Apple allows you to use hardware security keys to safeguard your iCloud and Apple ID accounts, providing an additional defense against cybercriminals and eavesdroppers.
Hardware security keys are small, physical devices that authenticate your identity over a network or device using a USB, Lightning, or NFC connection. Because you need to physically possess the key to access the account, they are very resistant to remote attacks. In addition, they prevent phishing attacks by ensuring that your credentials cannot be used on a bogus login page.
In late January, Apple unveiled iOS 16.3 and macOS 13.2, which included support for security keys. The company also released documentation for using the keys with Macs, iPhones, and iPads. At a minimum, you’ll need to enroll two keys with Apple, but there’s no limit to how many you may add. You can store them anywhere you like, be it in your desk drawer at work, your pocket, your key ring, or anywhere else.
This move comes after other tech giants, like Google, Microsoft, Twitter, and the parent company of Facebook, Meta, all expressed support for hardware security keys. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) calls security keys the “gold standard” for multifactor authentication.
Following a series of security breaches involving the Pegasus malware developed by NSO Group, Apple has been trying to increase iPhone protection.
In December 2022, Apple released Advanced Data Protection, providing users with a more robust means of encrypting their iCloud-hosted and synced data. In addition, Apple announced iPhone Lockdown Mode in September 2022, which disables certain features to prevent your iOS phone from being used maliciously.
While Apple’s increased data protection tech and hardware security keys give your account an extra layer of safety, the company cannot help you recover access to your Apple ID if you lose them.
Apple says that the functionality is designed for people who, often owing to their public visibility, suffer coordinated threats to their online accounts. We’re talking celebrities, journalists, government officials, and so on.
The extra layers of security take two-factor authentication to the next level, preventing threat actors from collecting a user’s second factor in a phishing campaign.
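How that phishing resistance is enforced on the service side, as an added example (not from Apple's documentation or the original article): a FIDO/WebAuthn sign-in carries the web origin the browser actually loaded and a hash of the site's ID, and the service rejects any mismatch. The host names, function names and sample data below are constructed for illustration, and verification of the key's signature over these fields is left out.

```python
import base64, hashlib, hmac, json

RP_ID = "login.example.com"                    # assumed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"  # assumed legitimate origin

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    expected_challenge: bytes) -> list:
    """Return the list of failed origin-binding checks (empty list = pass)."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        cd = None
    if not isinstance(cd, dict):
        return ["clientDataJSON is not a JSON object"]
    failures = []
    if cd.get("type") != "webauthn.get":
        failures.append("wrong ceremony type")
    sent = str(cd.get("challenge", "")).encode()
    if not hmac.compare_digest(sent, b64url(expected_challenge).encode()):
        failures.append("challenge mismatch")   # replayed or stale response
    if cd.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin mismatch")      # browser was on another site
    if len(authenticator_data) < 37:            # rpIdHash(32)+flags(1)+counter(4)
        return failures + ["authenticatorData too short"]
    rp_hash = hashlib.sha256(RP_ID.encode()).digest()
    if not hmac.compare_digest(authenticator_data[:32], rp_hash):
        failures.append("rpIdHash mismatch")    # key was scoped to another site
    if not authenticator_data[32] & 0x01:
        failures.append("user presence flag not set")
    return failures

def constructed_assertion(origin: str, rp_id: str, challenge: bytes):
    """Constructed sample of what a browser and key would report for a page."""
    client_data = json.dumps({"type": "webauthn.get", "origin": origin,
                              "challenge": b64url(challenge)}).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([0x01]) + (7).to_bytes(4, "big"))
    return client_data, auth_data

if __name__ == "__main__":
    challenge = b"\x01" * 32                    # constructed server challenge
    for origin, rp in [(EXPECTED_ORIGIN, RP_ID),
                       ("https://login-example.test", "login-example.test")]:
        cd, ad = constructed_assertion(origin, rp, challenge)
        print(origin, "->", check_assertion(cd, ad, challenge) or "accepted")
```

A response produced on a look-alike page fails both the origin and the site-ID hash checks, so relaying it to the real service does not produce a valid login.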
The Industry is Tightening Login Security Protocols
Today, a more stringent emphasis on authentication is seen across industries. For example, anyone logging into casinos on mobile devices or computers should know that the reputable ones implement Public Key Infrastructure (PKI) technology to authenticate users before allowing them access to certain areas of the website in question.
Hackers can get through basic two-factor authentication schemes like security codes sent via text message, and thousands of data breaches have shown the inadequacy of conventional passwords. In January, the Identity Theft Resource Center stated that the number of US residents impacted by data breaches in 2022 was 42% higher than in 2021.
Passkeys and hardware security keys provide security against even the most severe attacks, such as when hackers access a user’s LastPass password manager data.
Even though hardware security keys have been available for a while, the FIDO Alliance has been working toward ensuring they are compatible with each other and a wider range of services. Linkable with websites like Facebook or Twitter, they protect users from all kinds of threat actors. Also, they are the foundation of Google’s Advanced Protection Program for those requiring even higher security levels.
When setting up hardware security keys, it’s important to use appropriate keys, such as the YubiKey 5C NFC or FEITIAN ePass K9 NFC USB-A. A key that supports USB Type-C and NFC can share information with newer Mac and iOS devices. Apple requires a minimum of two keys, but having more on hand is always a good idea in case you lose one. Apple, Google, and Microsoft accounts, among others, can be authenticated with a single key.
Codes and Keys are More Secure Than Passwords
Passkey login, or passwordless login, is an alternative FIDO authentication system that Google, Microsoft, Apple, and their partners are actively trying to enable more widely. A passkey is a password replacement system that works without physical security keys.
Andrew Shikiar, Executive Director, FIDO Alliance, remarked that passkeys and security keys are complementary. He said either is a significant improvement compared to passwords alone or passwords with login codes delivered through text message or retrieved via an authenticator app.
Passkey biometrics and hardware security key possession are two examples of FIDO technology that facilitate on-premises authentication, making it more difficult for a remote attacker to infiltrate.
Passkeys and physical security can add an extra layer of protection when you really need it. This is not to say that multi-factor authentication (MFA) is useless. It is way better to secure online accounts with MFA than a simple password.