iOS 16.3 and macOS Ventura 13.2 Betas Add Support for Physical Apple ID Security Keys

[RamGuy]

It was a breeze adding my two Yubikey 5 NFC security keys. I have one model with USB-A and one with USB-C. Enjoy the added security this adds. My Apple ID is protecting so many critical things in my life at this point, so this added barrier of having to authenticate with a physical security key when logging in on unrecognised devices is a great addition.

I still can't enable Enhanced Data Protection for whatever reason. It doesn't seem like this feature is available in Norway yet.

 

[Rigby]

I'd wait for a USB-C iPhone before even thinking about doing this.

The NFC Yubikeys work just fine with the iPhone (and are more convenient). But iPads with Lightning port are a problem since iPads don't have NFC.

 

[krakenrelease]

I welcome this but at the same time feel like its worth waiting on buying a couple yubi keys until the iPhone migrates to USB C. No need to deal with special iPhone specific keys with a connector that's being phased out when you could just buy some that work on all your devices.

They also have NFC. But it's been hit or miss for me with Yubikey 5c. Probably my key chain I have it in blocks part of the signal. Wish I would have got the 5ci instead (usb c + lightning combo)

 

[Rigby]

They also have NFC. But it's been hit or miss for me with Yubikey 5c. Probably my key chain I have it in blocks part of the signal. Wish I would have got the 5ci instead (usb c + lightning combo)

The key (no pun intended) is to hold it to the right spot on the phone. For my 13 Mini I hold it against the top back edge and it works every time.

 

[Mr. Heckles]

I'd wait for a USB-C iPhone before even thinking about doing this.

Why? You can use NFC also.

 

[6787872]

apple's 2fa is the worst i've ever seen. code + requiring trusted prompt is absurd

 

[stefanski]

I welcome this but at the same time feel like its worth waiting on buying a couple yubi keys until the iPhone migrates to USB C. No need to deal with special iPhone specific keys with a connector that's being phased out when you could just buy some that work on all your devices.

Or you buy a Yubi Key with NFC. Then you don't need any ports. Been using mine for all my Google things and it works flawlessly.

 

[Apple_Robert]

I never used one. What happens when the dongle gets lost or damaged? You lose access to the account or files forever?

Unless you have an alternate option set up, you will be locked out.

 

[killawat]

Can't wait! I'll sure thing jump in!
Any reputable brands to recommend for the key itself?

yubikey 5

 

[ralphthemagi]

I never used one. What happens when the dongle gets lost or damaged? You lose access to the account or files forever?

It depends on the implementation. If the data is encrypted, then yes. If the account is not fully encrypted then it may still be technically possible to reset 2FA.

Most services let you add between two and five security keys, so you can have backups.

With Google Advanced Protection you can set your account to Security Key only. An account reset is still possible, they just make it very difficult.

It's not clear how, exactly, Apple plans to implement this. Currently whether or not account credentials are recoverable depends on whether or not you have Recovery Key set. When you set a Recovery Key it encrypts your account with that key—no 2FA reset is possible if all devices are lost AND the Recovery Key is lost.

 

[Apple_Robert]

Can't wait! I'll sure thing jump in!
Any reputable brands to recommend for the key itself?

Yubico is good. I suggest setting up 2 keys in case 1 is lost or damaged.

 

[Surf Monkey]

It might be nice if Apple would fix HomeKit and the TV App in 16 before moving on to adding more features…

 

[killawat]

It was a breeze adding my two Yubikey 5 NFC security keys.

You heard it here first folks worlds first HW protected iCloud account haha. I'd join you but am not on the beta program ATM.

 

[killawat]

Wish I would have got the 5ci instead (usb c + lightning combo)

5ci doesn't have NFC (although I know you are having trouble with it). Imo the nfc ones are more versatile.

 

[killawat]

I never used one. What happens when the dongle gets lost or damaged? You lose access to the account or files forever?

usually you'll have more than one authenticator setup so just login using the second one. also, this protects logons to the iCloud account from new devices, so existing devices would continue to work fine. you can always add or remove from an existing device.

 

[InuNacho]

Maybe I'm dumb but hasn't the use of physical security nubs been an industry standard for over 30 years?
Why has it taken Apple the security company years to do this?

 

[riverfreak]

I just saw on the Yubi site they seem to have one that is lightning on one end and USB C on the other?

Neat.

The Yubikey 5ci’s are terrible. I’ve had four of them and every single one has broken with just light use — not even on a keychain. They remained functional for a little while but three of the four are now completely dead. Avoid.

The 5Cs (USB-C only) are much more durable.

 

[ralphthemagi]

Maybe I'm dumb but hasn't the use of physical security nubs been an industry standard for over 30 years?
Why has it taken Apple the security company years to do this?

Not the way it's currently implemented. A universal standard for physical security keys, based on truly solid public/private key encryption is relatively new. Before Yubikey there was no standardized solution for average consumers.

There are tons of security fobs out there with broken and worthless encryption. Your average security fob that you might use for building access can be cracked in seconds.

 

[riverfreak]

It was a breeze adding my two Yubikey 5 NFC security keys. I have one model with USB-A and one with USB-C. Enjoy the added security this adds. My Apple ID is protecting so many critical things in my life at this point, so this added barrier of having to authenticate with a physical security key when logging in on unrecognised devices is a great addition.

I still can't enable Enhanced Data Protection for whatever reason. It doesn't seem like this feature is available in Norway yet.

Do you have the option to disable other 2FA methods and ONLY rely on security keys?

 

[compwiz1202]

apple's 2fa is the worst i've ever seen. code + requiring trusted prompt is absurd

Yes others I use just require you to tap Yes or Approve without a code after.

 

[d.cav]

I’m not going to be able to test this myself for a while, does anyone know if NFC-only keys are supported? Ie, if you try to log in on Mac or iPad or web, will scanning the NFC on your iPhone work? The key I’m thinking about is an implanted microchip with FIDO capabilities so simply does not support USB. I hope it will work like approving a sign in on your computer with the MS Authenticator app on your iPhone.

 

[DailySlow]

Can't come soon enough. Does anyone actually enjoy getting 6 digit SMS messages?

Actually, hapoy to have them right now. They CAN be a bit awkward but essential.

 

[DailySlow]

Can't wait! I'll sure thing jump in!
Any reputable brands to recommend for the key itself?

Apple has an entire studio in Cupertino hard at work developing the tech AND a plan for creating the dongles - Apple branded. I say $99. Keychain ring kit $22.95 on Amazon.

 

[DailySlow]

It was a breeze adding my two Yubikey 5 NFC security keys. I have one model with USB-A and one with USB-C. Enjoy the added security this adds. My Apple ID is protecting so many critical things in my life at this point, so this added barrier of having to authenticate with a physical security key when logging in on unrecognised devices is a great addition.

I still can't enable Enhanced Data Protection for whatever reason. It doesn't seem like this feature is available in Norway yet.

I wonder, since EDP is not available on my spare 5SE phone stuck forever in iOS 15 land - but with NFC - this would be very nice and may let me enable EDP on it. Of course it’s lightning only and newer gear (iPad Mini 6 and MacBook AIR ) have USB C. The beat goes on.

 

[coolfactor]

Can't come soon enough. Does anyone actually enjoy getting 6 digit SMS messages?

For the few sites still sending SMS codes, Messages and Safari handle them really well. The code is detected and provided for auto-fill instantly without even leaving the browser.