Sure it is much faster. But also a lot less secure.


Well, in that case how are they supposed to help? If you can't remember your password, then how will you remember an answer that doesn't make sense? If the question was, say, "what was the name of your first dog", and instead of "Snappy" you answered (wrongly) "John", then will you be able to remember this random answer two years later, if you can't even remember a password?
I'd wager that the overwhelming majority of regular, non-tech-savvy users pick a simple question and give a correct answer. And they live happily thereafter thinking that their account is secure, when in fact this couldn't be further from the truth.
For those ancient websites that rely on “something you know”, I record my nonsensical answers to security questions in my password manager.
 
Bleh, something else to carry around and forget, or worse get stolen. I've resigned myself to using a password manager protected by a very high-entropy (over 100 bits) password that is mnemonically remembered.
 
For those ancient websites that rely on “something you know”, I record my nonsensical answers to security questions in my password manager.
Fair enough, but if you're going to use a password manager anyway, then you might as well store the password in there and be done with it. You'll never need to know the answer to that question.
 
For those considering using the Security Keys functionality and the recommendation to treat one as a "backup" key, here is what I posted back when this was first announced by Apple:
Outstanding point for this discussion. And @Vlad Soare I have a similar strategy.

But I actually use the slight friction security keys introduce as a barrier. If sites don’t support security keys, I think hard about whether or not I really want to join the site. Then I usually back out.

I track which sites I use that support keys in my PM, and if they do, which keys I’ve added. That makes it simple to revisit sites should I get a new key.
 
Security keys aren't supposed to replace the password, but to complement it. They're the second factor.

Yeah I totally get it and see the added benefit. But I've worked hard to ditch everything but my phone from my pockets, heck some days I ditch everything but my Apple Watch. I can see forgetting and/or losing one of these really easily. I suppose they would be really useful if I was tortured and gave up my password, but didn't have my key on me.
 
I have heard of Yubikey and my institution uses it, although I've never worked in a department that requires it. That said, what other security keys are reputable to consider for a largely Mac / iPhone / iPad user?

I was looking at Yubikey's offerings and it has a model that can connect by NFC and USB-C which fits what I would be looking for -- 1 key that has the required connections for any of my Apple items.
I use the Yubikey 5c and 5NFC.

Also take a look at the OnlyKey which is a pretty interesting device with a fairly steep learning curve.
 
But I actually use the slight friction security keys introduce as a barrier. If sites don’t support security keys, I think hard about whether or not I really want to join the site. Then I usually back out.

That depends. I'm active on several forums, most of which (including MacRumors) don't accept security keys, though about half of them do support TOTP codes - which I'd say are good enough. If a site doesn't support any 2FA whatsoever, then indeed, I will think twice about registering, though in most cases I will probably decide that the amount of knowledge I could gain from it is worth the trade-off. I'll just use a unique strong password and hope for the best. If that site gets hacked, I'll lose nothing. :)


I track which sites I use that support keys in my PM, and if they do, which keys I’ve added. That makes it simple to revisit sites should I get a new key.
Me too. I keep a secure note in my Keychain for that.


But sometimes answers to the security questions ARE the second factor, not just for account recovery.
That's absolutely pointless. The whole point of 2FA is to add something you have (e.g. phone, laptop, Yubikey, whatever) to something you know (i.e. password). Using something you know as a second factor is a stupid idea. It's just like having one password which you are asked to split in half and to enter each half separately.
Whoever designs a website like that should quit working in IT and take up carpentry instead.

Of course, if you come across a website that's set up like that, then you have no other choice but to generate two strong passwords, one of which will be the password per se, and the other one the answer to the so-called "security" question, then to store both in your password manager. Frankly, in this case I would strongly consider whether that site is really worth registering on. I think this design would be an even stronger deterrent for me than the lack of support for physical keys is for you. :)
 
Yeah I totally get it and see the added benefit. But I've worked hard to ditch everything but my phone from my pockets, heck some days I ditch everything but my Apple Watch. I can see forgetting and/or losing one of these really easily. I suppose they would be really useful if I was tortured and gave up my password, but didn't have my key on me.
That's fair. In that case TOTP codes from an authenticator app residing on your phone may be a good enough alternative. Push notifications are even better, but sadly not many websites support them.

