The codes are generated by individual services when you enable 2FA and add a security key to the account.

Some sites give you a series of one-time use codes. Others give you only one. Typically you’d save this meta information in a password manager, maybe one distinct from your primary password manager or even simply printed and stored offline.

You can then use these codes on ANY device should you lose a key. This has the effect of disabling 2FA typically.

But the preferred method is to add multiple keys. If one dies, breaks, or is lost, you buy a replacement. Then you grab your backup key, log in and then add your NEW replacement key. You do this for every account. A password manager with a good system of tracking meta information makes this all much simpler.
I see. That's helpful information. If I were to ever use a security key, I think I'd primarily use it with my AppleID / iCloud account. Does Apple provide these recovery codes once a security key is added?
 
I have heard of Yubikey and my institution uses it, although I've never worked in a department that requires it. That said, what other security keys are reputable to consider for a largely Mac / iPhone / iPad user?

I was looking at Yubikey's offerings and it has a model that can connect by NFC and USB-C which fits what I would be looking for -- 1 key that has the required connections for any of my Apple items.
 
Does Apple provide these recovery codes once a security key is added?
Not automatically. You can generate a recovery key for your iCloud account at any time, independently of the security key feature.
It is required for the advanced data protection, though. When you activate that you will have to generate a recovery key first (or to set up a recovery contact).
 
I realize I have a Yubikey 4, would it work? I got it free with a Wired subscription.
 
I think this is bizarre. "Security Keys" like this have been around for decades. But using them for accessing your account and touting them as a "password replacement" as I've seen stated goes against the message for years:

Use the iPhone as a device to unlock the door to your house. No physical key needed. Use the iPhone to get in to and start your car, no physical key needed. Use the iPhone to get in to your hotel room, no physical key needed. Physical keys are just not needed anymore! But wait! To get in to your iPhone, you need a physical key! (I know - the iCloud account doesn't require login frequently - just making a point)
 
Not automatically. You can generate a recovery key for your iCloud account at any time, independently of the security key feature.
It is required for the advanced data protection, though. When you activate that you will have to generate a recovery key first (or to set up a recovery contact).
Ah yes, I do have those recovery codes. So this means even if I now newly add a security key to my account authentication, if I lose that key, I can use those recovery codes (generated prior to adding the security key) to recover/log in to my account? Interesting.

This whole plethora of ways to access and recover accounts (key vs. no key, etc.) is really confusing and a whole lotta mumble jumble :) even from my viewpoint of someone who is somewhat of a tech geek. I can't imagine how confusing this would be to the average person and what a world of black box all of this is.
 
So how would you use these to sign into an Apple TV? Or do you still need to use SMS codes?

Come to think of it, if you set up these keys, can SMS be disabled?

Edit: Never mind, Apple support document covered it.
 
Apple's document provides some other important details, so it is worth reviewing before enabling the feature. For example, you can't sign in to iCloud for Windows when the feature is enabled, and some types of Apple ID accounts are not supported.
The Apple support document mentions the keys replace the six digit codes (I'm assuming SMS codes and codes from other Apple devices). Does this mean it's not possible to sign into iCloud for Windows period?
 
Ah yes, I do have those recovery codes. So this means even if I now newly add a security key to my account authentication, if I lose that key, I can use those recovery codes (generated prior to adding the security key) to recover/log in to my account?
Yes, that's how I understand it.
In real life, though, several accidents should happen simultaneously in order to get to a point where you need to resort to the recovery key. You'd have to lose both physical keys, plus all of your already logged-on devices. Unless you do something really stupid, this is extremely unlikely to happen.
As long as you have at least one device that's already logged in to your account, you can use it to remove the missing key and to add another one, or even to remove both keys and revert to the good old six-digit code.
The most likely scenario where a recovery code would be needed is if you forget your Apple ID password. You'll need the code to reset the password even if you have a security key (I'm not sure if you can skip the recovery code if you can produce two physical keys, but my guess would be no).
 
