Apple now lets you protect your Apple ID and iCloud account with hardware security keys, a physical login technology that offers maximum protection from hackers, identity thieves and snoops.
Hardware security keys are small physical devices that communicate with USB or Lightning ports or with NFC wireless data connections when you’re logging on to a device or in to an account. You must have keys in your possession to use them, so they’re effective at thwarting hackers trying to reach your account remotely. And because they won’t work on fake login sites, they can thwart phishing attacks that try to fool you into typing your password onto a counterfeit website.
Support for the keys arrived Monday with iOS 16.3 and MacOS 13.2, and on Tuesday, Apple published details on how to use security keys with iPhones, iPads and Macs. The company requires you to set up at least two keys.
The move follows hardware security key support from other tech companies, like Google, Microsoft, Twitter and Facebook parent Meta.
Apple has been working to tighten security in recent months, stung by iPhone breaches involving NSO Group’s Pegasus spyware. Apple’s Advanced Data Protection option arrived in December, giving a stronger encryption option to data stored and synced with iCloud. And in September, Apple added an iPhone Lockdown Mode that includes new guardrails on how your phone works to thwart outside attacks.
A big caveat, though: Although hardware security keys and the Advanced Data Protection program lock down your account better, they also mean Apple can’t help you recover access.
“This feature is designed for users who, often due to their public profile, face concerted threats to their online accounts, such as celebrities, journalists, and members of government,” Apple said in a statement. “This takes our two-factor authentication even further, preventing even an advanced attacker from obtaining a user’s second factor in a phishing scam.”
Industry tightens login security
The technology is part of an industrywide tightening of authentication procedures. Thousands of data breaches have shown the weaknesses of traditional passwords, and hackers now can thwart common two-factor authentication technologies like security codes sent by text message. Hardware security keys and another approach called passkeys offer peace of mind even when it comes to serious attacks like hackers gaining access to LastPass customers’ password manager files.
Hardware security keys have been around for years, but the Fast Identity Online, or FIDO, group has helped standardize the technology and integrate its use with websites and apps. One big advantage on the web is they’re linked to specific websites, for example Facebook or Twitter, so they thwart phishing attacks that try to get you to log in to fake websites. They’re the foundation for Google’s Advanced Protection Program, too, for those who want maximum security.
You need to pick the right hardware security keys for your devices. To communicate with relatively new models of both Macs and iPhones, a key that supports USB-C and NFC is a good option. Apple requires you to have two keys, but it isn’t a bad idea to have more in case you lose them. A single key can be used to authenticate to many different devices and services, like your Apple, Google and Microsoft accounts.
Yubico, the top maker of hardware security keys, announced on Tuesday two new FIDO-certified YubiKey models in its Security Key Series suited for consumers. They both support NFC, but the $29 model has a USB-C connector and the $25 model has an older style USB-A connector.
Google, Microsoft, Apple and other allies are also working to support a different FIDO authentication technology called passkeys. Passkeys are designed to replace passwords altogether, and they don’t require hardware security keys.