This isn't about being tortured. If you are tortured by the FBI to give up your PIN or password, then they won't need to use 2FA, since they'll have your phone, which is already logged in. Besides, by the time you give them your PIN after having taken a good beating, their colleagues will have already raided your house and found the Yubikey - assuming it wasn't with you to begin with.
We're not talking about movie scenarios. 2FA is meant to protect against attacks carried out remotely - especially (but not limited to) phishing. Of all the 2FA methods, physical keys are the most secure. They're immune to most, if not all, kinds of attack that a common person may conceivably be subjected to.

As for losing it, sure, it does indeed require a bit of care. And you must have at least two of them, one of which should be stored in a safe place, separated from the other. Yes, it's a bit of a faff, but I think it's worth it. Do you always have your wallet with you? Are you confident you're not going to lose it? Then keep the Yubikey in it. Or, do you always have your car keys with you, and are you confident you aren't going to lose them? If yes, then put the Yubikey on the same keychain. Or, if even that isn't applicable, then just leave it in a safe place at home. Unless you're logging in to your iCloud account on a completely new device, you won't need it. You don't need constant access to it all day long.
 
That depends. I'm active on several forums, most of which (including MacRumors) don't accept security keys, though about half of them do support TOTP codes - which I'd say are good enough. If a site doesn't support any 2FA whatsoever, then indeed, I will think twice about registering, though in most cases I will probably decide that the amount of knowledge I could gain from it is worth the trade-off. I'll just use a unique strong password and hope for the best. If that site gets hacked, I'll lose nothing. :)



Me too. I keep a secure note in my Keychain for that.



That's absolutely pointless. The whole point of 2FA is to add something you have (e.g. phone, laptop, Yubikey, whatever) to something you know (i.e. password). Using something you know as a second factor is a stupid idea. It's just like having one password which you are asked to split in half and to enter each half separately.
Whoever designs a website like that should quit working in IT and take up carpentry instead.

Of course, if you come across a website that's set up like that, then you have no other choice but to generate two strong passwords, one of which will be the password per se, and the other one the answer to the so-called "security" question, then to store both in your password manager. Frankly, in this case I would strongly consider whether that site is really worth registering on. I think this design would be an even stronger deterrent for me than the lack of support for physical keys is for you. :)

Unfortunately, you don’t get to choose which sites you are required to interact with in all cases.

And many of the sites which should have the best security often don’t. I’m looking at financial institutions, travel industry, utilities, etc.

You might call them second passwords, but security questions are totally valid for 2FA, which is

* something you know
* something you have
* something you are

Do I like them? No. Do I use them? Only when I absolutely must.

As for registering on a site just to gain access to content? Nope.
 
You might call them second passwords, but security questions are totally valid for 2FA, which is

* something you know
* something you have
* something you are
Security questions are something you know. So is the password. So those two put together are practically 1FA.

As for registering on a site just to gain access to content? Nope.
What do you mean? Why else did you register on MacRumors, if not to get access to content?
I, for one, think that the amount of knowledge I've gained from this forum during the past four years or so since I joined was totally worth it. So much so that I would have stayed here even if no 2FA method had been offered.
 
I have a total of 5 Yubikeys in differing form factors.

  1. Yubikey 5C (the USB-C one with NFC). This is on a titanium ball chain (like a dog tag chain) that is always around my neck (except in the shower).
  2. Yubikey Nano (the USB-C one) is plugged into my thunderbolt hub at home.
  3. Yubikey 5 NFC (the USB-A one) in a safe at home
  4. Yubikey 5CI (USB-C + Lightning) in a different safe at home
  5. Spare Yubikey 5NFC (the USB-A one) sits in a safe at my parents' house.

I've used these now for several years, ever since Google introduced their advanced protection capability. I use them on every site where they are supported and love them.

Google used Yubikeys successfully to prevent ALL account takeovers on their accounts for several years now. I figure Google is a much bigger target than my Labradoodle photos in iCloud so I'm confident it is pretty good.



