You have 2 of those security keys. You keep one on yourself like house keys and one in a safe location (like in your safe or inside your favorite pair of Air Jordan). You also need to keep a set of (10) backup keys in case you lost both keys.
The downside to keeping your backup key in a less than convenient location is that people may become lax in registering the backup key when signing up with their primary key at some new service/website/etc.
The scenario I am thinking is lising phone with like EDP activated but old iPhone SE (wifi only) can not access the iCloud services you’ve chosen to encrypt.
They are based on the same technology. You can think of Passkeys as a software-based implementation of what FIDO hardware keys do, with additional features such as cloud-based syncing across multiple devices and recovery. Hardware keys have a higher security standard because they cannot be duplicated and the key material cannot be extracted by normal means.
I've been using Yubikeys for several years and never had one fail. Of course they could be physically damaged or you could lose one, so backups are required. Personally I have one on my key chain, one is permanently plugged into my computer, and I keep one as an additional backup in a safe place. All but one of the services I use them for allow to register 3 or more keys (the exception is Bank of America which only allows 2).
I have one 5C (the small one without NFC) which is permanently plugged into my keyboard, the rest are 5C NFCs (I also have a few old USB-A keys but don't use them anymore). I'm not a fan of the 5Ci's design either (not to mention the price) and wouldn't recommend it unless you need to use it on an iPad with Lightning port.
No. I don't think they make much sense.
Simple. Maintain current standards and implementations, including sms verification.
I guess my question is, with this implementation, does enabling the hardware key for iCloud login disable other backup auth methods? Or is it user choice and we can select to continue to allow other devices or SMS auth?
Not enough detail at the moment. But I do wish they don’t just auto disable all other backup methods and leave hardware key as the only way, as that would be a direct contradiction of the principle of security system: regulate access.
And it would encourage new hardware purchases. That old iPad laying around the house would become a paperweight.
developers.yubico.com
Thank you.WebAuthn
Note that logging into Mac wouldn't use FIDO2/WebAuthn but the above describes the process that most sites including what the iCloud MFA Hardware Implementation process would use.
youbikey works over NFC, no need to plug it in. Both lastpass and bitwarden work with youbikey NFC. Only reason you'd have to plug in a youbikey is on a ipad because for some reason apple just can't figure out NFC on ipad.
The confusion is caused by the fact that the black Yubikeys support multiple applications. FIDO and FIDO2 (which are used for Webauthn) are two of them. Additionally they support OTP (a Yubico-proprietary form of one-time codes), PIV (a US government authentication standard), OpenPGP, and OATH (standard TOTP one-time codes). The virtual keyboard thing is only relevant for the OTP application, which is not used for Webauthn (or Apple's new hardware key support). You can en-/disable individual applications on the key using a Yubico utility.
