireproof safe is preferable. You can decide the level of security you need, all the way up to a personal bank vault — but don’t rely on obscurity to keep it secure. Keep the backup there.

And it’s a good idea to have a safe deposit box at a bank. Keep the other backup there.

If you really need more than those two backups, then add more safe deposit boxes at different banks, or a locked fireproof safe at a trusted family member’s home, or some other variation on the theme. But you almost certainly don’t need nor want that many backups.

Incidentally, these are also where you should be keeping portable hard drives with backups of whatever data you most care about.

b&
 

krspkbl

macrumors 65816
Jul 20, 2012
1,094
2,128
Urgh, so iPad doesn't have NFC? And I got 2 USB-A keys. There is no point buying a USB-C key just for iPad because I need USB-A for my PC.

I don't know how this is going to work.

Edit: looks like I'll need to use an adapter for my iPad :rolleyes:
 
  • Haha
Reactions: SqlInjection

ajf.350d

macrumors member
Nov 23, 2010
93
41
Worcestershire, UK
If Apple would kindly put NFC in iPads and Macs as well this would be even better, and quicker to use.
Not sure why it isn’t.

Regards keeping one at work, ‘they’ would still need to know the actual account username and password, so fairly low risk, and for most people the most obvious/easiest off site option.
Advantage of course if you work in IT and have access to a media safe 😉
 

krspkbl

macrumors 65816
Jul 20, 2012
1,094
2,128
If Apple would kindly put NFC in iPads and Macs as well this would be even better, and quicker to use.
Not sure why it isn’t.

Regards keeping one at work, ‘they’ would still need to know the actual account username and password, so fairly low risk, and for most people the most obvious/easiest off site option.
Advantage of course if you work in IT and have access to a media safe 😉
I assumed iPad Pro had NFC but nope. I'll need to use a USB-A to C adapter for my iPad.
 

lpolarityl

macrumors 6502a
Dec 1, 2009
504
309
Ohio
Knowing how poorly Apple does services I don't expect to be able to trust this for a couple of years.

When I say trust, I mean be able to maintain the verification service without locking me out permanently. Or allowing me to change keys, or delete keys, etc.
They do a good job if you’re in the ecosystem on more than one device. The only real issue is users forgetting to remove devices from their iCloud / Find My accounts when they sell devices, which isn’t Apple’s fault or problem. This is the one area with their security measures that sticks out as a problem for some users, which is entirely avoidable.

Adding an additional authentication option is nice (and appreciated), knowing Apple it should be easy to set up and integrate (same for developers as well).
 

xbjllb

macrumors 65816
Jan 4, 2008
1,256
171
Two-factor authentication is enough major PITA. I don't work for the NSA, so major pass.

Anyone else want a phone dongle?

Wonder how long it will be before a future iOS update turns it on by default.

Here's a scenario; some of the ppl using these things will be dealing with nuclear emergencies and will lose their dongle and backup dongle or have them appropriated for espionage. Doesn't anyone at Apple ever think of worst-case scenarios?

I know. Corporate culture.
 

krspkbl

macrumors 65816
Jul 20, 2012
1,094
2,128
Decided to just cancel my order for the Yubico keys. Seems like way too much hassle. I am trying to read up on it but I'm confused and I can't be annoyed having to find an adapter any time I want to sign into something on my iPad.

Why do iPads not have NFC Apple???
 

krspkbl

macrumors 65816
Jul 20, 2012
1,094
2,128
Two-factor authentication is enough major PITA. I don't work for the NSA, so major pass.

Anyone else want a phone dongle?

Wonder how long it will be before a future iOS update turns it on by default.

Here's a scenario; some of the ppl using these things will be dealing with nuclear emergencies and will lose their dongle and backup dongle. Doesn't anyone at Apple ever think of worst-case scenarios?

I know. Corporate culture.
You already need 2FA enabled on your Apple account for things like Airtags, iCloud Keychain, Find my iPhone, Apple Card/Cash, and Sign in with Apple.

I don't think they'll force people to use physical keys but they'll keep pushing 2FA. As it is I don't mind having 2FA enabled as it makes my account secure.
 

BenGoren

macrumors regular
Jun 10, 2021
201
595
Regards keeping one at work, ‘they’ would still need to know the actual account username and password, so fairly low risk, and for most people the most obvious/easiest off site option.
Advantage of course if you work in IT and have access to a media safe 😉

Oh, you’re so sweet.

Since this is on company property, “they” would just log into your work account where you certainly have your personal email set up (because you trust them with your security key), and do a password reset with your security key. Or, if necessary, they’ll put a hidden camera behind your desk and record your personal passphrase as you type it.

And you would almost certainly have no legal recourse. It’s their computer to do with as they wish, and they’ll have “reasonable” suspicions that you’re engaging in corporate espionage or the like. You have no expectation of privacy at work, especially from your boss.

