I don't think you got my point.
The scenario I'm thinking about goes like this. Someone who knows you personally, like a work colleague, perhaps a distant friend of a friend, or maybe even your spouse who wants to divorce you and is looking for compromising evidence against you, etc., is targeting you specifically. They know your Apple ID, because it's your e-mail address (well, you personally are an exception, I get that, but for most other people the Apple ID is their e-mail). By being around you long enough they will have noticed at some point that you're using a Yubikey that resides on your keychain, and that you usually keep that keychain in a specific pocket of your jacket. Now all they need is an opportunity to get that Yubikey while you're out for a smoke, or in the bathroom, or whatever. They only need thirty seconds. And unless you happen to need something from that keychain immediately upon your return, you may not notice its absence for quite some time... Since you've installed the beta, maybe you can try this out and tell us how it actually is?

Are you putting me on? I have no interest in testing anything based on those scenarios. Let me guess, you use Proton Mail.

At this point, I'm satisfied that I'm not on the same planet as you and this guy @palemonkey.

Time for me to exit this thread.
 
I have no interest in testing based on those scenarios. Let me guess, you use Proton Mail. Are you putting me on?

At this point, I'm satisfied that I'm not on the same planet as you and this guy @palemonkey.

Time for me to exit this thread.
You're guessing wrong, I don't even know what Proton Mail is. I had to Google it.
Frankly, I find your anger really surprising. I'm interested in these new features and was hoping we could discuss them and get a better understanding of how they're supposed to work. I fail to see what part of what I said may have offended you so badly. I didn't mean to upset you, but under these circumstances I agree that your exiting this thread may be the best thing to do.
 
I added 2x security keys to my account today. I updated a spare device to iOS 16.3 and ran through account recovery as if I had forgotten my password:

  1. Entered Apple ID
  2. Asked me for the phone number associated with the account
  3. Sent a notification to my trusted devices, I ignored this
  4. Asked for my security key, I held the key to the phone
  5. Asked for my Recovery Key, this cannot be bypassed

So the good news is that Security keys seem to replace recovery codes but an account cannot be taken over using security keys alone 👍

Edit: With some (most?) FIDO2 keys you can set a 63 alphanumeric PIN code too.
 
I added 2x security keys to my account today. I updated a spare device to iOS 16.3
Thanks for testing and sharing!

Do you have other devices logged in with the same Apple ID but with older versions of iOS, macOS etc? Will they fall back to one-time codes?

I know the other new security feature (expanded e2e encryption) definitely requires iOS 16.2+ but I haven’t seen information about security keys when it comes to what happens to devices stuck on old system versions.
 
Apple doesn't allow me to use my standard e-mail address for my Apple ID. It actually prevents it. I think that this is pretty common, if not the norm. I use an address that is used for no other purpose. There is no prospect that someone other than me (and a family member that I've specified) will know my Apple ID e-mail address.
Yeah, that’s…. Not a thing. The VAST majority of Apple IDs are the person’s primary email address. Really the only exceptions are people who have set up an Apple ID in the past on their primary address, and then another Apple ID (for whatever reason) that they’re using for purchases, so that’s the one they use by default. It does happen, but not what I’d call “Common.”

Sometimes, even those can be rectified by logging into the old, abandoned Apple ID and changing it to some other email (e.g. a throw-away Gmail account), then 30 days later change the “Real” Apple ID to the permanent email. But, a couple of caveats: (a) that only works with non-Apple emails (e.g. not @me.com/@mac.com/@icloud.com), (b) ya gotta be able to log into the old account in order to change it; if you’ve forgotten the password & forgotten the security questions etc you may be SOL, (c) if the old Apple ID was actually DELETED then you’re SOL because Apple will prevent that email from being used again.

TBH it’s more of a “power user” problem, most normal users don’t fiddle with multiple accounts or try to delete their old ID ;) so they don’t run into the problem.
 
Thanks for testing and sharing!

Do you have other devices logged in with the same Apple ID but with older versions of iOS, macOS etc? Will they fall back to one-time codes?

I know the other new security feature (expanded e2e encryption) definitely requires iOS 16.2+ but I haven’t seen information about security keys when it comes to what happens to devices stuck on old system versions.
No worries!
Yes, I tried it on an older device running 16.2, and at the bit where it prompts for a security key it then errors and you cannot continue.
 