Even with all that, I only really need to use these keys when I'm logging into a site from a new device or browser. I rarely need them in day to day life. I think some people here who are talking about "another thing to lose / carry etc" are losing sight of the fact you don't need them every time you pick up your phone.
 
I only really need to use these keys when I'm logging into a site from a new device or browser. I rarely need them in day to day life. I think some people here who are talking about "another thing to lose / carry etc" are losing sight of the fact you don't need them every time you pick up your phone.
Exactly. 👍
 
Unfortunately, you don’t get to choose which sites you are required to interact with in all cases.

And many of the sites which should have the best security often don’t. I’m looking at financial institutions, travel industry, utilities, etc.

You might call them second passwords, but security questions are totally valid for 2FA, which is

* something you know
* something you have
* something you are

Do I like them? No. Do I use them? Only when I absolutely must.

As for registering on a site just to gain access to content? Nope.
You've hit on a pet peeve. I'm a United Frequent flyer of the highest order (Global Services). Which means that the points & benefits in my account are quite valuable. All it takes for someone to obtain my username is to either get my email, or find a boarding pass I may have dropped (which has my frequent flyer number on it).

United's "second factor" is to ask one of three categories of insanely dumb questions, with each question only having about a dozen or so possible answers in a dropdown.

When I call the airline to make changes to my reservation, they ask me "What is your favorite summer sporting activity" ... I'd be willing to bet that 99% of their high-mileage frequent flyers will choose the GOLF option from their dropdown. This is so incredibly stupid it drives me nuts.

Meanwhile, my bank only uses SMS as a second factor... which we all know has been widely exploited with SIM swap attacks. Hell, I'd settle for Google Authenticator as an option for both places.

The icing on the cake is many sites that DO allow you to use Google Authenticator or Yubikeys as a 2nd factor don't allow you to disable the SMS. Many require you to set up SMS before you can add others, then don't let you remove it. Meaning the weakest link in the chain is STILL SMS. I think Apple's approach of auto-disabling other methods once you've loaded 2 keys is pretty good.
 
Even with all that, I only really need to use these keys when I'm logging into a site from a new device or browser. I rarely need them in day to day life. I think some people here who are talking about "another thing to lose / carry etc" are losing sight of the fact you don't need them every time you pick up your phone.

Until you get caught logging into a site from a new device or browser and realize you left your key at home. It happens more often than you think, new hardware, re-installation of software, using a different computer, etc. Sure maybe not every day, but it does matter that particular day you get caught with no key.

I'm definitely not trying to denigrate these keys, I definitely see the benefit. I'm just more comfortable with a super high entropy password and an authentication app/2FA.
 
Sure it is much faster. But also a lot less secure.


Well, in that case how are they supposed to help? If you can't remember your password, then how will you remember an answer that doesn't make sense? If the question was, say, "what was the name of your first dog", and instead of "Snappy" you answered (wrongly) "John", then will you be able to remember this random answer two years later, if you can't even remember a password?
I'd wager that the overwhelming majority of regular, non-tech-savvy users pick a simple question and give a correct answer. And they live happily thereafter thinking that their account is secure, when in fact this couldn't be further from the truth.

Simple. It may not make sense to someone else, but it does to you. Perhaps you use the same question(s) and answer(s) across sites?

You are really making this harder than it needs to be.
 
Perhaps you use the same question(s) and answer(s) across sites?
...which is, of course, rule no. 1 in the best security practices manual, isn't it? 😁

Sure, you can justify it all you want and find whatever workarounds may happen to work for you, but the fact remains that it's nothing more than a convenience thing that does absolutely nothing to enhance security and a lot to weaken it.
 
Until you get caught logging into a site from a new device or browser and realize you left your key at home. It happens more often than you think, new hardware, re-installation of software, using a different computer, etc. Sure maybe not every day, but it does matter that particular day you get caught with no key.

I'm definitely not trying to denigrate these keys, I definitely see the benefit. I'm just more comfortable with a super high entropy password and an authentication app/2FA.
To each his own. I travel for a living and simply always have mine around my neck. Phone, wallet, Yubikey is just part of my routine before I leave the door.
 
