I use the poor man's method to secure my iCloud account and passwords by setting a separate 4-digit code via Screen Time. Even if someone steals my iPhone and even if they guess my password to unlock my phone, they still won't be able to delete/update my iCloud password and turn off Location Services. Hopefully, this will slow down the thief and give me time to locate my device or block it completely before more harm is done.

It's not perfect. They can still get into my financial and other apps on my phone but my Apple ID should remain secure... I hope I never have to test this in real life.

Here is how I set it up.

1. Open Screen Time

2. Enable Content & Privacy Restrictions (you will be required to enter a new passcode). Enter a passcode that you will remember but is different from the passcode that you use to unlock your phone.

3. Don't allow Location Services


4. I also blocked Passcode Changes and Account Changes.

When they try to disable any of these services, the option will be greyed out.

When someone (including myself) tries to undo this in Screen Time, I'll have to enter the passcode.

Feel free to try this out and let me know if you secure any other settings!
Easy to bypass:

 
Unfortunately, it's not helpful against the kind of attack that's being discussed a lot lately, which is a mugging combined with a forced phone passcode reveal, i.e. armed identity theft. Really nothing (keys, screen time, recovery codes, whatever) is especially helpful against that at the current stage other than getting away from iCloud as much as possible and minimizing the amount of ways an attacker could hurt you if they controlled your phone (and by proxy your iCloud account). Assume if you get mugged that a competent thief now will lock you out ASAP and probably wipe all your associated devices remotely to slow you down. To me that means:
  • Keep anything of value off the iCloud Keychain, including passkeys. I would even avoid having a third party password manager on your phone. Log in to things once and rely on FaceID as much as possible.
  • Regular non-iCloud backups are a must
  • Keep anything sensitive like email or banking off the phone unless it's protected by app-specific passwords. Try resetting your FaceID and seeing if your app logs you out or just accepts your new FaceID. Even better still is if you can log out of the apps and only unlock them with security keys that you only have in safe locations (i.e. not on your keychain).
  • Probably avoid an Apple Card and that new savings account
  • Maybe email the purchase records of your Apple devices to a trusted friend - Apple seems to care about that a lot
Basically, try to use your phone as much like a phone as possible and not the keys to your entire life. Is that paranoid? Maybe, ever since I learned that passcode demands were becoming common in armed robberies it's been a thought experiment that I've spent a lot of time with.

I get why Apple made the phone/passcode combo so powerful - normies were constantly harassing Apple Store employees after they forgot their iCloud passwords - but it's kinda BS that those of us who are more security-conscious are forced to have this unsolvable threat as a result. I was really hopeful that the security key update would let us lock down our accounts more. Maybe one day.
 
The security keys don't fully protect your Apple ID account. The keys are useless in protecting your Apple ID account if someone knows your phone passcode and takes control of your phone.
Exactly. This happened to me. A passcode you sometimes use on the street should never be the same code used to reset the Apple ID password. Just too easy to snoop. The Screen Time trick will help a bit, but as much as I can now I'm only leaving the house with Apple Watch + Cellular.
 
Very good tips. I will never use iCloud Keychain for this reason.
 
Happy to see discussion around the security risks associated with passcodes. Hopefully there is a solution in the works for improving the state of things. It should be possible to lock down destructive actions like account changes.
 
Was going to do it but only have one key. I think it's stupid that you need two lol
You might want to get them in pairs: even if you take good care of it and never lose it, there is always a tiny chance of a malfunction or manufacturing defect wiping it out, out of the blue. And all these security measures have the unfortunate side effect (though sometimes intended by the corporations) of making account security your responsibility. Going through account recovery can be an ordeal as, for example, some Google users (or ex-users) can confirm.

And the whole point of the token's safety is that it can't be circumvented, so once you use hardware tokens you should really work with the assumption that you yourself need to make provisions for your own account recovery, which is what a secondary token would be meant for. And it's really good that Apple makes this mandatory, otherwise users will inevitably shoot themselves in the foot.

