I despise those things. One job I had tried to implement them. Mass revolt amongst employees made management back off and they went away.
really? yubis are fairly reliable. the usb-c lightning combo isn't my first choice but the usb-c or usb-a ones are fairly solid.
 
Anyone who knows your passcode because you told them or because they snooped on you will be able to remove the key no questions asked
edit: well sure, your device is a trusted device. there has to be an allowance for usability.
 
I bought two, but I haven't set them up yet, since I am going to buy more before switching. I'm gonna send them to family members, just in case I lose my two.
 
Reminds me of the iLok USB security device that I encountered when I worked in recording studios.

Not a fun day AT ALL when no one can find the damn thing.

I know you say it just reminds you but a comparison to iLok is pretty unfair. Software needing hardware dongles in general has a negative connotation.

iLok was tied down to a specific app. I dealt with them too in large format printing (RIP). Security keys don't need to be used daily in order to protect your account.
 
This is useless to me. As @Apple_Robert mentioned, if the thief knows my passcode, they can easily hack into my Apple ID if my device is stolen.
The point isn’t that the thief can’t log in if they know your passwords. It’s that they can’t change your AppleID account logins and lock you (the owner) out, even though they have access. The issue has been with thieves, after gaining access, locking the owner out of everything, causing the original account holder to lose access to potentially TBs of information, and they normally do this within minutes of gaining access to your device. So even though you realize you lost your phone 15 minutes ago, you are already forever locked out of everything. Preventing that account change is huge, and as some victims have said, they would pay thousands to regain access to the photos and files. And importantly, change the passwords and lock them out.
 
The point isn’t that the thief can’t log in if they know your passwords. It’s that they can’t change your AppleID account logins and lock you (the owner) out, even though they have access. The issue has been with thieves, after gaining access, locking the owner out of everything, causing the original account holder to lose access to potentially TBs of information, and they normally do this within minutes of gaining access to your device. So even though you realize you lost your phone 15 minutes ago, you are already forever locked out of everything. Preventing that account change is huge, and as some victims have said, they would pay thousands to regain access to the photos and files. And importantly, change the passwords and lock them out.

If accurate, this would be good, but the article states you can just remove them from the account by reversing the steps without need for them. Apple's web site agrees with the article. I haven't tried it to verify, but if the article is correct then it doesn't seem like it would protect the account since the thief would just remove the keys and you are screwed.

I hope you are correct though.
 
If accurate, this would be good, but the article states you can just remove them from the account by reversing the steps without need for them. I haven't tried it to verify, but if the article is correct then it doesn't seem like it would protect the account.

I hope you are correct though.

The security keys do not protect your Apple ID if someone has access to your phone and knows your passcode. They can reset your Apple ID password, remove any security keys, reset any recovery codes/contacts, and permanently lock you out of your Apple ID and iCloud account. All without needing the security keys you added to your account. Apple’s security design is very flawed.
 
I will look into this….but…

I would like to choose when I want to use it. I wouldn’t need to use this for home-based devices, but only when on the go with those devices for instance.
 
The security keys do not protect your Apple ID if someone has access to your phone and knows your passcode. They can reset your Apple ID password, remove any security keys, reset any recovery codes/contacts, and permanently lock you out of your Apple ID and iCloud account. All without needing the security keys you added to your account. Apple's security model is very flawed.
That's what I thought so the post I quoted wasn't correct, alas.

You are right that it is extremely flawed which was why I was hoping my understanding was wrong.
 
I use the poor man's method to secure my iCloud account and passwords by setting a separate 4-digit code via Screen Time. Even if someone steals my iPhone and even if they guess my password to unlock my phone, they still won't be able to delete/update my iCloud password and turn off Location Services. Hopefully, this will slow down the thief and give me time to locate my device or block it completely before more harm is done.

It's not perfect. They can still get into my financial and other apps on my phone but my Apple ID should remain secure... I hope I never have to test this in real life.

Here is how I set it up.

1. Open Screen Time

2. Enable Content & Privacy Restrictions (you will be required to enter a new passcode). Enter a passcode that you will remember but is different from the passcode that you use to unlock your phone.

3. Don't allow Location Services


4. I also blocked Passcode Changes and Account Changes.

When they try to disable any of these services, the option will be greyed out.

When someone (including myself) tries to undo this in Screen Time, I'll have to enter the passcode.

Feel free to try this out and let me know if you secure any other settings!

ADDENDUM:

I stand corrected. @marvin_h sent me the following link which outlines how easy it is to bypass.


Still, if it adds just one more roadblock, no matter how small, and costs me nothing more, I'll take it.

I hope I'll never have to put it to the test!

I appreciate all you guys! This forum is the best!
 
