I welcome this but at the same time feel like it’s worth waiting on buying a couple yubi keys until the iPhone migrates to USB C. No need to deal with special iPhone specific keys with a connector that's being phased out when you could just buy some that work on all your devices.
Yubi Keys also support RFID/NFC and have been working with iPhones for a few years now.
 
does enabling Security Keys disable the horribly insecure SMS fallback option for two factor authentication?

One would assume so based on the new splash screen.
 
It was a breeze adding my two Yubikey 5 NFC security keys. I have one model with USB-A and one with USB-C. Enjoy the added security this adds. My Apple ID is protecting so many critical things in my life at this point, so this added barrier of having to authenticate with a physical security key when logging in on unrecognised devices is a great addition.

I still can't enable Enhanced Data Protection for whatever reason. It doesn't seem like this feature is available in Norway yet.
It’s only launched for US based accounts; the rest of us get it sometime in early 2023.
 
I welcome this but at the same time feel like it’s worth waiting on buying a couple yubi keys until the iPhone migrates to USB C. No need to deal with special iPhone specific keys with a connector that's being phased out when you could just buy some that work on all your devices.
Why not use Yubikey NFC?
 
I hope not, but rather take priorities.
What if the physical key is lost or damaged?
Permanently lock yourself out of the account?
I hope they give the option then. The security keys are useless because SMS is a horrible and insecure way for 2FA and a backup.

You should have your backup key in a safe spot for this type of emergency.
 
It looks like an opportunity for Apple to start making these keys and selling them. One way to offset lost Lightning cable revenue, I guess.
 
I hope they give the option then. The security keys are useless because SMS is a horrible and insecure way for 2FA and a backup.

You should have your backup key in a safe spot for this type of emergency.
A backup key should also be with you, or at least within reach. What if you travel and only carry one key and that key is lost? You would not really lose access to your account immediately, I'd assume, but it would be pretty bad.

The main purpose of security is always restricting access to everyone else who is not supposed to have access, while maintaining unrestricted access for the right entity. If it fails that purpose, then the security system has failed.

We will see how Apple implements this in due time.
 
You should set up more than one if it is your only way in. Yubikey allows for this.
It’s not Yubikey that allows it, it’s the individual sites.

For example, when Twitter added hardware token support, they only allowed a single key to be registered. Most sites now allow you to register multiple keys, at least one of which you should save some place secure.
 
Can't come soon enough. Does anyone actually enjoy getting 6 digit SMS messages?
I use the SMS messages all the time. Besides, I had a nightmare scenario a while back with Apple's previously-awful 2FA system (before SMS fallback) where I was unable to get into my account because the "trusted" Apple device on the account was my old iPad 2 which is MIA. I had to get the issue resolved through customer support and could not access my account at all in the meantime. Sounds similar to the other poster I quoted below.

Since 2FA is an absolute nightmare when the trusted iPhone is lost, bricked or stolen, having a physical key instead is a very welcome change.
I'm confused. I've been following the news about Apple introducing Passkeys. Does this whole "physical security key" thing work in conjunction with Passkeys, or is this a totally separate thing?

This seems like it would be a step back in some ways. I don't like the idea of using a physical object to keep my accounts secure, especially since multiple people have commented about how their Yubikeys broke. Then other people are saying you should set up two just in case one breaks...why not set up three or four or five? Where would it end? That's like saying you should buy two computers in case one fails. If it's something important and these things are prone to failing, maybe people shouldn't be using them...
 
Then other people are saying you should set up two just in case one breaks...why not set up three or four or five? Where would it end? That's like saying you should buy two computers in case one fails. If it's something important and these things are prone to failing, maybe people shouldn't be using them...
You only need two hardware keys, one for primary use, one for backup. With Apple's proposed implementation, most people might be able to get away with one key. If one or even both are destroyed, turn off hardware key auth on a trusted device until you secure new ones, then re-enable it. Quick, easy.
 
I never used one. What happens when the dongle gets lost or damaged? You lose access to the account or files forever?
Other sources indicate that completing setup requires that you have two dongles/physical keys, so you will always have a backup. Folks working with military or corporate research data may be familiar with insertable cards, or dongles that display a 6-digit code that changes every minute or two (or similar). I've had to replace these in the past (on Windows), but it's been 5 or more years ago. I believe the changeover from an expired/dead/damaged card or dongle required downloading some bit of code from a corporate IT website (server at an off-site location). Unsure how Apple will handle issues with the dongle (assume that would be handled by technical support at the dongle manufacturer).

One of the major suppliers of changing numeric code key fobs had a big security lapse maybe 7-10 years ago. Non-US support folks had access to servers that were synchronized with the key fobs. It resulted in a very expensive replacement of the key fobs and codes by the acquiring company (VMware, I think). I remember a huge number of FedEx mailers containing new key fobs; cannot remember the process for changing over from old to new key fobs. Believe that the codes and servers were exposed when IT staff changed due to acquisition of the key fob provider. I think the prior owner of the key fob company was EMC, and before that RSA SecurID(?) Not sure that any of these companies still provide similar products; I think they marketed mostly to corporations. I found this, some of these look familiar, but the price seems much too high for the home user. securid token (google search)

Looks like RSA SecurID has changed hands a few more times over the years:
 
I'm confused. I've been following the news about Apple introducing Passkeys. Does this whole "physical security key" thing work in conjunction with Passkeys, or is this a totally separate thing?
From my understanding, it’s the same standard.

Passkeys are just a virtual security key located on Apple devices. Having the physical keys is better and more secure in some respects. Other platforms, like 1Password and Microsoft Authenticator, will also offer the virtual security keys.

At the same time, Apple is now enabling these security keys (virtual or physical) to sign into Apple IDs.

However, I believe this was already possible in some ways. If you go to an online Apple service on Safari while signed into iCloud on the OS, you can use TouchID (for example) to automatically sign into the same Apple ID on the website. This limited functionality has been around for a while.
 
A backup key should also be with you, or at least within reach. What if you travel and only carry one key and that key is lost? You would not really lose access to your account immediately, I'd assume, but it would be pretty bad.

The main purpose of security is always restricting access to everyone else who is not supposed to have access, while maintaining unrestricted access for the right entity. If it fails that purpose, then the security system has failed.

We will see how Apple implements this in due time.
That’s why I said an option. The world is full of “what ifs”; this is why I make a plan ahead of time for emergencies.

My wife, kids, parents, and in-laws all have each other's backup code/key in the 1Password family vault that the family shares. We all have each other set as Account Recovery in iCloud.

Assuming we have multiple hardware keys for each account, we will have spare keys at each other's houses.
I don’t want SMS as a backup, I want the option to turn it off. SMS is extremely weak.
 
That’s why I said an option. The world is full of “what ifs”; this is why I make a plan ahead of time for emergencies.

My wife, kids, parents, and in-laws all have each other's backup code/key in the 1Password family vault that the family shares. We all have each other set as Account Recovery in iCloud.

Assuming we have multiple hardware keys for each account, we will have spare keys at each other's houses.
I don’t want SMS as a backup, I want the option to turn it off. SMS is extremely weak.
I already use Yubikeys for any account that will take it. I have 5 of them total:

  • 1 around my neck on a dog-chain style necklace.
  • 1 attached permanently to a USB-C port on my docking hub.
  • 2 in different safes in my house.
  • 1 in a safe at my parents' place.

I started using them when Google allowed people to use Advanced Protection a while ago. I love that it isn't possible to log into my Google account without one of my keys. Likewise for my Login.gov and other important accounts. Except for my stupid bank...which insists on using lame SMS 2-factor.
 
I already use Yubikeys for any account that will take it. I have 5 of them total:

  • 1 around my neck on a dog-chain style necklace.
  • 1 attached permanently to a USB-C port on my docking hub.
  • 2 in different safes in my house.
  • 1 in a safe at my parents' place.

I started using them when Google allowed people to use Advanced Protection a while ago. I love that it isn't possible to log into my Google account without one of my keys. Likewise for my Login.gov and other important accounts. Except for my stupid bank...which insists on using lame SMS 2-factor.
I like your way of thinking. This is how it should be done.
 
I already use Yubikeys for any account that will take it. I have 5 of them total:

  • 1 around my neck on a dog-chain style necklace.
  • 1 attached permanently to a USB-C port on my docking hub.
  • 2 in different safes in my house.
  • 1 in a safe at my parents' place.

I started using them when Google allowed people to use Advanced Protection a while ago. I love that it isn't possible to log into my Google account without one of my keys. Likewise for my Login.gov and other important accounts. Except for my stupid bank...which insists on using lame SMS 2-factor.

I’m in the same camp as @Mr. Heckles and @lordhamster.

I don’t want or need to have a prioritized list of 2FA methods. Some sites I use I can verify by hardware token, software token, phone call, sms, or email. And that’s even at sites that have their own dedicated RSAiD device that I had to purchase. It’s insane.

I keep track of the 2FA method in use via tags in my password manager. By far and away, the slowest uptake of hardware keys has been at some of the accounts most worthy of the protection — financial institutions.
 
I wonder, since EDP is not available on my spare 5SE phone stuck forever in iOS 15 land - but with NFC - whether this would be very nice and may let me enable EDP on it. Of course it’s Lightning only and newer gear (iPad Mini 6 and MacBook Air) have USB C. The beat goes on.
No. The hardware token isn’t the limitation. The device would need to be running iOS 16.
The SMS option is not horribly insecure, as it takes a high amount of effort to abuse this vector.
Not really, unless you are talking SIM swapping. There are point and click phishing deploys. Try it on your friends.
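Both the passkey post above (physical key and passkey are the same FIDO/WebAuthn standard) and the SMS exchange here come down to one property: a WebAuthn assertion is signed over the challenge and the origin the browser recorded, while a six-digit SMS code is bound to nothing. The following added example, which is not from this thread or from Apple, models the relying party's verification checks in Python; the RP ID, origin and credential secret are constructed placeholders, and an HMAC stands in for the security key's ECDSA signature so the example runs on the standard library.

```python
import hashlib
import hmac
import json
import secrets
# Constructed demo relying-party (RP) configuration; "apple.example" is a
# placeholder, not Apple's real RP ID. HMAC stands in for the security key's
# ECDSA signature only so this runs on the standard library.
RP_ID = "apple.example"
EXPECTED_ORIGIN = "https://apple.example"
AUTHENTICATOR_SECRET = b"constructed-demo-credential-secret"

def issue_challenge() -> bytes:
    """RP step 1: a fresh random challenge for each login attempt."""
    return secrets.token_bytes(32)

def authenticator_assert(challenge: bytes, origin: str, rp_id: str) -> dict:
    """Model of what browser + security key produce. The browser fills in
    origin and rp_id from the page that called WebAuthn; the key signs both."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05"  # rpIdHash || flags
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(AUTHENTICATOR_SECRET, to_sign, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def verify_assertion(assertion: dict, expected_challenge: bytes) -> bool:
    """RP step 2: every check must pass, or the login is refused."""
    cd = json.loads(assertion["clientDataJSON"])
    auth_data = assertion["authenticatorData"]
    to_sign = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(AUTHENTICATOR_SECRET, to_sign, hashlib.sha256).digest()
    return (cd.get("type") == "webauthn.get"
            and cd.get("challenge") == expected_challenge.hex()            # not a replay
            and cd.get("origin") == EXPECTED_ORIGIN                         # not another site
            and auth_data[:32] == hashlib.sha256(RP_ID.encode()).digest()  # right RP ID
            and hmac.compare_digest(expected_sig, assertion["signature"]))

def verify_sms_code(submitted: str, sent: str) -> bool:
    """An SMS code carries no origin: the RP cannot tell where it was typed."""
    return hmac.compare_digest(submitted, sent)

def demo():
    challenge = issue_challenge()
    genuine = authenticator_assert(challenge, EXPECTED_ORIGIN, RP_ID)
    # Relayed through a look-alike site: signed over that site's origin, so refused; an SMS code is not.
    relayed = authenticator_assert(challenge, "https://apple-login.example", "apple-login.example")
    return (verify_assertion(genuine, challenge),
            verify_assertion(relayed, challenge),
            verify_sms_code("123456", "123456"))
```

Running `demo()` returns `(True, False, True)`: the genuine assertion passes, the relayed one fails on origin and RP ID even though the challenge and key are valid, and the relayed SMS code is accepted.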
 