Again: no; please don’t do this.

b&
 

Orionfox

macrumors member
Apr 20, 2020
74
68
As someone who loves tech and likes to learn as much as I can, I just can't help to think this security stuff is just way overblown for MOST home users. Maybe it's my days of supporting old Windows (while being a Mac user since 80s) I just don't keep important stuff on my main drive or not on removable drive (or now in say Apple's Cloud)

Maybe I am too old, but I am just tired of having to jump through so many hoops just to log into a website on a new platform (or reimaged system). Had to visit HR to have them reset my account because I changed my phone number and there is no other way for 2 factor on their websites - just to see schedule or view paycheck stubs.

There is a reason I still love my iPhone with a fingerprint reader! Now if Safari / OS could just actually keep my passwords correctly (had been great but lately many sites just claim my password is wrong despite no changes)
 
  • Disagree
  • Haha
Reactions: burgman and opiapr

iStorm

macrumors 6502a
Sep 18, 2012
932
1,235
How does this work with apps on non-Apple devices? For example, signing into the Apple TV or Music app on a smart TV or Roku? I assume you would have to sign-in/activate it through your iPhone or iPad, and not be able to sign in directly on the device?
 

NightFox

macrumors 68040
May 10, 2005
3,039
4,037
Shropshire, UK
Oh, you’re so sweet.

Since this is on company property, “they” would just log into your work account where you certainly have your personal email set up (because you trust them with your security key), and do a password reset with your security key. Or, if necessary, they’ll put a hidden camera behind your desk and record your personal passphrase as you type it.

And you would almost certainly have no legal recourse. It’s their computer to do with as they wish, and they’ll have “reasonable” suspicions that you’re engaging in corporate espionage or the like. You have no expectation of privacy at work, especially from your boss.

Again: no; please don’t do this.

b&
Seriously dude, you need to change jobs.
 
  • Like
Reactions: gusmula and bkaus

sumisu3

macrumors newbie
Feb 4, 2007
8
87


It is great that Apple is adding support for HW security keys - and making it simple. Two keys are important as we all know sometimes HW breaks/fails. But given the recent way layoffs in Tech have been handled I don’t suppose keeping your backup key at the office is the best idea.
 

krspkbl

macrumors 65816
Jul 20, 2012
1,094
2,128
How does this work with apps on non-Apple devices? For example, signing into the Apple TV or Music app on a smart TV or Roku? I assume you would have to sign-in/activate it through your iPhone or iPad?
I thought Apple TV/Music already let you scan a code or go to a site in Safari on your iPhone/iPad to log in? If you have a key then you'd need to do that.
 

ajf.350d

macrumors member
Nov 23, 2010
93
41
Worcestershire, UK
Oh, you’re so sweet.

Since this is on company property, “they” would just log into your work account where you certainly have your personal email set up (because you trust them with your security key), and do a password reset with your security key. Or, if necessary, they’ll put a hidden camera behind your desk and record your personal passphrase as you type it.

And you would almost certainly have no legal recourse. It’s their computer to do with as they wish, and they’ll have “reasonable” suspicions that you’re engaging in corporate espionage or the like. You have no expectation of privacy at work, especially from your boss.

Again: no; please don’t do this.

b&
Not really sweet, just not paranoid.
Fair enough if you work somewhere where you feel like this.
Anyway, just because I would leave a key on site doesn’t mean I would leave accounts logged in etc.
Maybe a small risk, but like anything, do an assessment of pros and cons.

Different ideas I guess.
 

krspkbl

macrumors 65816
Jul 20, 2012
1,094
2,128
I really wanted a key but I can't think of the best way to do it. Either way I need an adapter.

I was going to buy 2x USB-A keys but since iPad doesn't have NFC I'd need to use an adapter any time I wanted to sign into something on iPad. I got USB-A because my PC is mostly those ports. There is a USB-C port but it's awkward to reach (I have a mid tower PC) and I struggle enough plugging in an ethernet cable or a USB-A port. I mostly use my front panel ports.

Best thing I can think of is buying 2x USB-C keys and a USB-A to C adapter and leave it plugged into my PC front panel at all times. But that's more expensive. It was already a tough pill to swallow spending £96 on 2x USB-A keys (cancelled that order) and I don't want to spend £139 for 2x USB-C keys and an adapter.

I'll just stick to using codes in Bitwarden.
 

peregrinIV

macrumors newbie
Oct 2, 2019
6
0


So I think this is a poorly thought through disaster. I have been a long time user of yubikeys and while they are great in my office where they either stay plugged in or are easy to hand (I have 3 and by the way you have to set up each yubikey for all accounts 2 keys + 10 accounts = 20 individual setups ugh!). It becomes a major pain in the behind when on the road. Digging to find where you put it or even if you remembered it. All current yubi keys orgs I use always have bail out option if you do not have it with you or worse you forgot the FIDO password you set with the yubikey you have if they require it (imagine not having used that key in a long time). Apple asks for the Apple ID a lot in my experience and this is just a prescription for disaster for regular folks when the lock out is permanent. Locking out old devices due to non-support is even worse. So Apple please please please open a bail out option for now, do not curse the yubi key (a very good security tool) because you made poor choices to start, and give us by device choice rather than all in or all out.
 
  • Like
Reactions: cjgrif