
F-Train (macrumors 68020, original poster; Apr 22, 2015; NYC & Newfoundland)
I've registered two Yubikeys on my iPhone 11 Pro Max with iOS 16.3 beta, a Yubikey 5 USB-A NFC and a Yubikey 5 USB-C NFC. However, on login I'm asked, as usual, to enter my 6-digit passcode rather than to use one of the Yubikeys. Both keys are working properly for login to my Mac Studio, asking for my Yubikey PIN. My phone is not a new device, so it is not subject to a 2-week wait period that I've read about.

Thoughts on troubleshooting this appreciated. Screen captures below are from iPhone > Settings > Password & Security.
 

Attachments: IMG_1219.PNG, IMG_1220.PNG
Last edited:
  • Like
Reactions: robd003
Following this thread as I’m interested in setting up keys. You said on login you’re prompted for a code, on login to what?
 
Hi @palemonkey

When I turn on my iPhone, I get this standard login screen:

Enter Passcode
Your passcode is required when iPhone restarts


I believe that I should now be getting a screen that requires my YubiKey instead.

When I log into my Mac, I'm asked for my YubiKey PIN rather than for my password.

I should acknowledge that I don't have a clear understanding of how a YubiKey interacts with my Mac and iPhone. I find the Yubico website clear as mud :)
 
Last edited:
My understanding is that in iOS 16.3 the Yubikey protects your iCloud account, not your iPhone or Mac. As for your Mac asking for a yubikey pin I presume you have some software installed to make that happen.
 
My understanding is that in iOS 16.3 the Yubikey protects your iCloud account, not your iPhone or Mac. As for your Mac asking for a yubikey pin I presume you have some software installed to make that happen.

On my Mac, the YubiKey has a Personal Identity Verification (PIV) function like a SmartCard. This function is set up with the YubiKey Manager app or using the Mac Terminal. When the YubiKey is in a USB port on my Mac on login, I'm asked for a PIN rather than for my password. This is handy because I have a fairly lengthy strong password for login to my Mac. While it's possible to set up a YubiKey so that only the PIN will unlock my computer, doing away with password access altogether, I've set up my YubiKey so that either the PIN or the password will work. Whether Apple Passkey via its "Touch" keyboard is a better idea is a different question.

On my iPhone, as you say one possibility is that the YubiKey offers no login function and is only for managing access to my iCloud account. That's what I'm sorting out at the moment, including how it fits with the new function of managing web access to iCloud data. I suspect you're right and that the YubiKey, unlike with my Mac, has no login function.

On iCloud access, I want to figure out what the practical difference is between using YubiKey FIDO2 and not using it.

There's also the YubiKey verification function with third party websites and apps, which so far is working the same as on my Mac.
 
Last edited:
On my Mac, the YubiKey has a Personal Identity Verification (PIV) function like a SmartCard. This function is set up with the YubiKey Manager app or using the Mac Terminal. When the YubiKey is in a USB port on my Mac on login, I'm asked for a PIN rather than for my password. This is handy because I have a fairly lengthy strong password for login to my Mac. While it's possible to set up a YubiKey so that only the PIN will unlock my computer, doing away with password access altogether, I've set up my YubiKey so that either the PIN or the password will work. Whether Apple Passkey via its "Touch" keyboard is a better idea is a different question.

On my iPhone, as you say one possibility is that the YubiKey offers no login function and is only for managing access to my iCloud account. That's what I'm sorting out at the moment, including how it fits with the new function of managing web access to iCloud data. I suspect you're right and that the YubiKey, unlike with my Mac, has no login function.

On iCloud access, I want to figure out what the practical difference is between using YubiKey FIDO2 and not using it.

There's also the YubiKey verification function with third party websites and apps, which so far is working the same as on my Mac.
This post has some good information and the YouTube video is very good too.

Security keys are primarily designed to prevent phishing attacks against your iCloud account. Recovery codes from trusted devices or SMS codes can be stolen, and then there is the potential for your iCloud account to be taken over.
 
Last edited:
This post has some good information and the YouTube video is very good too.

Security keys are primarily designed to prevent phishing attacks against your iCloud account. Recovery codes from trusted devices or SMS codes can be stolen, and then there is the potential for your iCloud account to be taken over.

Like a lot of the people who have made videos about security keys, Jeff Benjamin overstates the case for these keys. At 4:20 of the video, he says "The physical keys replace the security code that we normally use as our second factor of authentication". That is only true of sites that have implemented FIDO2, which at the moment is a very short list of sites. That's why there's a YubiKey Authenticator app that works similarly to Google Authenticator, with the benefit that YubiKey Authenticator works on a Mac as well as on an iPhone or iPad. For both practical and user interface reasons, I prefer YubiKey's Authenticator app to Google's, an Authenticator app or SMS being necessary at the moment for the great majority of sites.

Note that Benjamin suggests, starting at 7:35 and 8:20, that a security key does replace the 6-digit passcode for login to an iPhone or iPad. As discussed above, this is not what I'm finding so far.

I'm more interested in security keys and FIDO2 as an approach to device and site login than I am in relation to preventing phishing. I've never been successfully phished and I think that this is a bigger issue at an enterprise business level than it is at an individual user level. That said, it's nice that FIDO2 security means that one can forget about phishing as an issue altogether. I'm trying out security keys because I have several devices, including Windows devices. An Apple keyboard with passkey touch is probably not the best solution for me.

I do believe that FIDO2 will be widely adopted, but people who are implementing it now are very much early adopters. Ideally, we'll wind up in a situation where one only needs a security key set up for FIDO2 and either a backup security key or a recovery code. On sites that have implemented FIDO2, I am deleting authenticator app and SMS methods of 2-factor authentication. In my view, retaining those methods defeats the whole point of using FIDO2.

A word about YouTube videos about YubiKeys... Yubico paid with free product, and perhaps cash, for almost all of the videos on YouTube. That may help explain why all of them are gushing about the product and gloss over things that I, at least, wanted to know. There are also a lot of errors about security protocols. Yubico's own videos are better than most YouTuber videos. I've found about three YouTuber videos that are actually useful.

I should reiterate that I'm no expert on this stuff and that I'm just trying to figure it out as I go along :)
 
Last edited:
Further to the above post, here's a screen capture of the Yubico Authenticator app on my Mac display. When I want to add a site, the app will copy a QR image directly from my display, or I can copy and paste the code accompanying the QR image.

I do prefer using this app to using Google Authenticator on my iPhone or iPad. On a YubiKey, this protocol is called OATH. It is not FIDO2, which replaces passwords and doesn't require these codes.

As discussed in post #5, there is also a YubiKey Manager app. I used that app to set up the PIN for login to my Macs, using the protocol PIV. From my point of view, using a strong password on a Mac is a nuisance. A PIN addresses that. If one wants to do this with an Apple Silicon Mac, one should read the discussion about PIV and Silicon Macs on the Yubico website. That discussion is one of the reasons why I set up my Macs to accept both a PIN and a strong password rather than just a PIN. I'm not concerned that a thief will break my password, my internal drives are encrypted with File Vault, and my Macs are registered with Find My Mac.


Screenshot 2023-01-01 at 9.14.07 AM.png
 
Last edited:
At 7:35 Benjamin refers to a 6-digit code, I believe this to be the verification code used to sign in a new device to iCloud, reset password etc, not an iOS device pin code. Note that you can have a 100-digit code for an iOS device if you wish, or an alphanumeric password, it doesn't have to be a 6-digit code.

Again, physical keys such as Yubikey are designed to prevent phishing. Something you know (a password) and something you physically have (a key). Lots of people use their iCloud accounts to store their passwords and fairly soon passkeys so preventing access to your iCloud account using a physical key is a nice addition.

I'm not sure, in a scenario where somebody has managed to steal your phone and your device pin code, how a security key is going to save you? Surely they'll just steal the key too?

Sites that support FIDO will soon support Passkeys/Webauthn, arguably using a Passkey synced to iCloud and protected with Face ID is a much better experience than carrying around a security key such as Yubikey, although if you’re throwing Windows into the mix I appreciate that complicates matters.

Edit: I guess I should make clear I’m referring to the FIDO part of the security key specifically, I appreciate they can do other tasks such as TOTP entry etc, but in this context and the context of Apple’s implementation I mean FIDO. Yubikey was probably a bad example because some of their keys can perform tasks other than FIDO, such as the screenshot you showed above, but I’m purely referring to the FIDO only type keys. :)
 
Last edited:
The Yubico website has a full list of sites that accept its keys as part of two factor authentication. I think that people who are thinking about purchasing a security key or keys should go through the list and identify sites that they use. Many people may discover that it's actually a pretty short list. Yubico also says in each case what protocols the site uses, but it's even better to go to the actual sites and see what they accept.

Note that sites allow one to trust a device, which means that two-factor authentication will not be necessary again for that device for quite some time.

I think that it's also useful to do a Google search for a list of sites that have implemented FIDO2. There are a number of such lists available. At the moment, it is a very short list. It's also worth checking out the FIDO site itself: https://fidoalliance.org/
 
Last edited:
Hi @palemonkey

You are confusing FIDO and FIDO2 throughout your post. They are not the same thing. Yes, I'm aware of the fact that Benjamin is setting up a new device, but my read of his video is that he implies more than that. He's also using a YubiKey knock-off, which may have a bearing on this. In any event, he has overstated adoption of FIDO2.

The objective of FIDO2 is to replace passwords altogether. That is a big deal. A decade from now, computer passwords may be obsolete, a thing of the past. FIDO2 is a much bigger exercise than addressing phishing.

In any event, YubiKeys are already designed to do more than address phishing. I don't even regard phishing as a significant issue outside an enterprise operation where one may have a lot of people who are not particularly computer savvy. I have never personally seen a phishing attempt that didn't have my antennae up. Yes, it's nice to be able to forget about the issue, but for me it isn't a reason to spend over US$100 on security keys.

Re your comment about theft of a device: "how is a security key going to save you? Surely they'll just steal the key too?".... The whole idea behind a security key is that the key and your computer or phone should be in different places unless you're using them together. That's why a YubiKey has a hole to put it on a keychain. A person who steals one of my computers or a phone is certainly not going to be walking away with my security key.

I gather that you haven't used a security key and it's clear that you aren't familiar with YubiKeys, which are the industry leader and the subject of this thread. As someone who's auditioning YubiKeys, I think that there are pros and cons. I'm sharing my views, and I'm not looking for a debate.
 
Last edited:
  • Sad
Reactions: palemonkey
The whole idea behind a security key is that the key and your computer or phone should be in different places unless you're using them together.
Your own use case describes keeping the key with the computer and phone together at all times 🤷‍♂️
 
Last edited:
Your own use case describes keeping the key with the computer and phone together at all times 🤷‍♂️ but ok.

What? The whole point is to keep a YubiKey and its device separate except when you're using them together. As I've already told you, that's why there's a hole on a YubiKey to attach it to a keychain.

Like it says in the title, this thread is about YubiKeys. You've already said that you don't know anything about them, which is why I made an effort to explain certain of the features.
 
Last edited by a moderator:
  • Sad
Reactions: palemonkey
The whole idea behind a security key is that the key and your computer or phone should be in different places unless you're using them together.

But if you're using FIDO2 for passwordless authentication, wouldn't it then be enough for the thief to steal just your key alone? Why would he need to steal your computer or phone as well?
Your physical key and your user name (which on most sites is your e-mail address, so it's hardly a secret) would be enough for a thief to log into your account on his own computer, wouldn't it? Or am I missing something?

Also, it seems to me that what Apple is implementing in iOS 16.3 is FIDO U2F rather than FIDO2. That is, if I'm not mistaken, which is entirely possible.
 
But if you're using FIDO2 for passwordless authentication, wouldn't it then be enough for the thief to steal just your key alone? Why would he need to steal your computer or phone as well?
Your physical key and your user name (which on most sites is your e-mail address, so it's hardly a secret) would be enough for a thief to log into your account on his own computer, wouldn't it? Or am I missing something?

Also, it seems to me that what Apple is implementing in iOS 16.3 is FIDO U2F rather than FIDO2. That is, if I'm not mistaken, which is entirely possible.

As a practical matter, I'm not worried about someone stealing just my Yubikeys. In my situation, the idea is really far-fetched. We're talking about someone who's stolen my entire key ring, knows what a YubiKey is and how to use one, and has figured out what internet accounts I use. In any event...

What can a YubiKey thief do with my Yubikey to log into a machine? Nothing without my PIN and almost certainly my reset code for attempts, which is set at a limit of three.

What can a YubiKey thief do with my YubiKey on an unlocked device? For sites that I've set up for Yubico's Authenticator app, nothing. I haven't yet tried to use my YubiKey on a new device and on a FIDO2 site, but I'll be pretty surprised if there's no control, as far-fetched as the scenario is in my circumstance.

On your second point... Whether a website implements FIDO2 is up to the site, not Apple. I can tell you that some sites have indeed done it, although to date it's a fairly short list. I haven't been able to confirm yet what Apple has implemented for iCloud, but it is supposed to be FIDO2. My understanding is that Apple Passkey is a synonym for FIDO2. However, as I've said earlier I'm no expert on this stuff, just trying to figure it out.
 
Last edited:
  • Like
Reactions: The1andOnly
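The question in the two posts above (is a stolen key plus a known user name enough for passwordless FIDO2 login, and what "control" stops it) comes down to the checks a site makes on the key's signed response. The following is an added example written for this page, not code from the thread, Yubico or Apple: a toy Go model of a FIDO2/WebAuthn assertion and the server-side verification of it. Everything named here (Authenticator, RelyingParty, the PIN 1234, rpID example.com) is constructed. The point it shows: a key touched without its PIN still signs, but cannot set the "user verified" flag, so a site that requires user verification for passwordless login rejects the thief; the signature also binds the site's origin, which is the phishing resistance discussed earlier in the thread. Real keys additionally lock after a small number of wrong PINs, and real browsers refuse to let a look-alike origin request example.com's credential before the site ever sees a response.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const flagUP, flagUV = 0x01, 0x04 // authenticator-data flags: user present (touch), user verified (PIN)

// Authenticator is a toy FIDO2 key with one credential (constructed for this example; a real key keeps the private key in hardware).
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	pin     string
	counter uint32
}

func NewAuthenticator(pin string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: priv, pin: pin}, err
}

// Assertion: AuthData = sha256(rpID) || flags || counter; Sig = ECDSA over sha256(AuthData || clientDataHash).
type Assertion struct{ AuthData, Sig []byte }

// clientDataHash stands in for sha256(clientDataJSON), which binds the challenge to the origin the browser is really on.
func clientDataHash(origin string, challenge []byte) [32]byte {
	return sha256.Sum256(append([]byte(origin+"|"), challenge...))
}

// GetAssertion signs on touch alone; a wrong PIN only leaves the UV flag clear.
func (a *Authenticator) GetAssertion(rpID string, cdh [32]byte, pinTyped string) (Assertion, error) {
	flags := byte(flagUP)
	if pinTyped == a.pin {
		flags |= flagUV
	}
	a.counter++
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(append([]byte{}, rpHash[:]...), flags, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(authData[33:], a.counter)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, msg[:])
	return Assertion{AuthData: authData, Sig: sig}, err
}

// RelyingParty is the site's side: stored public key, last counter seen, and policy.
type RelyingParty struct {
	rpID, origin string
	pub          *ecdsa.PublicKey
	lastCounter  uint32
	requireUV    bool // true for passwordless login, where the key is the only factor
}

// Verify performs the checks a site must make before accepting an assertion.
func (rp *RelyingParty) Verify(challenge []byte, as Assertion) error {
	if len(as.AuthData) != 37 {
		return errors.New("malformed authenticator data")
	}
	if want := sha256.Sum256([]byte(rp.rpID)); string(as.AuthData[:32]) != string(want[:]) {
		return errors.New("rpIdHash mismatch: assertion was made for another site")
	}
	if flags := as.AuthData[32]; flags&flagUP == 0 || (rp.requireUV && flags&flagUV == 0) {
		return errors.New("user verification missing: key touched but PIN not entered")
	}
	counter := binary.BigEndian.Uint32(as.AuthData[33:37])
	if counter <= rp.lastCounter {
		return errors.New("counter did not increase: possible cloned key")
	}
	cdh := clientDataHash(rp.origin, challenge)
	msg := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdh[:]...))
	if !ecdsa.VerifyASN1(rp.pub, msg[:], as.Sig) {
		return errors.New("bad signature: wrong key or wrong origin")
	}
	rp.lastCounter = counter
	return nil
}

// login runs one ceremony: a browser at origin relays rp's fresh challenge to the key.
func login(auth *Authenticator, rp *RelyingParty, origin, pinTyped string) error {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	as, err := auth.GetAssertion(rp.rpID, clientDataHash(origin, challenge), pinTyped)
	if err != nil {
		return err
	}
	return rp.Verify(challenge, as)
}

func main() {
	key, _ := NewAuthenticator("1234") // constructed PIN
	rp := &RelyingParty{rpID: "example.com", origin: "https://example.com", pub: &key.priv.PublicKey, requireUV: true}
	fmt.Println("owner with PIN:         ", login(key, rp, rp.origin, "1234"))
	fmt.Println("thief, key without PIN: ", login(key, rp, rp.origin, "0000"))
	fmt.Println("look-alike origin relay:", login(key, rp, "https://examp1e.com", "1234"))
}
```

With requireUV set to false the same model is a plain second factor: touch alone passes, which is acceptable only because a password was already checked. That policy choice, made by each site, is the control the post above expects to find on FIDO2 sites.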
Whether a website implements FIDO2 is up to the site, not Apple.
Of course. But I was just talking about Apple's implementation in regard to iCloud accounts, which is coming in iOS 16.3. I thought that was what this thread was about. If the discussion was actually meant to be more general than that, my mistake. 😊
 
Of course. But I was just talking about Apple's implementation in regard to iCloud accounts, which is coming in iOS 16.3. I thought that was what this thread was about. If the discussion was actually meant to be more general than that, my mistake. 😊
The thread started with a narrow question but has broadened since then. I'm more than happy to see the discussion expand. Your points implicitly raised broader issues than just iCloud. Maybe a security key maven will show up :)

I made a couple of edits to my post two up, just for clarification, since your post just above.
 
Last edited:
  • Like
Reactions: Vlad Soare
The Security Key is designed to replace the verification codes that are sent to Apple devices when logging into another device, which is the standard method of authentication that Apple uses.

That's how I understand it, too.
There's one thing I'm not sure about, though. What happens if someone who knows your Apple ID (which isn't hard to guess, since it's usually your personal e-mail address) steals your security key? Of course they won't be able to log on without knowing your password, but what if they say they forgot it and trigger a password reset process? Will they be able to use the stolen key as proof of identity to have your password reset? Or will Apple ask for other means of identification (perhaps reverting to the standard verification codes sent to your other devices)?
 
That's how I understand it, too.
There's one thing I'm not sure about, though. What happens if someone who knows your Apple ID (which isn't hard to know, since it's usually your personal e-mail address) steals your hardware key? Of course they won't be able to log on without knowing your password, but what if they say they forgot it and trigger a password reset process? Will they be able to use the stolen key as proof of identity to have your password reset? Or will Apple ask for other means of identification (perhaps reverting to the good old six-digit codes sent to your other devices)?
That's a good question, would like to know the answer to this too! I see your comment on the YouTube video so will await a response :)
 
  • Like
Reactions: Vlad Soare
There's one thing I'm not sure about, though. What happens if someone who knows your Apple ID (which isn't hard to guess, since it's usually your personal e-mail address) steals your security key? Of course they won't be able to log on without knowing your password, but what if they say they forgot it and trigger a password reset process? Will they be able to use the stolen key as proof of identity to have your password reset? Or will Apple ask for other means of identification (perhaps reverting to the standard verification codes sent to your other devices)?

Apple doesn't allow me to use my standard e-mail address for my Apple ID. It actually prevents it. I think that this is pretty common, if not the norm. I use an address that is used for no other purpose. There is no prospect that someone other than me (and a family member that I've specified) will know my Apple ID e-mail address.

If you lose your security key, the next stop is a recovery code, which Apple and other sites don't have a record of. Apple is also unique in requiring a second security key. I think that the reason is that Apple doesn't want to deal with users who either didn't get a recovery code when they set up a security key or have lost the code. It appears to be Apple being paternalistic (if there's a functional reason, I don't know what it is), but I don't object. I have not seen any other site that requires that one have two keys. When I initially purchased a single security key, I downloaded new recovery codes for all of the sites for which I used the key. I now have both a second key and recovery codes. All other forms of two factor authentication are turned off. Retaining them defeats the purpose of the key.

Caveat: The sites that offer two-factor authentication are all a bit different. I have an account with GoDaddy (dormant because I'm not a GoDaddy fan and the number of .NYC registrars has increased), which is unique in that it doesn't offer recovery codes. For GoDaddy, I used my YubiKey for FIDO2 and, as backup, Google Authenticator (not YubiKey Authenticator for an obvious reason). I have not had to do that with any other site. Now that I have two YubiKeys, I will probably de-authorise Google Authenticator for GoDaddy and delete the Google Authenticator app from my phone.

Apple does have a last-ditch way, additional to its recovery code, to get into one of its devices. However, this must be set up with the participation of a trusted friend or family member. I haven't done this, and I haven't looked at the process recently, but I imagine that it has to be set up before a problem emerges and you're locked out of your device.
 
Last edited:
Apple doesn't allow me to use my standard e-mail address for my Apple ID. It actually prevents it. I think that this is pretty common, if not the norm. I use an address that is used for no other purpose. There is no prospect that someone other than me (and a family member that I've specified) will know my Apple ID e-mail address.
That's strange. It must be something new. My Apple ID is my personal GMail address, and so is my wife's and my three daughters'. My little daughter's account was created sometime this spring (around April, if memory serves), and it still allowed me to use her GMail address. If this isn't possible anymore, then it must be a recent change.
Anyway, the thing is, whether the Apple account is linked to a newly created icloud.com address or to an external one, most people will use it one way or the other. So it's hardly a secret. I'd wager that you, having a completely separate address that's never used for anything else than logging in, are the exception rather than the rule.


If you lose your security key, the next stop is a recovery code, which Apple and other sites don't have a record of. Apple is also unique in requiring a second security key. I think that the reason is that Apple doesn't want to deal with users who either didn't get a recovery code when they set up a security key or have lost the code. It appears to be Apple being paternalistic (if there's a functional reason, I don't know what it is), but I don't object. I have not seen any other site that requires that one have two keys. When I initially purchased a single security key, I downloaded new recovery codes for all of the sites for which I used the key. I now have both a second key and recovery codes. All other forms of two factor authentication are turned off. Retaining them defeats the purpose of the key.

Caveat: The sites that offer two-factor authentication are all a bit different. I have an account with GoDaddy (dormant because I'm not a GoDaddy fan and the number of .NYC registrars has increased), which is unique in that it doesn't offer recovery codes. For GoDaddy, I used my YubiKey for FIDO2 and, as backup, Google Authenticator (not YubiKey Authenticator for an obvious reason). I have not had to do that with any other site. Now that I have two YubiKeys, I will probably de-authorise Google Authenticator for GoDaddy and delete the Google Authenticator app from my phone.

Apple does have a last-ditch way, additional to its recovery code, to get into one of its devices. However, this must be set up with the participation of a trusted friend or family member. I haven't done this, and I haven't looked at the process recently, but I imagine that it has to be set up before a problem emerges and you're locked out of your device.

Indeed, the recovery contact must be set up in advance, on a device you're already logged on to.

I'm not worried about getting locked out of my account due to my own negligence. Knowing me, that will most probably never happen. I was just thinking that someone else, who steals my key, might get access to my account by pretending to be me and to have forgotten the password.
I guess it all depends on how the password reset procedure will work. If it requires you to present both keys, or one key and a recovery code, or something like that, then it's safe. The chances of the thief having both keys are slim to none (provided you store them adequately, that is). That may be why Apple requires you to have at least two keys registered at any given time.
 
Last edited:
  • Like
Reactions: palemonkey
What I said in post #21 about Apple e-mail addresses has been true for years. I've been using Apple computers for 13 years, and I don't recall a time when it wasn't true. There's nothing recent about it. I use Apple Mail and have an Apple on-line account. As a result, Apple prevents me from using my "at iCloud" or "at me" e-mail address or any of their derivatives for my Apple I.D. Yes, I've been using Apple computers long enough to be grandfathered on "at me". As it happens, like you I use a dedicated Gmail address for my Apple I.D. I don't use that address for anything else. For actual e-mail, I use Apple addresses and FastMail, the latter for e-mails from and to my registered domains in the form @mydomain.com and @mydomain.nyc.

Of course you need to obtain a recovery code before being locked out. In the last paragraph of post #21, I'm not talking about a recovery code. I'm talking about an additional process that involves a trusted friend or family member. This process has nothing to do with recovery codes.

You need one security key. I explained in post #21, second paragraph, why I think that Apple requires its users to have a backup key. Unsurprisingly, given that it sells security keys, Yubico also recommends two. However, except for Apple security key setup, you only actually need one key and a site recovery code.

I've explained my views on a scenario where someone steals a security key in post #15. I have my primary security key on a key ring and the backup elsewhere in a drawer. There is no reason to have both of them on my key ring. In any event, from my perspective theft of security keys, especially both the primary and backup keys, is so far-fetched that it isn't worth worrying about. As discussed in post #15, I don't think that a thief can access my accounts with one of my security keys anyway.
 
Last edited:
What I said in post #21 about Apple e-mail addresses has been true for years. I've been using Apple computers for 13 years, and I don't recall a time when it wasn't true. There's nothing recent about it.
Then how do you explain that we have five Apple IDs, three of which were created within the last three years (one of them even less than a year ago, as I said), which are all linked to pre-existing GMail addresses?

Of course you need to obtain a recovery code before being locked out. In the last paragraph of post #21, I'm not talking about a recovery code. I'm talking about an additional process that involves a trusted friend or family member. This process has nothing to do with recovery codes.
I said "recovery contact", not code. That trusted friend is called a recovery contact, and he (or she) must be set up in advance.

You need one security key. I explained in post #21, second paragraph, why I think that Apple requires its users to have a backup key.
Sure, that is clearly one reason, namely to save less tech-savvy users from themselves. If the second security key were merely recommended rather than required, most people wouldn't bother. When dealing with lots of users it's safer to just force them to use best practices.
However, there may be other reasons as well, and what I said does seem to be quite a likely one (provided that the password reset procedure is the way I suspect - which I can't check myself, as I haven't installed the beta).

I've explained my views on a scenario where someone steals a security key in post #15. I have my primary security key on a key ring and the backup elsewhere in a drawer. There is no reason to have both of them on my key ring. In any event, from my perspective theft of security keys, especially both the primary and backup keys, is so far-fetched that it isn't worth worrying about. As discussed in post #15, I don't think that a thief can access my accounts with one of my security keys anyway.
I'm not sure you got my point.
The scenario I'm thinking about goes like this. Someone who knows you personally, like a work colleague, perhaps a distant friend of a friend, or maybe even your spouse who wants to divorce you and is looking for compromising evidence against you, etc., is targeting you specifically. They know your Apple ID, because it's your e-mail address. By being long enough around you, they will have noticed at some point that you're using a Yubikey that resides on your keychain, and that you keep that keychain in a specific pocket of your jacket. Now all they need is an opportunity to get that Yubikey while you're out for a smoke, or in the bathroom, or whatever. They only need thirty seconds. And unless you happen to need something from that keychain immediately upon your return, you may not notice its absence for quite some time. Actually, a smarter thief might also put an identical Yubikey back on the keychain, to keep you from noticing the theft for an even longer time - this could buy them days, or even weeks.

Now, that person won't be able to log into your account directly, because they don't know your password. But Apple provides a procedure for resetting the password in case you've forgotten it. Currently that procedure requires you to enter a six-digit code that's sent to another device of yours. The question is, how will this procedure work from now on? Will it take a Yubikey instead of that code - in which case the thief can reset your password and log in? Or will it require both keys - which the thief can't provide, since the second one is stored safely away?
My money is on the latter, but I can't test it. Since you've installed the beta, maybe you can try this out and tell us how it actually is?
 
Last edited:
  • Like
Reactions: palemonkey