Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,477
30,703


With the launch of iOS 16.3 and macOS 13.2 Ventura, Apple added Security Keys for the Apple ID, offering a more robust way to protect your Apple account and everything associated with your Apple account.

yubico-5c-nfc.jpg

A Security Key is a physical device that works with two-factor authentication. Instead of using a code generated by a secondary Apple device for authentication, when you log into your Apple ID on another device after setting up Security Keys, you need to authenticate through a physical key that's actually plugged in to your device.

You can use any FIDO Certified security key to activate the feature, and Apple recommends the YubiKey 5C NFC and the YubiKey 5Ci, two devices sold by Yubico. Yubico sent me a pair of its security keys so that I could try them out with Apple's Security Key function.

yubikey-close-up.jpg

The YubiKey 5Ci has a USB-C connector and a Lightning connector so that it can be plugged into iPhones, iPads, Macs, and other devices that use these connectors, while the YubiKey 5C NFC has a USB-C connector and the ability to interface with NFC-enabled devices.

With Apple eliminating the Lightning port in the iPhone this year and because I don't own any devices without NFC, I opted for the YubiKey 5C NFC for futureproofing, but if you plan to have an iPhone or an iPad with a Lightning port for an extended period of time, the 5Ci might be the better option if you're interested in using Security Keys.

yubikey-in-hand-size.jpg

Security Keys can be set up on the iPhone, iPad, or Mac. Note that whatever security key product you pick, you have to have two, not just one. Apple requires dual security keys for redundancy purposes, and Yubico recommends a pair as well. The reason for this is because if you lose your physical security key, if you don't have another in a safe place, you're going to lose access to your Apple ID. You're going to want to store the Security Keys in two separate locations.

On an iOS device or Mac, Security Keys can be enabled through the Password and Security section of the Settings app. Before you can add a Security Key, you need to sign out of all inactive devices, which includes devices that you have not used in the last 90 days. Older devices won't support Security Keys at all.

I had to go through this process, and I want to note that it didn't quite work properly (which is not the YubiKey's fault). Apple's process signed me out of the unsupported devices or devices I had not logged into, but then the Security Keys setup would not progress. I swapped over to the Mac to continue, and had better luck.

yubico-5c-nfc.jpg

The setup process required me to connect the security key, which I did using USB-C, and then I had to press on the key to get the Mac to recognize it. Apple had me give it a name, and then repeat the process to add the second security key.

mac-security-key-setup.jpg

After that, I was instructed to review my list of active devices and choose whether to sign out of any of them. There was an option to stay signed in to everything, which is what I selected. Following the setup process, Apple instructed me to store the keys separately and in a safe place, and clarified that I can add additional keys in the future.

apple-security-keys-added-mac.jpg

There's also a single line on the bottom of the setup screen that makes it clear Apple has no way to help access an account that is tied to a security key if both keys are lost, a warning that should probably be in bolder text. Apple sends an email about the Security Key setup process, and in both Mac and iOS settings, I can view my connected Security Keys and remove them.

apple-security-key-login-process-mac.jpg

When I attempt to sign into my Apple ID on a device on the Mac, I'm instructed to insert and activate one of my security keys. This process requires inserting the key into a USB-C port and pressing on it to activate it. I receive notifications across all of my devices when a login attempt is made.

security-key-login-apple-id.jpg

On an iPhone, the login process is similar, but the YubiKey needs to be held near the iPhone's NFC reader (the top of the device) and activated for authentication. In general, it's a simple process on every Mac, iPhone, and iPad I've tested it with. All of my devices are running iOS 16.3 or later or macOS Ventura 13.2 or later, and they all support USB-C or NFC. On devices that are not updated or do not support USB-C/NFC, the process might not be as seamless and could require adapters.

apple-id-login-warning.jpg

My major worry activating Security Keys is that I'm going to lose one. YubiKeys and other security keys are small, unobtrusive, and easy to lose since they're designed to be kept secret and hidden. The YubiKey has a hole at the top for a keyring, so I'm going to add a keyring to one that will remain in a secure place in my office, and the second will go somewhere safer.

