If your iPhone passcode is compromised... security keys are useless. They can be removed with the phone password.
That is not entirely correct: Imagine an attacker gets access to the victim's iPhone and passcode, but they couldn't disable the tokens, which is what you want. Since you are logged into your Apple ID account on said iPhone, the attacker can access all your data, iCloud and local, wipe devices through Find My, and so on. This can always be done regardless of whether tokens are implemented Apple's way or your way.

However, I do admit that it will make account recovery much harder, if the tokens remained active you could always prove that you are the account owner. Apple's implementation turns your iPhone into another token.

This might make sense: Imagine you have the first token on your keychain or in your backpack or purse etc., and the second in a safe at home. You are at home and a fire breaks out and the only escape is through the window. The house including safe burns down. What are you most likely to have on you? Your iPhone, in your pocket.

So it would make sense that your passcode-protected Apple devices remain as the final recovery possibility. Apple's threat model just doesn't seem to include attackers that know your passcode. Which seems fair to me, although it's obviously not how it works in the real world. However, attacks where the passcode is spied on are not exactly common.

It would be best if Apple offered users a choice: Should the iPhone act as a token itself? Or should it behave the way you want it to? Personally, I'd certainly switch it over to how you'd prefer it as well. But I am sure many users will prefer Apple's way. That's my main issue with Apple, they only ever do it their way and you can take it or leave it.

Perfect way for people who don’t want family, relatives etc. to get into their devices after they passed on.
How so? If you die unexpectedly you probably didn't get a chance to wipe your keys. And if you did, you could just as well have wiped the devices instead of the keys.
 
That is not entirely correct: Imagine an attacker gets access to the victim's iPhone and passcode, but they couldn't disable the tokens, which is what you want. Since you are logged into your Apple ID account on said iPhone, the attacker can access all your data, iCloud and local, wipe devices through Find My, and so on. This can always be done regardless of whether tokens are implemented Apple's way or your way.

Tokens? You mean the security keys? If someone has possession of your phone and your passcode, they can remove all the security keys and recovery keys/contacts from your Apple ID/iCloud account.
 
How so? If you die unexpectedly you probably didn't get a chance to wipe your keys. And if you did, you could just as well have wiped the devices instead of the keys.
Sure, unexpected death is always an issue 😆
Otherwise, the devices could be reused if the owner deleted it prior to death. If the owner doesn't want relatives to get into their devices, they are maybe not so interested in them using their devices either. So without the key they can't.
Just a speculation on my behalf though. But I've seen and heard a lot of variations of how people leave this world.
 
Sounds like a place that doesn't take security seriously. Users crying over security need educating about the risk the security is mitigating, not just pandering to.
A place that had their ass handed to them in a lawsuit, who suddenly discovered the need to be able to access information immediately, to keep people from dying, RIGHT NOW, instead of ducking around and screaming “where’s the key!” was more important than “muh security.”

Yes someone died because it took too long to find the key.

The keys will never return.

Security THEATER, and that is what keys are, is stupid beyond measure. Large organizational IT is full of midwits who think they’re gods, who scoff at the petty concerns of the people on the ground who do real work. IT can go to hell.
 

Marvin and Mike, thanks for setting me straight and providing this bit of extra knowledge.

I am going to shoot myself down. Screen Time is not the answer even with ID Recovery key set, and with "Recover screen time password with Apple ID" disabled. Though it does put some more obstacles in the thief’s path. Maybe some less knowledgeable thieves would be stopped. Some options to the sequence below put some delay in the Recovery process but the sequence below leads to instant break in.

I just went through these steps:

  1. Screen Time settings > Change Screen Time passcode.
  2. Click Forgot Passcode.
  3. Enter Apple ID email but not password... click forgot Apple ID password.
  4. This produces a screen asking for the iPhone Passcode, which the thief has. Entering the Passcode leads to a screen to enter a new Apple ID password.
Anyone can test these steps themselves... no harm is done... you can cancel out at the end before entering your new Apple ID password.

It amazes me that Apple would make it this easy to bypass since they have it set to lock down the device after 10 failed screen time pwd attempts. At least make them do the 10 attempts, make them wait at least an hour, or two, before offering to reset the password. That'll at least give me a fighting chance to lock it down myself if stolen.

I still plan to keep the extra screen time passcode in place even if it just slows down the thief, or prevents some less knowledgeable thief, as you say, from getting in. Every little bit helps.
 
I used to do that before there was Touch ID. Back then I didn’t have anything critical on the phone anyway. That’s less than ten years ago, I now realize. Touch ID was introduced in fall 2013. Different times.
This is what has intensified over the last 10 years or so...
Your mobile phone nowadays is made up of all the really critical things you need and care for so much.
From beloved pictures to banking accounts, all sorts of digital IDs, keychains... etc. etc. etc. It is getting scary... a passcode with "biometrics" as a "quick-access" is not good enough. Thief knows the passcode? You're in for a ride...
 
Tokens? You mean the security keys?
Yes, keys and tokens are the same thing. Token is less ambiguous and that's how it is commonly called in IT sec.

If someone has possession of your phone and your passcode, they can remove all the security keys and recovery keys/contacts from your Apple ID/iCloud account.
Yes, but as long as they do not have possession of both your iPhone and passcode, the tokens still protect against various attacks such as trying to social engineer Apple support. Once they have access to the iPhone, they can access both your local iPhone and iCloud data regardless of the token status.
 
Geez. let's make this even more complicated. Passkeys, passwords, security keys, passcodes. When will it end?
 
Unfortunately there are HD security cameras all around us everyday. You never know if a camera is capturing you, and the operator of that camera is part of this theft ring. Cameras could capture anything you type in. Especially since you can't turn off the character preview when typing in an alphanumeric passcode on the Lock Screen. Apple shows an enlarged character above the keyboard for each alphanumeric character you type in. Making it even easier to snoop.
Right, hence covering your screen as I said. You never know who’s watching. Touch ID/Face ID is the best solution, so make sure it’s trained well.
 
I despise those things. One job I had tried to implement them. Mass revolt amongst employees made management back off and they went away.
2FA using your phone and an app like Duo is just as secure and SOOOO much more convenient. These keys should only be used in situations where you can't use a smartphone to 2FA.
 
Right, hence covering your screen as I said. You never know who’s watching. Touch ID/Face ID is the best solution, so make sure it’s trained well.

This sounds like saying "Don't worry about your car not having seat belts. Just avoid crashing!" The whole point is to allow users the option of creating an effective next line of defense. You don't have to use your seatbelt. But it would be nice if Apple allowed those of us who want to use a different password for unlocking our screen and unlocking our KeyChain / Apple Pay etc.

2FA using your phone and an app like Duo is just as secure and SOOOO much more convenient. These keys should only be used in situations where you can't use a smartphone to 2FA.

Any 2FA that uses the phone itself (sms, email, app generated codes, etc) is compromised when the phone is compromised. Some people prefer the convenience of having the 2FA on their phone. It would be nice if there was also the option of having it on a separate device.
 
Perfect way for people who don’t want family, relatives etc. to get into their devices after they passed on.

How to add a Legacy Contact for your Apple ID

(I'm not 100% sure how it works with a security key but it likely is a non-issue)
 

How Do Security Keys Work?

With a security key enabled, signing into an Apple ID requires entering your account's password and then using a security key to complete the two-factor authentication process, instead of the traditional six-digit verification code that is sent to another Apple device signed into the same account.
This is incorrect: the verification code is sent to the requesting device as well (thereby completely negating the 2FA design, but I digress)
 
I cannot tell you how many flash drives I have misplaced over the years, so I fear losing my security key and then I'm really screwed without anyone having to steal my device.

Am I missing something with this approach? How do the thieves bypass my second Screen Time PIN without trying to crack the 4-digit PIN? Is there a back door? I realize that it could take time to methodically run through the 10,000 combinations. Not the most secure, I agree, but if it slows them down long enough for me to take action, then it's better than no security key and no password.

I'm just asking because I want to learn and know what I am up against.
Someone already answered this, but Apple needs additional steps to protect the AppleID. Some possibilities. Some/all could be optional:

1. 72 hour delay period before you are locked out - so you could back out of it from a different Apple Device, e.g. iPad.
2. Require FaceID/TouchID in addition to the password to reset it. And/or require the old password be entered to reset it.
3. Require confirmation on a different logged in Apple device, so it can't be done from the stolen device.
4. Sign phone out of iCloud for the paired iPhone from the Watch.
5. Or allow you to lock the paired phone from the Watch so that it needs a password AND confirmation from a different Apple device before they can do anything.

:)
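To make the proposal concrete, here is an added example (not Apple's code and not from the original post) that models items 1 and 3 of the list together: a password reset started from one signed-in device stays pending for 72 hours, must be confirmed from a different trusted device, and can be aborted from any trusted device during the delay. Device names and the `AccountRecovery` class are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

DELAY_SECONDS = 72 * 3600  # 72-hour cooling-off period proposed in the thread


@dataclass
class ResetRequest:
    requested_by: str            # device that started the reset
    requested_at: float          # epoch seconds
    approved_by: Optional[str] = None
    cancelled: bool = False


class AccountRecovery:
    """Hypothetical model: a stolen, unlocked device cannot finish a reset alone."""

    def __init__(self, trusted_devices):
        self.trusted = set(trusted_devices)   # devices signed in to the account
        self.pending: Optional[ResetRequest] = None

    def request_reset(self, device: str, now: float) -> ResetRequest:
        # Only a signed-in device may start a reset (the thief's phone qualifies).
        if device not in self.trusted:
            raise PermissionError("reset must start from a signed-in device")
        self.pending = ResetRequest(device, now)
        return self.pending

    def cancel(self, device: str) -> bool:
        # Any trusted device, e.g. the iPad at home, can abort during the delay.
        if self.pending is not None and device in self.trusted:
            self.pending.cancelled = True
            return True
        return False

    def approve(self, device: str) -> bool:
        # Confirmation must come from a device other than the requesting one,
        # so the stolen phone cannot approve its own request.
        p = self.pending
        if p is not None and device in self.trusted and device != p.requested_by:
            p.approved_by = device
            return True
        return False

    def can_finalize(self, now: float) -> bool:
        # Both conditions: out-of-band approval and the full delay elapsed.
        p = self.pending
        if p is None or p.cancelled or p.approved_by is None:
            return False
        return now - p.requested_at >= DELAY_SECONDS
```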
 
Someone already answered this, but Apple needs additional steps to protect the AppleID. Some possibilities. Some/all could be optional:

1. 72 hour delay period before you are locked out - so you could back out of it from a different Apple Device, e.g. iPad.
2. Require FaceID/TouchID in addition to the password to reset it. And/or require the old password be entered to reset it.
3. Require confirmation on a different logged in Apple device, so it can't be done from the stolen device.
4. Sign phone out of iCloud for the paired iPhone from the Watch.
5. Or allow you to lock the paired phone from the Watch so that it needs a password AND confirmation from a different Apple device before they can do anything.

:)
Also add having to verify 3 security questions and 3 emergency contacts with their full names. No way the thief would be able to verify these. I like the 3-day wait period, which provides the victim plenty of time to recover.

I would add that I wouldn't mind even using a physical Yubi device to unlock my iPhone 📱 for ultra security. I don't have a problem losing stuff and I would keep a few spares in hidden places.
 
Also add having to verify 3 security questions and 3 emergency contacts with their full names. No way the thief would be able to verify these. I like the 3-day wait period, which provides the victim plenty of time to recover.

I would add that I wouldn't mind even using a physical Yubi device to unlock my iPhone 📱 for ultra security. I don't have a problem losing stuff and I would keep a few spares in hidden places.
Or use a YubiKey in order to change the passcode or make changes to the iCloud account.
 