This whole plethora of ways to access and recover accounts (key vs. no key, etc.) is really confusing and a whole lotta mumble jumble :) even from my viewpoint of someone who is somewhat of a tech geek. I can't imagine how confusing this would be to the average person and what a world of black box all of this is.
You're absolutely right. My thoughts exactly. I've been an IT geek since the early Nineties, and still find it a bit difficult to get my head around these things. :)
 
The Apple support document mentions the keys replace the six digit codes (I'm assuming SMS codes and codes from other Apple devices). Does this mean it's not possible to sign into iCloud for Windows period?
The way the support document reads to me the answer is yes. With that said, I enabled Security Keys on my Apple ID this morning. During the process you have the option to log out devices or not. I chose not to log out any of my signed in devices and it looks like my one iCloud for Windows device is still working. I expect until there is an iCloud for Windows update released that new sign in attempts on Windows will fail.
 
I see no reason why iCloud for Windows couldn't work with security keys. After all, Windows can handle security keys natively just fine. I expect this to be just a temporary situation, until they manage to update the app.
 
I think this is bizarre. "Security Keys" like this have been around for decades. But using them for accessing your account and touting them as a "password replacement" as I've seen stated goes against the message for years:

Use the iPhone as a device to unlock the door to your house. No physical key needed. Use the iPhone to get in to and start your car, no physical key needed. Use the iPhone to get in to your hotel room, no physical key needed. Physical keys are just not needed anymore! But wait! To get in to your iPhone, you need a physical key! (I know - the iCloud account doesn't require login frequently - just making a point)
The key is acting in place of the 2FA 6 digit code.
 
For those considering using the Security Keys functionality and the recommendation to treat one as a "backup" key, here is what I posted back when this was first announced by Apple:

The downside to keeping your backup key in a less than convenient location is that people may become lax in registering the backup key when signing up with their primary key at some new service/website/etc.

Presently I have two Yubikeys, one that stays at my desk and one that is attached to my car keys. Whenever I sign up for a new service/website/etc. I sign up with the key at my desk then grab my car keys and register that key at the same time. Admittedly this does not always work, say when I'm out and about and sign up for something new. Since I use a password manager I also make notations on which Yubikeys are registered to which sites/services and can then periodically go back and register any missing keys as needed.

Either way I try not to treat my keys as primary/backup but as equals. Yes this is less convenient, however I am ok with the tradeoff.
 
For those considering using the Security Keys functionality and the recommendation to treat one as a "backup" key, here is what I posted back when this was first announced by Apple:
Very good points.
I have three Yubikeys, which I try to treat as equals, though not all services will allow that. For instance, Microsoft accounts only allow two physical keys, while PayPal only allows one. So one of them will always have to be more equal than the others. :)
But whenever I can register all three of them, I do.
 
As someone who loves tech and likes to learn as much as I can, I just can't help to think this security stuff is just way overblown for MOST home users. Maybe it's my days of supporting old Windows (while being a Mac user since the 80s), I just don't keep important stuff on my main drive or not on removable drive (or now in say Apple's Cloud)

Maybe I am too old, but I am just tired of having to jump through so many hoops just to log into a website on a new platform (or reimaged system). Had to visit HR to have them reset my account because I changed my phone number and there is no other way for 2 factor on their websites - just to see schedule or view paycheck stubs.

There is a reason I still love my iPhone with a fingerprint reader! Now if Safari / OS could just actually keep my passwords correctly (had been great but lately many sites just claim my password is wrong despite no changes)
As a tech professional and masters in cyber-security, if anything it's far, far worse than most realize. Password leaks are a constant occurrence, and people use the same passwords (if not easy derivatives). 2FA can be compromised easily. It's as easy as a Google search (how to bypass 2FA).

In a way, this moves it closer to 3FA, although Apple does tie the passwords with facial ID. You can't just pick from the same categories to make it 3FA, so slightly misleading. Even 4FA is not uncommon. Simply incorporate a possession, location, bio-metric, and knowledge factor.

