I have read that if you lost your security key, you can delete it on a trusted iOS device. All you need is your phone's passcode. I have not tried this since I did not buy a security key when I found out about this loophole. The severe iOS passcode flaw enables you to change any iCloud settings, such as changing the iCloud password, deleting the security key (unverified), deleting all recovery keys, and deleting all other trusted devices from the account. All without any 2FA. If someone stole your trusted iPhone and figured out the passcode, they can completely lock you out of your iCloud account, data and purchases. Apple will not help you recover your account. This has happened to a few owners.

I'd like to hear if anyone can delete the security key and change the iCloud password on the trusted device using only the passcode.

Thanks,
Al
I think it's very good for an enterprise environment where there is a service maintaining copies and managing access to devices, but I wouldn't recommend it for anyone else.
If you want to be safe you'll need to have at least one or two copies in a safe that is not in your home, and make sure to test them regularly so that if they stop functioning you can replace them in time.

If you don't take these precautions you run the risk of completely losing access to your account if anything happens to your main YubiKey or if you have a major incident at your home.
Seems like a way to make 2FA even more cumbersome than it already is. Carrying around a USB stick that will eventually die from wear on my keychain? I imagine using it is like going phone-searching when I need 2FA now, just with the difference that the AirTag on my keychain is not as loud and the sound not as easy to detect as Find My on my phone.

I understand the need for security, but the only time 2FA doesn't annoy me more than the feeling of security I get from it is when I log into iCloud from my Mac and the 2FA code pops right up on my screen. I guess I'm not YubiKey's target audience 😂
I tried the same yubikeys and went back to the old way of Apple’s 2FA. I kept getting prompted for a security key that was stashed in another part of the house. I don’t want to carry—and guard—yet another device when I travel. iPhone failure on the road? You’re going to need a key with you to activate a replacement iPhone. I’m sure keys are the best choice for Apple to control access to its intellectual property, but for average users I wouldn’t recommend.
I absolutely agree. I can definitely imagine that for certain folks (e.g., high-profile people, even certain journalists) this kind of security is really a must. However, for many average folks, this is just too much of an inconvenience. I too have pondered over YubiKeys, but I also do not want to have to be tethered to certain physical objects as I go about my daily life. True, I'm pretty much tethered to my Apple Watch, but it serves as more than just a 2FA device. It has many other useful functions.
 
I know I might be in the minority here but…..

$55?!?!?!?? THAT’S OVERPRICED!!!!!!! (LET ALONE YOU NEED TWO SO ITS $110 TOTAL!!!!!!!!!)


If companies want security keys to become the norm for logins, they need to convince the companies that make the security keys to lower the price. I know there are a lot of components needed to make the device secure, but average consumers don't care about that. They want it at an affordable price, like $9.99 (which is the average price of a 1 TB USB drive; at $110, I can buy 10 of those, which is not necessary).
It is quite high priced, especially when you’re required to purchase 2 if using the Apple system. That said, maybe consider that this kind of 2FA is not for most people? I think many people will find it highly inconvenient to have to tag along a physical object whose sole purpose is for 2FA. I can imagine using this in a corporate environment for my corporate work, but not for my personal life.
 
I have a couple of YubiKey 5Cs that I bought three years ago, and my M1 MacBook Air is reluctant to recognise them. They still work fine with a Windows 11 laptop.
 
1. No, Apple has NOT announced they are removing the Lightning port from iPhones. This is fraudulent reporting.

2. Using a hardware key puts yourself in much greater physical danger of being harmed, making it easier for a hacker to get into your account by simply assaulting you and running a standard PIN guessing algorithm.
There is still the fact that the key won't protect you from having your Apple ID password changed. The passcode is all you need to change the Apple ID password, and even remove the key.
I agree with most of that—and of course, we're likely all screwed against really targeted attacks—but it just seems like the security gain from a hardware key is rather minimal in exchange for its inconvenience (true, good security doesn't care about my whiny complaints there) and the additional, if rather inaccessible, attack surface that it does represent. A random pickpocket might not be able to reset my accounts without my password, but I can't do anything either until I retrieve the YubiKey or a backup; worse, it'll cooperate fully with whoever happens to physically possess it, so if I forget it plugged into or near a logged-in terminal, the key won't simply lock itself after some inactive period and I can't send a remote lock command until I get to one of my other keys. Even according to Yubico, the primary difference between a hardware key and a passkey is that passkeys are by default copyable—and that seems like something that could be set to 90+% certainty in software alone, 99+% with hardware integration à la Secure Enclave. (Please correct me if I'm wrong, I'd love to learn!) It's a niche application, but I wouldn't be surprised if Apple closes the gap with some sort of device-to-device authentication—and it would also help drive hardware sales, conveniently…
There seems to be some misconception and cynicism among the commentariat here, but as I wrote above, this is primarily to make phishing more difficult, and phishing is far more common than device theft. And if you lose your phone then you are out of luck even with an OTP generator. The hardware key is just an alternative to the OTP scheme.

None of these solutions are perfect, but we have options and I like having options. I have set up YubiKey for some of my critical accounts but not for my Apple ID because it doesn't currently work with iTunes for Windows, which I still use to make local backups of our devices. But otherwise I would. It's not a big deal to carry one of these things on my keychain when I am away from home and leave another one at home.
The problem with YubiKey and other similar devices is that there are certain enterprise environments which prohibit USB and wireless devices, so you are forced to use passwords.
 
I ordered two of these keys over a year ago. Returned both of them because the NFC was so bad. It would not connect with the phone on a consistent basis. Maybe it works better for others.
 
There are a lot of confidently incorrect, uninformed or misinformed commenters here. It’s been a laugh reading how some of you think security keys work or what they’re for 😂
 
The hardware key Apple introduced is basically for authenticating new devices, as far as I am aware. It is not needed on a daily basis with the phone.
Right, my iPhone doesn't fail on a daily basis, but if it did fail and a key wasn't readily available to activate a replacement iPhone, I'd be screwed. A key is just one more thing to have to remember to pack and guard when traveling.
 
I know I might be in the minority here but…..

$55?!?!?!?? THAT’S OVERPRICED!!!!!!! (LET ALONE YOU NEED TWO SO ITS $110 TOTAL!!!!!!!!!)


If companies want security keys to become the norm for logins, they need to convince the companies that make the security keys to lower the price. I know there are a lot of components needed to make the device secure, but average consumers don't care about that. They want it at an affordable price, like $9.99 (which is the average price of a 1 TB USB drive; at $110, I can buy 10 of those, which is not necessary).

You don't need or even want the $55 key. Get the 5C NFC Security key. It's $29.

And for people that think this is just for securing your Apple account, it's not. It's for securing any accounts that implement security keys. For me this is about 20% of my financial institutions and 100% of email providers.
It will absolutely work. In fact, it looks like at least one of the keys in this review is the cheaper FIDO only security key, previously known as the blue key.

Look at the screenshot showing the back of the key. It says “FIDO”, which in this context means “FIDO only” and is printed on the cheaper key to distinguish it from the multi-protocol key, now that the two models share the colour black. You can check it on the Yubico store, the Yubikey proper and the black FIDO only key have different back sides.

This explains why the reviewer couldn't get the Yubico Authenticator app to work; it's simply not supported on the cheaper key.
Keep in mind that the Yubikey Authenticator only has like 20 or 30 slots.

So for most people they will need to bifurcate their TOTP codes between multiple services/apps.
 
I have been using YubiKeys since v2 or v3 of their keys. Love them. They are essentially unbreakable. However, I would never get a YubiKey 5Ci. Those are fragile and easily break if you leave them on a keychain. I've had multiple 5Cis break. Never get a 5Ci.
Totally the same experience. Purchased four. All four broke. Terrible.
 
I don’t think so. Basically what the hardware key is, is a private key on read only memory. Just like any other private key it’s just used as the basis to validate your public key that is in the accounts you use it with. I don’t believe there is any sort of revocation. Once you have the private key the negotiation is between that key and the services you use it with.

As far as the NSA, if the NSA is after you, you are ****ed. But the NSA is not after you, because you wouldn’t be asking that question.

Whether the government has backdoors into systems is kind of outside the scope of this. The key is not the weak point. You and the services you use are the weak point. If the FBI wants it they will knock your door down at 4 AM and take it.
Great. Now that you mentioned the NSA they’ll be all over this thread looking for Apple leakers and other nefarious types.
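To make concrete what the post above describes (a private key that never leaves the device) and the phishing point made earlier in the thread, here is an added Go model written for this page; it is not code from the thread, from Yubico or from Apple. The key holds one ECDSA credential per relying-party ID, signs only over a hash of the rpID the browser reports for the real origin, and the relying party verifies with its own rpID. The names appleid.example and appleid-login.example are made-up placeholders, and real FIDO2/WebAuthn adds counters, user-presence flags and CBOR encoding that are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the hardware key: the private key never leaves it and
// each credential is scoped to the relying-party ID (rpID) it was made for.
// Constructed model for illustration, not a real FIDO/WebAuthn implementation.
type Authenticator struct{ creds map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator {
	return &Authenticator{creds: map[string]*ecdsa.PrivateKey{}}
}
// Register creates a credential for rpID; only the public key leaves the key.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a.creds[rpID] = k
	return &k.PublicKey
}
// signedData is what the key signs: SHA256(SHA256(rpID) || SHA256(challenge)).
func signedData(rpID string, challenge []byte) []byte {
	rp, ch := sha256.Sum256([]byte(rpID)), sha256.Sum256(challenge)
	sum := sha256.Sum256(append(rp[:], ch[:]...))
	return sum[:]
}
// Assert signs for the rpID the browser derives from the page's real origin;
// the user cannot substitute another one, which is what defeats a phishing relay.
func (a *Authenticator) Assert(rpID string, challenge []byte) []byte {
	k, ok := a.creds[rpID]
	if !ok {
		return nil // no credential scoped to this origin: nothing to sign
	}
	sig, _ := ecdsa.SignASN1(rand.Reader, k, signedData(rpID, challenge))
	return sig
}
// Verify is the relying party's check using ITS OWN rpID and a fresh challenge,
// so an assertion captured by a look-alike site never validates here.
func Verify(pub *ecdsa.PublicKey, rpID string, challenge, sig []byte) bool {
	return sig != nil && ecdsa.VerifyASN1(pub, signedData(rpID, challenge), sig)
}

func main() {
	key, rp, nonce := NewAuthenticator(), "appleid.example", []byte("rp-nonce-1") // constructed
	pub := key.Register(rp)
	fmt.Println("genuine login:", Verify(pub, rp, nonce, key.Assert(rp, nonce)))
	fmt.Println("phishing relay:", Verify(pub, rp, nonce, key.Assert("appleid-login.example", nonce)))
}
```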
 
1. No, Apple has NOT announced they are removing the Lightning port from iPhones. This is fraudulent reporting.

2. Using a hardware key puts yourself in much greater physical danger of being harmed, making it easier for a hacker to get into your account by simply assaulting you and running a standard PIN guessing algorithm.
You have a point, but Apple's senior executives did confirm that the iPhone is getting USB-C to comply with EU laws. Unlike with micro-USB, adapters aren't allowed, so there's no loophole for them to follow. Your second point is confusing; most hackers are not people in your close vicinity, they could be striking from anywhere in the world. The people snatching iPhones and watching the PIN before they do so are using low-tech techniques, not the sort of sophisticated approaches that cracking a hardware key would require.
 