U2F is a must for major services like:
iCloud - don't use anything beyond the basics, since an Apple account is required to purchase and install apps
Gmail - don't use it
MS Outlook - don't use it except for work where that's not supported
ProtonMail - don't use it
Facebook - don't use it
Twitter - don't use it
1Password - don't use it
Domain Registrars - not yet supported
Hosting Services - not yet supported

Ok then...

Another device to lose, break, or just refuses to work when it's desperately needed.
Yes, but it's completely optional. Most people will never buy a hardware token. You won't accidentally activate it; if you are using hardware tokens you'll have considered the pros and cons and gone out of your way to set it up. At least this one's not being forced on users like 2FA is.

I think Apple's hardware token implementation is great, precisely because they themselves say they can't recover your account if you lose your tokens. That means attackers can't social engineer their way around account protections, which is my no. 1 fear. Because I can't control it if a business' first-level support employee gets tricked into revealing confidential account information. But if they themselves are locked out and only the token can unlock access, then this ups account safety tremendously.
 
I despise those things. One job I had tried to implement them. Mass revolt amongst employees made management back off and they went away.
Sounds like a place that doesn't take security seriously. Users crying over security need educating about the risk the security is mitigating, not just pandering to.
 
I love the concept. Keys should be hardware (at least these keys).

But for some reason I still do not trust it. I remain afraid of losing the key or having it hacked (by any impossible means) or having it not function for some obsolescence reason. It's probably just me, but I do not trust this yet.
 
You might want to get them in pairs: even if you take good care of it and never lose it, there is always a tiny chance of a malfunction or manufacturing defect wiping it out, out of the blue.
Indeed. Flash devices have a finite lifespan. That's just a fact of life.

I'm another veteran of iLok-style software keys, though in my case as a developer using them. Different brand, but same idea. It took a while, but I did eventually have one fail. Didn't matter to me as I had spares, but our customers didn't. We eventually eliminated them. Yubico et al. are in a different league from these types of keys, but they're still flash devices.

If you're following good backup practice, you should have at least three, one of which is at a different location.
 
I’ve had this set up ever since I received my YubiKey 5Cis. I keep one on my car keys just in case, and one in a fireproof safe at home.

My experience overall has been pretty good, and rarely do I ever need to use them since I’m not signing in and out of devices constantly. I also have advanced data protection turned on, too. The only time I recently had to use the key was at work, when trying to sign into music.apple.com on my work computer, and it worked fine. Instead of a code being sent to all my devices, it just simply asks to insert a key. The notification sent to other devices will still let you know that a sign in attempt was done, but that’s it.

I’ve also started using my YubiKeys as my 2FA for every account I can think of, since you can set up the same keys for multiple accounts and services.
 

If your iPhone passcode is compromised, security keys are useless. They can be removed with the phone passcode. In reality a security key should only be removable when the transaction is signed by the security key. IMO: useless feature.
 
Your phone passcode most likely won’t be compromised if you use Face ID in public, or have an alphanumeric passcode where they can’t see what you’re typing from afar. Always be careful in public and shield your device when needing to enter your passcode.
 
Just another way to be permanently locked out of your Apple account. You need at least three of these keys; keeping one at home means two keys can be lost if you need to quickly flee your home. See computer backup strategies, where at least one backup needs to be stored off site.
 
Tried to use it but two issues:

- You need 2 of them because apparently Apple can't provide a reset emergency code like everyone else.

- If you happen to have an old device like I have my 6S Plus as an audiobook device for the beach, you neither can use security keys nor can you encrypt your iCloud backup.

Well, there goes that
 
Unfortunately there are HD security cameras all around us every day. You never know if a camera is capturing you, and whether the operator of that camera is part of this theft ring. Cameras could capture anything you type in, especially since you can't turn off the character preview when typing in an alphanumeric passcode on the Lock Screen. Apple shows an enlarged character above the keyboard for each alphanumeric character you type in, making it even easier to snoop.
 