One of the new security features in the latest versions of Apple’s operating systems is the option to secure the Apple ID significantly better. Instead of the usual two-factor authentication (2FA), in which codes are sent to all logged-in devices – possibly including the one currently in use – you can now also authenticate with a hardware key. The manufacturer has now provided more information on this in a support document that is available in English.
YubiKey and Co.
The basic requirement is that all devices used with the Apple ID run at least iOS 16.3, iPadOS 16.3 or macOS 13.2. 2FA must be active for the Apple ID. A “modern browser” is required for use on the web, including current versions of Safari. To sign in to Apple Watch, Apple TV, or HomePod, you must have an iPad or iPhone, as only they can be paired with the security key. Most FIDO-certified security keys should be compatible. Apple cites the YubiKey 5C (with NFC and USB-C), YubiKey 5Ci (with Lightning and USB-C) and the Feitian ePass K9 (with NFC and USB-A, intended for older Macs and iPhones) as examples. At least two keys are required so that you do not lock yourself out – one should be stored securely.
Several uses are not possible with the security key. According to Apple, these are currently still iCloud for Windows (which could possibly change), child accounts and – unfortunately – Apple IDs in managed mode. Apple Watches paired with a family member’s iPhone will not work either. The setup must first be done on the manager’s iPhone. Furthermore, the security key cannot be used to sign in to devices that lack software supporting the technology.
Security key becomes the second factor
The security key serves as the second factor for all important operations related to the Apple ID. These are signing in on the web or on a new device, resetting the password or unlocking the Apple ID (if Apple has blocked it), and adding further security keys or removing them. The setup can be done on iPhone, iPad or Mac. Setup will automatically log you out of inactive devices (unused for 90 days or more).
Apple warns that it is the user’s responsibility to keep hold of their security keys and trusted devices: “You are responsible for maintaining access to your security keys. If you lose all of your trusted devices and security keys, you can be permanently locked out of your account.” Unfortunately, Apple has not stopped using so-called trusted phone numbers for account recovery, which is considered a security problem because the numbers could be hijacked. The number must still be on file and will then receive codes by voice call or SMS.
(bsc)