Apple's latest security-focused OS updates add support for hardware-based account verification.
Those with two-factor authentication enabled can now opt to require recognition of a nearby hardware device as one of the two factors to log into an Apple ID account on iOS 16.3, iPadOS 16.3 and macOS Ventura 13.2.
"This feature is designed for users who, often due to their public profile, face concerted threats to their online accounts, such as celebrities, journalists, and members of government," Apple said in announcing support for Security Keys in December.
Apple sees the use of physical keys as a logical progression for two-factor authentication, which it first introduced to Apple devices in 2015. More than 95% of iCloud accounts now use it.
"This takes our two-factor authentication even further, preventing even an advanced attacker from obtaining a user’s second factor in a phishing scam," Apple said. The use of external hardware rather than a second software-based check can help prevent attackers from intercepting or requesting data on the authentication attempt.
So what exactly is a physical security key and how do you get one? Apple defines them as "a small external device that looks like a thumb drive or tag." There are two main ways users can present a hardware key during a login attempt. The first is inserting it into an Apple device such as an iPhone or laptop, via a USB-C, Lightning, or USB-A port.
The second option is to use a non-inserted device, which the Apple device detects. This is called an NFC key, or "near-field communication." During a login attempt, a pop-up message on the phone will ask users to "insert and activate one of your security keys. If you have an NFC key, bring it to the top of this iPhone."
Apple provides a list of compatible devices on its support page:
- YubiKey 5C NFC (works with most Mac and iPhone models)
- YubiKey 5Ci (works with most Mac and iPhone models)
- Feitan ePass K9 NFC USB-A (works with older Mac models and most iPhone models)
- Any other FIDO Certified security key; see full list.
Once you acquire the device, you can set it up to pair with your iPhone or computer through the Settings menu. On iPhone, open Settings > [your name] > Password & Security > Add Security Keys. Then follow the onscreen instructions to add your keys.
There are a few limitations for the feature to be aware of. First, you cannot use the physical keys when signing into iCloud for Windows, or on older devices that are unable to receive the iOS 16.3 update. Child accounts or managed Apple IDs also aren't supported, and neither are Apple Watches paired with a family member's iPhone. You must have the watch set up with your own iPhone to use security keys.
Another upcoming security feature, meanwhile, targets attackers seeking to eavesdrop on iMessage conversations. When sending messages, the iMessage Contact Key Verification will notify someone if the person they are messaging is not who they think via an on-screen warning.
Like the physical key, this feature is also designed for "users who face extraordinary digital threats — such as journalists, human rights activists, and members of government" who seek "to further verify that they are messaging only with the people they intend," according to Apple, which previewed the feature last month and says it should roll out globally sometime this year.