How and why to use FIDO Security Keys for Apple ID

In a world that needs Apple’s recently-improved Lockdown Mode to protect good people against bad ones, high-risk individuals should consider using physical security keys to protect their Apple ID.

What are Security Keys and what do they do?

Security keys are small devices that look a little like thumb drives. Apple at WWDC 2020 confirmed plans to support FIDO authentication beginning with iOS 14 and macOS 11; now, with the release of iOS 16.3, iPadOS 16.3, and macOS Ventura 13.2, Apple lets you use them to verify your Apple ID, replacing a passcode. They become one of the two forms of identification you require with two-factor authentication (2FA).

2FA systems generally depend on two out of three factors: something you know (password), something you have (a key), and something you are (your biometric ID). The idea is that even if someone has your Apple ID and password, they would still be unable to access your account unless they also have your physical key. The key replaces the six-digit verification code you’re used to using. It means that when you attempt to login to your device you must also use the key.

No key? No access.

In theory, your information becomes far more secure. To sign in with your Apple ID on a new device or on the web, you will need both your Apple ID password and security key. (You can also use your key to access multiple devices and platforms, not just Apple’s.)

Once it’s set up, you’ll need your key whenever you add a new device to your account, login using Apple ID, reset and/or unlock your Apple ID, or add or remove a security key from your account.

What are the limitations?

There are some technical challenges: All the devices you intend to use with your Apple ID must be compatible with security keys, for example. That means they must run iOS 16.3, iPadOS 16.3, or macOS Ventura 13.2 or later. If you have older devices, you will be signed out of those and unable to sign back in until you update those operating systems.

There is also the risk that if you lose your keys, you will lose access to your account. That is why Apple’s system insists you add and maintain at least two security keys and lets you configure up to six in total. The idea is that you’ll travel with one key while leaving others safely stashed elsewhere.

Of course, the benefits are good. Most online attacks aim at millions of potential targets and only the most determined criminals will want to go to the trouble of getting hold of your hardware key. However, if you are a high-value target, you should assume that it is possible one of your keys could be compromised (and you should continue to use really strong passcodes).

Finally, child accounts and Managed Apple IDs are not supported. Nor can you sign into iCloud for Windows.

For enterprise users the costs and limitations of these systems must be balanced against the potential impact of security being compromised.

What is a FIDO Certified key and what does it do?

FIDO is a widely supported standard developed by the FIDO Alliance. The security key contains a chip that can generate a new set of encryption keys for your Apple ID and/or for sites to which you enroll the key. Because it is hardware, the keys can’t be spoofed or duplicated, so if you don’t have the key, you won’t get the access.

The keys rely on public key cryptography. When a new key is required, a public and private key is created. The private key never leaves your device, but the public key can be shared. That public key lets systems you use encrypt anything they want to share with you; it  can then only be accessed with the private key, which is kept on your hardware key.

Which keys should I use?

Many companies now make these keys. Yubico pioneered the tech and has a huge variety of keys available and an extensive list of different compatible keys is available at the FIDO Alliance website.

Apple requires you have at least two hardware keys, but they don’t need to be made by the same manufacturer. Apple suggests the YubiKey 5C NFC, YubiKey 5Ci, and Feitan ePass K9 NFC USB-A

Expect to pay up to $60 for each key — just make sure to choose one with a connector that works with your Apple devices. Keys that support both NFC and USB-C are the best choice for most of us.

What you need to set up a FIDO key

• Apple devices running iOS 16.3, iPadOS 16.3, or macOS Ventura 13.2 or later.
• At least two (up to six) FIDO Certified security keys that are compatible with your devices. These can connect wirelessly using NFC, or physically using Lightning or USB.
• 2FA setup for your Apple ID.
• A current web browser.
• Apple warns that once you set up security keys, you’ll need a compatible iPhone or iPad in order to sign into Apple Watch, Apple TV, or HomePod in future.

How to set up a FIDO Key

During setup, you will be automatically signed out of any devices associated with your Apple ID that haven’t been used/unlocked in the last three months (90 days). You’ll need those devices to be running compatible OS versions and your hardware key to get back into them again. You can use a Mac, iPad, or iPhone to set your keys up.

• Find and open the Password & Security section under your name in Settings/System Settings.
• Look for the Security Keys section, where you tap Set up (iOS) or Add (Mac).
• You’ll be guided through the process.
• Once it is complete, you’ll be asked to review all the devices associated with your Apple ID and decide if you want to stay signed into all of them.

How to stop using the key

To stop using the keys open Password & Security again and tap Remove All Security Keys. Once you do so, your Apple ID will revert to six-digit verification.

Please follow me on Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.