Two-factor authentication with a physical security key is more secure than authentication with a digital code, according to Apple, but it's a little riskier. I can't track my YubiKeys if they're lost, but I can track down all my secondary Apple devices if I should lose one and need it for a code. That said, the authentication process is super easy, and it's even quicker than getting a code from another Apple device.

yubikey-authenticator-app.jpg

YubiKeys don't need to charge and seem to be durable so far based on anecdotal reports from YubiKey users, which is good because I'm also worried about breaking one. Ultimately, I think I may add a third key to my account just for another layer of protection, since there's little chance I'll lose or break three at one time. There's an IP68 water resistance rating so it can hold up to liquid immersion, and it has a storage temperature of -4 °F to 185 °F.

You won't need an app to use a YubiKey for some services (like with an Apple ID or Twitter), but for others, the Yubico Authenticator will need to be installed. The Yubico Authenticator is like Google Authenticator or Authy, generating a code that uses the YubiKey.

twitter-security-keys.jpg

I was not able to set up the YubiKey with Instagram because Instagram's authentication process plus the Yubico app simply would not work. The app would not recognize the key, so be aware that there may be some troubleshooting involved. There are limitations with the YubiKey in terms of supported accounts. It can store up to 25 FIDO2 credentials for password-free logins, two OTP credentials, 32 OATH credentials for one-time passwords (when paired with the Yubico Authenticator), and an unlimited number of U2F credentials. If you have more than 32 accounts where you need one-time passwords, the YubiKey might not be the best solution because it only works with 32 logins.

yubikey-front-and-back.jpg

In addition to an Apple ID, the YubiKey works with other websites and services with two-factor authentication. Google, Microsoft, 1Password, LastPass, Facebook, Twitter, Instagram, bitcoin wallets, government accounts, and a bunch more are all supported.

Bottom Line

If you're aiming to better secure your Apple ID through physical authentication using the Security Keys feature, the YubiKey series is worth looking at. It offers better protection than you'll get through digital codes, but it is expensive and there are some limitations to be aware of if you want a multi-purpose physical authenticator.

How to Buy

The YubiKey 5C NFC that I used in this review is priced at $55, and it can be purchased from the Yubico website. The YubiKey 5Ci with Lightning connector and USB-C connector is priced at $75.

Article Link: Review: Yubico's 5C NFC YubiKey Works Well With Apple's Security Keys Feature
 
  • Like
Reactions: Jay-Jacob

timestride

macrumors newbie
May 30, 2019
10
57
Recently got on the YubiKey train and they work great. One thing that continues to be a disappointment regarding Apple is how easy it is change your Apple ID password. While the physical hardware key keeps other people from logging into your account, it does not actually protect changing your Apple ID password on your actual device. All you need is your pin, and frankly that is not enough. I wish they would require at least your full Apple ID password or a 2nd factor like a YubiKey in order to change.
 

Hogswarts

macrumors member
Feb 13, 2022
86
237
I tried the same yubikeys and went back to the old way of Apple’s 2FA. I kept getting prompted for a security key that was stashed in another part of the house. I don’t want to carry—and guard—yet another device when I travel. iPhone failure on the road? You’re going to need a key with you to activate a replacement iPhone. I’m sure keys are the best choice for Apple to control access to its intellectual property, but for average users I wouldn’t recommend.
 

Tune

macrumors newbie
Dec 8, 2022
4
13
Apple is trying to get rid of your wallet and keyring. These keys seem like a step backwards.
What is this stupid obsession apple users have with not wanting to carry stuff? You really want to get rid of all your physical things and trade it for software based crap so that way apple can come along a few years down the road and monetize your access with yet another subscription. You know they will try at some point too!
 

Roadster Lewis

macrumors 6502
Apr 27, 2021
290
356
Coventry, UK
I had been considering getting a couple of these, but didn’t realise that they only work on the very latest macOS. I still have a 2025 12” MacBook that I use occasionally.
 
  • Like
Reactions: addamas

Big Pete

macrumors newbie
Oct 18, 2008
2
2
I bought 2 YubiKeys which worked well with my iPhone and iPad. But then I could no longer use the iCloud for Windows app on my PC. So I've removed my YubiKeys until such time as Apple update iCloud for Windows app.
 