What I'm wondering is, when you lock your iCloud with a Key, it gets locked on all your devices, right?
So how's this gonna work with my MacBook Pro from 2015, which doesn't get macOS updates anymore?
 
What I'm wondering is, when you lock your iCloud with a Key, it gets locked on all your devices, right?
So how's this gonna work with my MacBook Pro from 2015, which doesn't get macOS updates anymore?
I don't know for certain but I don't think you would be able to sign into iCloud on that device. I tried to sign into a device running something older than iOS 16.3 and it told me I had to update my device.
 
I added 2x security keys to my account today. I updated a spare device to iOS 16.3 and ran through account recovery as if I had forgotten my password:

  1. Entered Apple ID
  2. Asked me for the phone number associated with the account
  3. Sent a notification to my trusted devices, I ignored this
  4. Asked for my security key, I held the key to the phone
  5. Asked for my Recovery Key, this cannot be bypassed

So the good news is that Security keys seem to replace recovery codes but an account cannot be taken over using security keys alone 👍

Edit: With some (most?) FIDO2 keys you can set a 63 alphanumeric PIN code too.
That's courage, risking a lockout due to beta bugs!
 
That's courage, risking a lockout due to beta bugs!
Hopefully palemonkey was using a secondary Apple ID in addition to the non-primary device, as one should do when testing beta software. I remember many years ago some iOS betas would mess up people's iCloud data and photos because the update triggered a server-side upgrade to their account, and it was buggy.
 
I don't know for certain but I don't think you would be able to sign into iCloud on that device. I tried to sign into a device running something older than iOS 16.3 and it told me I had to update my device.
So the feature is now live, including a support page:


Now, I understand that with security keys enabled, we can’t login on devices running old versions like iOS 15 and macOS Monterey.

On that support page it says (my emphasis):

During set up, you're signed out of inactive devices, which are devices associated with your Apple ID that you haven't used or unlocked in more than 90 days. To sign back into these devices, update to compatible software and use a security key. If your device can't be updated to compatible software, you won't be able to sign back in.

My question is: what happens to active devices stuck on old OS versions that are already logged in? I read it as they will stay logged in, but is that only wishful thinking?
 
Anyone know if the Yubikey Bio series (USB-C) are compatible with unlocking iCloud on an iPhone using a USB-C to Lightning adapter?
 
I set everything up with the 2 YubiKey Bios using my Mac Studio. One is a USB-C Bio and the other is a USB-A Bio.

Unfortunately, the USB-C Bio did not work on my iPhone with a USB-C to Lightning adapter. I ended up deleting the hardware keys and went back to the old school MFA using known devices.
 
Unfortunately, the USB-C Bio did not work on my iPhone with a USB-C to Lightning adapter.
Not all adapters work. I seem to remember reading that some people had issues with Yubikeys and cheap USB-C to Lightning adapters. Some of these adapters are only meant for charging an iPhone using a laptop cable, not for transferring data. You need one that's specifically designed for data transfer.
 
My question is: what happens to active devices stuck on old OS versions that are already logged in? I read it as they will stay logged in, but is that only wishful thinking?
When I registered the keys, it listed all my active devices and asked me which of them (if any) should be logged out. I opted for none.
At the time only my Mac had been upgraded to the latest Ventura. My iPhone was still in the process of downloading the 16.3 update, so theoretically it wasn't up to date yet. And my Apple TV is still on 16.2. And yet it allowed me to keep them signed in.
 
Not all adapters work. I seem to remember reading that some people had issues with Yubikeys and cheap USB-C to Lightning adapters. Some of these adapters are only meant for charging an iPhone using a laptop cable, not for transferring data. You need one that's specifically designed for data transfer.
I agree. Since iPads don't support NFC and don't use USB-A, I am able to use a USB-A to C adapter to plug my Yubikey 5 NFC (USB-A) into my iPad by using an adapter. I got lucky with my adapter I suppose. I NFC to my iPhone and adapt to my iPad.
 
Not all adapters work. I seem to remember reading that some people had issues with Yubikeys and cheap USB-C to Lightning adapters. Some of these adapters are only meant for charging an iPhone using a laptop cable, not for transferring data. You need one that's specifically designed for data transfer.
I did order it off Amazon so go figure.

Open to suggestions for one that might work.
 