I use the poor man's method to secure my iCloud account and passwords by setting a separate 4-digit code via Screen Time. Even if someone steals my iPhone and even if they guess my password to unlock my phone, they still won't be able to delete/update my iCloud password and turn off Location Services. Hopefully, this will slow down the thief and give me time to locate my device or block it completely before more harm is done.

It's not perfect. They can still get into my financial and other apps on my phone but my Apple ID should remain secure... I hope I never have to test this in real life.

Here is how I set it up.

1. Open Screen Time

2. Enable Content & Privacy Restrictions (you will be required to enter a new passcode). Enter a passcode that you will remember but is different from the passcode that you use to unlock your phone.

3. Don't allow Location Services

4. I also blocked Passcode Changes and Account Changes.

When they try to disable any of these services, the option will be greyed out.

When someone (including myself) tries to undo this in Screen Time, I'll have to enter the passcode.

Feel free to try this out and let me know if you secure any other settings!
That workaround can be easily bypassed. The best it can do is temporarily slow down a thief.
 
I know you say it just reminds you but a comparison to iLok is pretty unfair. Software needing hardware dongles in general has a negative connotation.

iLok was tied down to a specific app. I dealt with them too in large format printing (RIP). Security keys don't need to be used daily in order to protect your account.
I agree.

I mentioned it because I would be nervous about losing it. If you don't need it every day you might not keep track of it and be in a jam when you don't know where it is.

Maybe Apple should bundle these with an AirTag :apple:.
 
I use the poor man's method to secure my iCloud account and passwords by setting a separate 4-digit code via Screen Time. Even if someone steals my iPhone and even if they guess my password to unlock my phone, they still won't be able to delete/update my iCloud password and turn off Location Services.

Except that it doesn't secure them, it only slows them down slightly. Seconds to minutes if they are quick about it. So unfortunately it doesn't help much.

Unfortunately the security keys don't help either. Let's hope that they fix the design soon.
 
Except that it doesn't secure them, it only slows them down slightly. Seconds to minutes if they are quick about it. So unfortunately it doesn't help much.

Unfortunately the security keys don't help either. Let's hope that they fix the design soon.
I cannot tell you how many flash drives I have misplaced over the years, so I fear losing my security key and then I'm really screwed without anyone having to steal my device.

Am I missing something with this approach? How do the thieves bypass my second screen time pin without trying to crack the 4-digit pin? Is there a back door? I realize that it could take time to methodically run through the 10,000 combinations. Not the most secure I agree, but if it slows them down long enough for me to take action, then it's better than no security key and no password.

I'm just asking because I want to learn and know what I am up against.
 
As it has been noted, the keys primarily just protect anyone from adding new devices or remotely logging into your Apple device without a security key.

This may not seem like much of a raising of the bar for security, but don't be deceived, it actually protects you from a remote attack very well, something for which you had to depend in the past on only password/2FA by another Apple device. And that is why Apple wants you to have at least two keys; if you lose them even Apple cannot get you back into your AppleID.

So it is true also, that it does not protect existing devices (like iPhone/Mac), if they can log on to them to change the applied settings. So control access to your phone and protect the passcode like a crown jewel. Or more mundane, just like your car keys or house keys.

Final thought, security is always a trade-off between raising the bar very high vs just too much work/hassle and you bypass the enhanced security or, worse, just never implement it. For example, you have to enter a 30 character password. Unless you have a password manager, you just write it down and post it under the keyboard or, worse, on the top of the screen. It does happen.

I think Apple's implementation is reasonable for most users. Also, the same HW key can be used for enhanced security on other sites/apps that truly do demand a hardware security key for any logon, like Fastmail or Protonmail.
 
What You Can't Do With Security Keys

There are a few things worth noting that you can't do with security keys.
  • You can't use them to sign in to iCloud for Windows.
  • You can't sign in to older devices that can't be updated to a software version that supports security keys.
  • Security keys don't support child accounts and Managed Apple IDs.
  • Apple Watches that are paired with a family member's iPhone aren't supported.
So, the second one — "You can't sign in to older devices that can't be updated to a software version that supports security keys" — means your older devices simply won't be able to log in to your Apple ID anymore, even if they were previously linked to it?
 
So, the second one — "You can't sign in to older devices that can't be updated to a software version that supports security keys" — means your older devices simply won't be able to log in to your Apple ID anymore, even if they were previously linked to it?
Yes this is for me the biggest problem. If you have older devices not able to be updated to latest OS with security key feature, they are basically unusable.
 
Another device to lose, break, or just refuse to work when it's desperately needed. After you’ve locked yourself out of your device and get with Apple Genius to restore it, bring original receipt of purchase, two forms of I.D., proof of residence, and your neighbor's cat in order to get Apple to restore your device back to usability. Otherwise it's a brick!
 