  • Like
Reactions: onenorth

twocents

macrumors 6502
Mar 31, 2016
425
2,101
California, USA
I thought the same thing. Is this a security risk somehow?

Also, I would most definitely buy three of these because the stakes of losing access are really really high.
I got three yubikeys, with one on my carkeys, another on a lanyard and the third permanently on my imac

Great experience thus far and looks to cover all possible scenarios that I have come across
 

ZZ9pluralZalpha

macrumors regular
May 28, 2014
244
369
What is this stupid obsession apple users have with not wanting to carry stuff? You really want to get rid of all your physical things and trade it for software based crap so that way apple can come along a few years down the road and monetize your access with yet another subscription. You know they will try at some point too!
Even setting aside the apparent preference for a George Costanza wallet, an iPhone or Apple Watch is a multi-purpose device that is locked with biometric authentication or wrist monitoring (with a very strong passcode) and can be remotely disabled or wiped if lost or stolen. A Yubikey is an additional item that does not have any built-in protection against use by unauthorized parties, visually announces that it is a key guarding something valuable, and is still dependent on software/services which could decide to introduce usage fees. In my view, having my existing devices act as 2FA for each other still wins out over adding a Yubikey to the mix, just as having my password manager app generate time-dependent passcodes is preferable to bringing back the old SecurID keychain fobs.
 

needsomecoffee

macrumors 6502
May 6, 2008
430
940
Seattle
I have been arguing with USAA for years now to support FIDO (they have good phone-based customer support). Based on forum comments on this topic I am not alone. I use three different banks (2 banks, 1 S&L). None support FIDO althought the S&L has their own hardware key. It appears this is common for banks and S&Ls. WTH. Does anyone know why banks (which I think for most consumers are the most important login) REFUSE to support FIDO ?? USAA forces one to use 2FA via mobile phones... Yeah super secure USAA. Appreciate your insights.
 

ypl

macrumors newbie
Jan 30, 2022
27
30
Recently got on the YubiKey train and they work great. One thing that continues to be a disappointment regarding Apple is how easy it is change your Apple ID password. While the physical hardware key keeps other people from logging into your account, it does not actually protect changing your Apple ID password on your actual device. All you need is your pin, and frankly that is not enough. I wish they would require at least your full Apple ID password or a 2nd factor like a YubiKey in order to change.
Same story. Feeling safe for 2nd step of 2FA (3 Yubikeys in three different locations).
But - their approach to 1st step of 2FA (password) is a shame indeed. Changing password should be allowed only by providing old password, using security key or recovery key. What's the point of having high level of security for 2nd step, while keeping 1st step so weak at the same time.
 

CarAnalogy

macrumors 601
Jun 9, 2021
4,191
7,719
Apple is trying to get rid of your wallet and keyring. These keys seem like a step backwards.

Kind of. But in a way digital security was a step backwards since physical objects can be secured in a way digital things can’t. This isn’t for everyone but for those that need it, there’s not really any better solution that anyone has come up with.
 

Joe Mac User

macrumors member
Sep 15, 2004
79
141
Houston, TX
With Apple eliminating the Lightning port in the iPhone this year
🥸

Uh huh.

I find this fascinating. In the pro music world, we have been forced to use products like iLok, which most people hate and don’t trust because of potential loss or failure of the device. Now general users are being encouraged to use a hardware key to authenticate themselves. Hmmm.
 

ttyRazor

macrumors regular
Sep 24, 2019
227
352
Recently got on the YubiKey train and they work great. One thing that continues to be a disappointment regarding Apple is how easy it is change your Apple ID password. While the physical hardware key keeps other people from logging into your account, it does not actually protect changing your Apple ID password on your actual device. All you need is your pin, and frankly that is not enough. I wish they would require at least your full Apple ID password or a 2nd factor like a YubiKey in order to change.
That’s the one thing I would have gotten a pair for, and I’m surprised it isn’t required for password changes or similar settings, or at least an option. You need both the key and the password to log into a new device once this is enabled, right?
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.