Just because you have nothing to hide, others might. Personal communications, private photos, tax forms, etc.
 
Speaking of security and 2FA, 3FA, whatever, it boggles my mind that some websites still use so-called "security questions" as a means of resetting your password in case you forget it. This is the stupidest thing ever invented in the history of computers. It has absolutely nothing to do with security, and everything to do with sparing their tech support the trouble of dealing with forgetful users. How on Earth can anybody in their right mind think that resetting a password merely by answering a question like, "what's your mother's middle name", or "which primary school did you attend", which is more or less public information, can contribute in any way to security?

I never, ever, under any circumstances, activate this option on any website I log on to. And if one of them happens to impose it (because I've seen such cases, where you cannot continue until you pick a question and an answer), then I will type a completely unrelated answer, which doesn't make any sense, or simply strike the keyboard randomly a few times.
 
Use the iPhone as a device to unlock the door to your house. No physical key needed. Use the iPhone to get in to and start your car, no physical key needed. Use the iPhone to get in to your hotel room, no physical key needed. Physical keys are just not needed anymore!
My point would be that the iPhone itself has become the physical key.
 
My point would be that the iPhone itself has become the physical key.

Right - should be. But with the security key idea, you need a physical key to unlock a physical key? Point being there are many things that can be done to help identify if someone is who they say they are. Location is one. If you normally log in at location X and do so then within 15 minutes your ID is logging in 10 hours away, chances are that's not you. That's one example of many.
 
Speaking of security and 2FA, 3FA, whatever, it boggles my mind that some websites still use so-called "security questions" as a means of resetting your password in case you forget it. This is the stupidest thing ever invented in the history of computers. It has absolutely nothing to do with security, and everything to do with sparing the tech support the trouble of dealing with forgetful users. How on Earth can anybody in their right mind think that resetting a password merely by answering a question like, "what's your mother's middle name", or "which primary school did you attend", which is more or less public information, can contribute in any way to security?

I never, ever, under any circumstances, activate this option on any website I log on to. And if one of them happens to impose it (because I've seen such cases, where you cannot continue until you pick a question and an answer), then I will type a completely unrelated answer, which doesn't make any sense, or simply strike the keyboard randomly a few times.

Well - it is much faster enabling end users to help themselves than call in to a help desk for assistance. So yes, it is to help spare tech support from wasting time helping people when there are other options and allow them to help with real technical issues. Passwords have been something the end users come up with on their own. They are a pain when you do them right (with different ones for different sites) which is a reason for secure password storage options (1Password, eWallet, etc.)

The security questions are a great idea in theory. Should you ever answer them "truthfully"? or the same across web sites? Nope. And no one said you had to. You don't really want them to make sense or be "related" that's the point.
 
Well - it is much faster enabling end users to help themselves than call in to a help desk for assistance.
Sure it is much faster. But also a lot less secure.

The security questions are a great idea in theory. Should you ever answer them "truthfully"? or the same across web sites? Nope. And no one said you had to. You don't really want them to make sense or be "related" that's the point.
Well, in that case how are they supposed to help? If you can't remember your password, then how will you remember an answer that doesn't make sense? If the question was, say, "what was the name of your first dog", and instead of "Snappy" you answered (wrongly) "John", then will you be able to remember this random answer two years later, if you can't even remember a password?
I'd wager that the overwhelming majority of regular, non-tech-savvy users pick a simple question and give a correct answer. And they live happily thereafter thinking that their account is secure, when in fact this couldn't be further from the truth.
 
They are very durable; enough so that they market them to be able to be put on a keychain, which I did in the past with no problems.
Hmmmm.

Variable, based on my experience. The 5c is bomber. The casing on the 5cis is brittle and cracks easily, and eventually the key fails. Worth pointing out that the 5ci doesn’t work well on a keychain.

I don’t keep my keys on a keychain. They are on a loop of paracord and secured inside my bag.
 