Security questions are something you know. So is the password. So those two put together are practically 1FA.

Call them what you will, but the point is that this is not how they are referred to.

What do you mean? Why else did you register on MacRumors, if not to get access to content?
I, for one, think that the amount of knowledge I've gained from this forum during the past four years or so since I joined was totally worth it. So much so that I would have stayed here even if no 2FA method had been offered.
I joined MacRumors in 2005 and continue to use and enjoy the site to this day.

Nowadays I am very selective over the sites that I join whether or not they provide 2FA, although the LACK of 2FA seriously dissuades me.
 

There is a new Apple support doc that makes some specific key recommendations.
I was just going to share that. Thank you.

I found the document very well written for a technical subject. I highly recommend it if you are just getting your head around the operational details of security keys.
 
You've hit on a pet peeve. I'm a United Frequent flyer of the highest order (Global Services). Which means that the points & benefits in my account are quite valuable. All it takes for someone to obtain my username is to either get my email, or find a boarding pass I may have dropped (which has my frequent flyer number on it).

United's "second factor" is to ask one of three categories of insanely dumb questions, with each question only having about a dozen or so possible answers in a dropdown.

When I call the airline to make changes to my reservation, they ask me "What is your favorite summer sporting activity" ... I'd be willing to bet that 99% of their high-mileage frequent flyers will choose the GOLF option from their dropdown. This is so incredibly stupid it drives me nuts.

Meanwhile, my bank only uses SMS as a second factor... which we all know has been widely exploited with SIM swap attacks. Hell, I'd settle for Google Authenticator as an option for both places.

The icing on the cake is many sites that DO allow you to use Google Authenticator or Yubikeys as a 2nd factor don't allow you to disable the SMS. Many require you to set up SMS before you can add others, then don't let you remove it. Meaning the weakest link in the chain is STILL SMS. I think Apple's approach of auto-disabling other methods once you've loaded 2 keys is pretty good.
Waving to you from over here, as a tippy top tier butt-in-seat flyer at the OTHER partner alliance with an absurd balance of miles. It’s the same story there. The lack of protection on these highly valuable accounts is ridiculous. Hotel rewards are absolutely no different.

As for the multiple 2FA methods issue, I couldn’t agree more. I understand some may want to have multiple methods enabled, but it should at least be an option to disable those you don’t need or feel comfortable with.

I have one bank that only offers security questions. Their website is a generic financial one for small credit unions that looks like it is out of 1999. I have another (major US bank) that generously lets you buy an RSA device from them for your account, but not disable other 2FA methods. When I log in, I have my choice of RSA device, email, SMS, or a phone call. Absurd.
 
I’d love to see Apple require the security key to change the Apple password on a trusted device.

As far as I can see, this does nothing to stop someone either spying on a passcode or password or threatening for the passcode and obtaining the device. Since it’s a trusted device, then you can turn off security keys, disable data protection etc.

Security keys have a purpose, but the weakest point remains the passcode or Mac password as far as I can see?

As soon as that passcode is compromised, the attacker could basically stop a user from accessing their data, photos, keychain forever, and also stop Apple from also accessing it with exactly the same tools designed to protect the customer.

Am I missing something here?
 
I’d love to see Apple require the security key to change the Apple password on a trusted device.

As far as I can see, this does nothing to stop someone either spying on a passcode or password or threatening for the passcode and obtaining the device. Since it’s a trusted device, then you can turn off security keys, disable data protection etc.

Security keys have a purpose, but the weakest point remains the passcode or Mac password as far as I can see?

As soon as that passcode is compromised, the attacker could basically stop a user from accessing their data, photos, keychain forever, and also stop Apple from also accessing it with exactly the same tools designed to protect the customer.

Am I missing something here?
I believe security keys ARE required to change your password, even from a trusted device, although I don’t know this from direct experience. I’ll try it in a moment.

But sure, if someone gets a hold of a trusted device they can wreak havoc, first off by disabling keys. I haven’t tried removing security keys but presume it would require your password, not just device passcode.

The security keys DO prevent someone from taking a stolen password and enabling a new trusted device on your account.
 