I'm glad to see that they not only support, but require the use of multiple keys.
> iOS 16.3, iPadOS 16.3, or macOS Ventura 13.3, or later on all of the devices where you're signed in with your Apple ID.
and
> During setup, you're signed out of inactive devices, which are devices associated with your Apple ID that you haven't used or unlocked in more than 90 days. To sign back into these devices, update to compatible software and use a security key. If your device can't be updated to compatible software, you won't be able to sign back in.
I'm not ready to set this up, since I still use a few Big Sur and Monterey machines.
> I'm not ready to set this up, since I still use a few Big Sur and Monterey machines.
Yeah, being unable to use iCloud on Windows is a big showstopper for me right now. I appreciate what Apple software we get on Windows and I've heard the Windows 11-only previews of updated Apple software are getting pretty good now. (I don't have Windows 11 so can't try them for myself.) But I'm very aware they are always going to lag a bit compared to their i-device and macOS versions. Including apparently on security support.
> I'm glad to see that they not only support, but require the use of multiple keys.
Yes, and also that they support up to 6 of them. That's a very solid number enabling a lot of decent (if basic) backup practices. A number of keys for regular use, a few put in a safe deposit box or safe or the like. Or if (as I'd assume) keys can be reused between accounts, then a family could each have a key, with all keys registered to all accounts, and then 1 or 2 in a safe spot as backup. Everyone still is protected by their password, but if they lose keys/devices then any other family member could be their live backup (and having the majority of keys constantly under control and in active use is good in terms of immediately noticing if one is lost or breaks and so on).
While I know it's definitely not Apple to add extra complexity, if anything it'd be cool if they leveraged this a bit farther even. Would be neat for example to support m of n restore, where if key/password are lost (somebody dies in an accident for example) then any 4 of 6 (or 3 of 6 or whatever) remaining keys can be used to get access. That would be a useful hedge, while not needing to offer unlimited trust to any single person (there could also be a few other safety measures like it taking a week and sending the account owner alerts in the meantime).
> During setup, you're signed out of inactive devices, which are devices associated with your Apple ID that you haven't used or unlocked in more than 90 days. To sign back into these devices, update to compatible software and use a security key. If your device can't be updated to compatible software, you won't be able to sign back in.
My only real disappointment with this is that Apple didn't implement some sort of "Purchases Only"/"iCloud Lite" functionality for old devices. I've still got an iPhone 6 and a few others because a lot of cool apps (both productivity and games) I love were dropped by iOS quite a long time ago. The devices are dedicated app runners, no communications, no syncing needed, but not having them attached to the same Apple ID means the old purchases would all be gone which kinda negates the point. And you can't transfer purchases between IDs, nor purchase now-gone apps, so there isn't any way to just set up a new one, not even for money. Maybe it's possible to remove them from the iCloud side while they have WiFi disabled and then keep them offline forever? Still, kinda shitty :(. Though perhaps that's more a symptom of continued from-the-start weaknesses in the Apple ID system. Not being able to move and consolidate purchases has been a huge damn stupid thorn in people's sides almost since it became possible to start purchasing stuff with them.
I found somewhat of a solution to the latter problem. If you have an Apple One Family Plan, and an empty slot, you can just create a legacy user with a new Apple ID and add it as a family member. This account will inherit all the purchases and subscriptions, but it can have a different security policy.
Can you not just sign into the iTunes Store without signing into iCloud? They’ve always supported that for legacy users that shared a single Apple ID for all their purchases with their family.
Nope. With E2EE, and I believe with Security Keys, you must be running a supported OS on supported hardware or you can’t sign in with your Apple ID for anything.
Am I the only one who feels lost in all those new security technologies and their various permutations, specifically understanding what's secure, how to back it up etc?
We have TOTP, 2nd factor, password managers, security keys, hardware security keys, passkeys, Windows Hello, etc.
Usernames and passwords are easy, if insecure. Type username, type password, done. Get admin to reset password if you forget. Put in password manager if one account is used by a team.
Security keys are hard. Needing a physical key around every time you have to log into something is annoying. Backups are hard, because off-site backups can't be done over the Internet. Self-service hardware tokens for services with infamously bad customer service is highly risky. Resetting an account if a key is lost or locked requires physically transferring hardware, which can be hard if someone is traveling, or can cause days of downtime. Team access is basically impossible if an account is secured with a physical key.
Authenticators are fine, except if you lose a couple of smartphones too close together, or you need a team to access one account. Password managers that let you securely store the QR code, or actually generate the key put the MFA in the same place as the rest of the credentials, which is not ideal but increasingly necessary for the same reason password managers came into existence in the first place.
Windows Hello and FaceID are actually pretty good, although fingerprint-based biometrics can be a little hit and miss. Not that a decent proportion of Windows users have Hello-compatible hardware. Interestingly, two TV shows in just the last few months (The Peripheral and, believe it or not, Mayfair Witches) have had a moment where a phone belonging to a dead or unconscious person was unlocked by showing it their face, so the shortcomings are entering public knowledge.
We can "all" agree that passwords are "bad", but we cannot agree on what to replace them with, mostly because the level of computer literacy for most solutions is much higher than just typing in a username and password. I can bang out the stuff above because, as an IT professional, I've experimented with KeePass, Windows Hello and Yubikeys in the last six months, buying my own hardware, to try to find some level of opsec that could be used by our customers. All I've done is highlight the lack of commitment to IT in general and training of all kinds in basically all of our customers.
FIDO passkeys are supposed to deal with the friction and provisioning issues you highlight with current FIDO keys in consumer applications. In enterprise, the status quo is a little more acceptable because generally you have one or a pair of physical keys provisioned to your profile in an IdP that you use across all your apps, and you have a known support structure if your key and backup get lost or fail.
In the consumer realm one has to deal with a gajillion different identity authorities so replacing keys or doing recovery because you lost one is a giant pain in the ass. Supposedly passkeys is targeted at that problem.
> Authenticators are fine, except if you lose a couple of smartphones too close together, or you need a team to access one account.
When you enable TOTP with a service, you can extract the TOTP secret and do all of the above with it -- backup to storage, copy to new devices, distribute to multiple people, etc.
If the service offers something other than a QR code that you did something with other than just adding into a one-way Authenticator, sure.
I have a couple of TOTPs trapped on crappy apps because I didn't care at the time and can't easily refresh them. However, now I use apps that parse the QR code and store the config in an exportable way.
As we change every damn password in our company LP account, moving it to Bitwarden at the same time, we will implement TOTP MFA wherever we can. If you screenshot the QR code and load it into the account with the app, all the team with access can use it. It's our next best step. (Once the boss gets the new account sorted.)
With all the confusion though, at least we're fortunate there aren't too many long lived "fake" secure systems out there. The IT community seems to love to expose flaws and scams very publicly, very fast. All in all I think we've made good progress in the last decade. Things can always be easier, but to some point it does become the burden of the user to understand security.
> Interestingly, two TV shows in just the last few months (The Peripheral and, believe it or not, Mayfair Witches) have had a moment where a phone belonging to a dead or unconscious person was unlocked by showing it their face, so the shortcomings are entering public knowledge.
You cannot do that with a FaceID device, unless the security has been downgraded. It will check for eye activity.
Wrong. There is a setting called "Require Attention for FaceID" that is on by default. If the user is wearing sunglasses, sometimes FaceID fails and so that might be a reason why you would turn this off. It works fine with clear glasses.
Yes, handling security keys (custody) is difficult. I think the custody layer is incomplete and we also need more MPC (multi-party computation) features. For example distributing keys along multiple devices and requiring a subset of them to rebuild it. The problem with the security approaches presented by Apple, Google, et al is that you end up with a single or two dimensions of failure: it is easy to forget the key at the end of the chain (e.g. when you travel).
Let me try and explain some of the terminology (I'm not an expert either so I appreciate corrections from anyone reading).
A password manager just helps you store your passwords, and automatically inputs passwords for you. This makes it easier to use a variety of strong passwords. Also the password manager can check for a domain name match before doing its automatic input, which helps provide phishing resistance.
"2nd factor" or "multifactor" essentially just means adding on something in addition to passwords. That could be in the form of:
* TOTP = "time-based one time password". Use an authenticator app on your phone to input a 6-digit code which changes every 30 seconds or so.
* "security keys" / "hardware security keys" -- a dedicated device that allows you to authenticate, e.g. via USB or NFC. Generally considered more secure than TOTP, because the code is more than 6 digits worth of entropy, and also it forces the website requesting the code to authenticate itself before it provides the code (again, helps with phishing resistance).
I don't know anything about passkeys or Windows Hello.
As for backup, you should be able to transfer all of your TOTPs from one phone to another by scanning a QR code. For hardware security keys, you can buy multiple keys, register all of them, and keep them in different places. Then if you lose one you just use one of the others (and register a replacement to maintain redundancy).
For the TOTP, if you're worried about losing your phone, usually when you set up a TOTP you can also copy down some single-use "scratch codes" that can work as a backup if your phone breaks or something like that.
> For hardware security keys, you can buy multiple keys, register all of them, and keep them in different places. Then if you lose one you just use one of the others (and register a replacement to maintain redundancy).
Do I need to have all keys in my physical possession to register them with a new account?
I could imagine having some backup keys in different places, but if I need to collect them every time I want to register them for some new account or service, it sounds like a lot of trouble.
(And if the process is too much trouble, the result would be that: (1) I don't use the hardware keys for those accounts, which is less secure; (2) I only register my primary key that I keep nearby, which is dangerous if it would get lost or broken; or (3) my backup keys end up at the same place as the primary one, due to forgetting or being too lazy to put them back, which is also dangerous…)
I made the effort to look into security solutions for my important accounts (password only is not that!) and chose a security key solution but the various providers have very uneven support for that - for example Apple was one notable case. Several force you to use a phone number based solution (including banks) if you opt for secure ways but that is inadequate and risky in a whole different way for my case. Unacceptable.
It is the strong password case all over again: I took the effort to build up a layered approach setting up memorable but strong password categories for the different categories of accounts I have just to be rejected by the odd ones: you are not allowed to use that character! And sometimes: your password must be shorter! Forcing me to their ways, hugely reducing security. Not enough choice.
My family is adept at forgetting passwords and losing physical devices. Keeping track of air pods is a complete nightmare. I can't even imagine adding extra physical devices where I'd have to manage the backups and constantly purchase new ones. Having gone through the hell of dealing with recovering iCloud accounts while not having a bunch of spare Apple devices laying around, I refuse to go beyond SMS for 2FA. Yes, it's certainly less secure, but it's something I can manage and control outside of the Apple ecosystem.
It may help to understand who this feature is for:
This feature is designed for users who, often due to their public profile, face concerted threats to their online accounts, such as celebrities, journalists, and members of government [1].
No, and I think that TOTP is sufficient for 99% of cases, but hey that hardware key really makes the difference between a geek and someone else :) plus, there seems to be a recession going on, get out and throw another 2*40 $ to yubico now! :)
I'm not, but I do crypto (as in PKI, smartcards) stuff, so let me try to explain some of the thinking behind hardware keys.
The idea of a second factor is that "something you have" is hard for an attacker to also have, however, proof of having something usually means "proof that you know some secret" and that secret itself can often be copied.
The lazy "proof you have" something is SMS auth, i.e. proof you control a phone number. However this isn't great, since in some jurisdictions ringing your mobile provider is enough to get control over that number.
TOTP then says: let's assume you have some secret seed and I also know it. If I take a hash of it (HOTP) and include some time information I have a code valid for a small window that is hard to steal. The benefit is that everywhere this secret exists you can have an authenticator. The downside is that this is rarely a separate device to your computer. You also are going to enter your code into a website... and that might not be the right website, allowing capture of the code via phishing.
The standard for legal, qualified digital signatures in the EU is to have non-extractable keys generated on hardware devices and never backed up. Why? Well, if you lose the hardware token (or it is damaged) you don't lose access to encrypted data, just the ability to sign documents. At this point you have an annoying dance to do to be issued a new token, but allowing backup of the signing key means signatures may be repudiated (because someone else could have stolen the backup).
The same goal applies to U2F / FIDO certified security keys. U2F generates a unique key-pair per authentication target and that private key never leaves the authenticator. This gives you two things: 1) a binding between your target service and your device. Phishing becomes a lot more difficult unless you can present the right challenge-response to the authenticator, and 2) an authenticator you physically need to have present, but don't need a pin or awkward copy-paste of a code to use. You aren't using this key for encryption, but for authentication, so, the backup strategy is: have multiple keys. If you lose one, you can delete that entry from respective accounts.
Password managers exist because some websites are password-only and even if not, you can't always trust they employed argon2id as a password hash. It also saves you having to remember multiple passwords. Your password database is something you will need to keep backed up.
Personally I keep printed recovery codes of really important accounts, spare registered security keys, and a disk with my password database on in a safe place.
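The comment above explains the two designs in words: TOTP derives a short code from a shared seed and the current time, so the seed can live in many places (which is also why, as noted earlier in the thread, an extracted seed can be copied to a second device), but a code typed into the wrong website is as good as one typed into the right one; a U2F/FIDO key instead keeps a per-site key on the device and signs over the origin it is talking to. The following is an added example, not code from the thread or from any vendor mentioned, that implements RFC 4226/6238 TOTP with the standard library and then models the U2F property in a toy. The toy's assumptions: a per-origin key is derived from a master secret with HMAC, and an HMAC stands in for the ECDSA signature a real authenticator produces; the class names, the user name and the origins are constructed.

```python
"""Added example: TOTP (shared secret + time) next to a toy origin-bound
authenticator. Only the standard library is used. HMAC replaces ECDSA in
the U2F model (assumption); a real key returns a public key at registration
and signs the hash of client data that includes the origin."""
import hashlib
import hmac
import secrets
import struct

# ---------- TOTP: anyone holding the seed can compute the code ----------
def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the time divided into 30-second steps."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check with a +/-1 step window for clock skew."""
    return any(hmac.compare_digest(totp(seed, unix_time + d * 30), code)
               for d in range(-window, window + 1))


def totp_relay_accepted(seed: bytes, unix_time: int) -> bool:
    """The phishing weakness: the victim reads a code from the app and types
    it into a look-alike page; forwarded to the real site a few seconds later
    it still verifies, because nothing in the code says where it was typed."""
    typed_into_fake_page = totp(seed, unix_time)
    return verify_totp(seed, typed_into_fake_page, unix_time + 5)


# ---------- U2F-style key: per-origin key, origin inside the signed data ----------
class Authenticator:
    """Toy security key. The master secret never leaves the object; every
    origin gets its own derived key (assumption: real keys generate or wrap a
    fresh key pair per registration instead)."""

    def __init__(self) -> None:
        self._master = secrets.token_bytes(32)

    def _origin_key(self, origin: str) -> bytes:
        return hmac.new(self._master, origin.encode(), hashlib.sha256).digest()

    def register(self, origin: str) -> bytes:
        # Real U2F returns a public key here; the toy hands the RP the MAC key.
        return self._origin_key(origin)

    def sign(self, browser_origin: str, challenge: bytes) -> bytes:
        # The browser, not the user, supplies the origin, and it is bound in.
        data = browser_origin.encode() + b"|" + challenge
        return hmac.new(self._origin_key(browser_origin), data, hashlib.sha256).digest()


class RelyingParty:
    """The real website: remembers each user's registered key for its own origin."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.enrolled: dict[str, bytes] = {}

    def enroll(self, user: str, key: Authenticator) -> None:
        self.enrolled[user] = key.register(self.origin)

    def challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify(self, user: str, challenge: bytes, assertion: bytes) -> bool:
        data = self.origin.encode() + b"|" + challenge
        expected = hmac.new(self.enrolled[user], data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)


def u2f_login(rp: RelyingParty, key: Authenticator, user: str, browser_origin: str) -> bool:
    """A phisher can relay the real site's challenge to a page at another
    origin, but the key signs over that other origin, so the real site rejects it."""
    c = rp.challenge()
    return rp.verify(user, c, key.sign(browser_origin, c))


if __name__ == "__main__":
    seed = b"12345678901234567890"            # RFC 6238 test seed
    print("TOTP at T=59:", totp(seed, 59, digits=8))
    print("relayed TOTP accepted:", totp_relay_accepted(seed, 1000))
    key, rp = Authenticator(), RelyingParty("https://accounts.example")
    rp.enroll("alice", key)
    print("legit login:", u2f_login(rp, key, "alice", "https://accounts.example"))
    print("phished login:", u2f_login(rp, key, "alice", "https://accounts.example.evil.test"))
```

The same seed produces the same TOTP on every device it is copied to, which is both the backup story and the phishing story; the toy key shows why the backup story for FIDO keys is "register a second key" rather than "copy the first".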
I'm hesitant to rely on security keys after two of my Yubikey 5cs broke in the same month after ~3 years of ownership. Do we understand the lifetimes and stability of these devices?
I think hardware security makes a ton of sense for an enterprise environment, where you can go to IT and prove your identity to regain access. But, for something like Apple or Google - I'm sure the recovery process is not as easy.
For hardware crypto wallets, people go to extremes - safety deposit boxes, fire-proof recovery phrases, etc. But, for me - losing access to my core online accounts would be more destabilizing than losing money on a hardware wallet. Yet, we don't have the ultra-reliable backup methods in place for web auth like we do for crypto wallets.
The security key here isn’t used for every login. So if you were to lose both it’s not like your account is completely disabled and all data lost. I think you can even still use your Recovery Code.
The Security Key here primarily replaces the 2FA authentication method for adding new devices to your account.
From Apple’s own documentation:
When you use Security Keys for Apple ID, you need a trusted device or a security key to:
- Sign in with your Apple ID on a new device or on the web
- Reset your Apple ID password or unlock your Apple ID
- Add additional security keys or remove a security key
I believe if you lose both you can still add another as long as you have access to a device that’s still logged in.
The biggest hole in Apple’s security model, and one which has been documented to have been exploited many times, is people using phishing tactics to get the 6-digit 2FA code to gain iCloud access, adding a new device, then downloading the unencrypted backup of the victim's primary device from iCloud. Security Keys and E2EE now make this impossible.
> A modern web browser. If you can't use your security key to sign in on the web, update your browser to the latest version or try another browser.
It doesn't seem like Firefox 108 supports this. Does anyone know if Firefox beta or nightly work to sign into iCloud with hardware security keys for 2FA?
---
Just confirmed that Firefox beta (109) doesn't support iCloud's sign in, either.
Firefox team simply has been refusing to implement the Webauthn spec for years now. It's extremely frustrating and is probably still years away as nobody seems to be actively working on it in any capacity.
That's odd, because I can sign into (on-prem) Confluence with my Yubikey (5 NFC) as the MFA via Firefox. I get a little Windows "tap your key" prompt and everything.
Firefox supports U2F. Webauthn is backwards-compatible with U2F. However as a website you can choose whether you want to actually support U2F or only FIDO2. Maybe Apple opted to not do it.
However when I look at the JS code in appleid.apple.com there does seem to be U2F code, surprisingly.
I have tried adding my keys and macOS refused because my Mac had been activated on December 3rd last year, so for security reasons I can add keys only after March 3rd this year.
> Because this is a new device on your account, you cannot use it to add security keys until 03/04/2023. This waiting period helps protect your account.
This is awesome news! My YubiKey keeps becoming more and more useful over time, it's excellent. Yubi Authenticator giving me TOTP has been lovely (I have two keys that I always add the codes to each, one kept safe the other used regularly), and now more and more support for FIDO/U2F etc. across all my important accounts. Apple ID was one of the last hold outs, this is so good
So I’ve been thinking about this for a good long while now and I’m not really sure whether this increases the security of your account or not.
On one hand, you can’t accidentally or absent-mindedly approve a request from someone else on your phone with a YubiKey. On the other hand, with device 2FA you generally need to be present (Face or Touch).
If someone were to steal your yubikey then they’d be able to perform a step that previously you’d have needed to be there for.
I’m guessing MFA (password + presence + YubiKey) is too much of a catastrophic lockout risk to be supported.
> If someone were to steal your yubikey then they’d be able to perform a step that previously you’d have needed to be there for.
Several security keys are protected themselves with an additional factor. There are, for example, Yubikeys which are unlocked by your fingerprint: this now requires the thief to not only steal your Yubikey but also have the skills required to reproduce your fingerprint.
There are also several U2F devices protected by a PIN. The "Only key" uses one PIN to register a service (which you do once per service) and another PIN to authenticate to the service (so you cannot easily be tricked into registering instead of authenticating). The Ledger Nano U2F app is also protected by a PIN and has its own little screen so it displays the name (or the identifier) of the service you're either registering or authenticating to (and tells you if you're actually going to register or authenticate), is protected by an HSM and factory resets itself after three wrong PINs.
I'm using the latter to SSH now (requires a moderately recent version of OpenSSH: latest Debian stable is sufficient for example).
If your Yubikey is configured to use a PIN, you have to unlock it to use it for this service. You can use a number of tools such as this one to set a PIN:
All FIDO keys support a PIN. It’s off by default when using them as 2FA because you already insert a password, but you can turn it on. It’s also required for passkeys or generally when using security keys as single factor.
I wish people would understand that biometrics are great for identification, but not for authentication.
In the case of fingerprints, you leave them on pretty much everything you touch, meaning obtaining a copy of your fingerprint in most cases is just a question of stealing the glass you were drinking from at the bar.
It's the equivalent of leaving little notes with your password everywhere you go.
Curious, I am somewhat paranoid about leaving my keys or wallet in my jacket at a gym but if I had a security key, I'd be pretty terrified. Does having a key mean you still need a password since it's 2 factor? If you lose a key, do you need a backup master password like using auth apps?
> If you lose a key, do you need a backup master password like using auth apps?
Yes. If you only have one key enrolled and no other recovery mechanism, you're now locked out forever. That's why Apple are pushing you to have two keys as a minimum.
I'm a bit confused by one thing, or why they don't mention it. Isn't TouchID on Macbooks already equivalent in security to a Yubikey? But this is another layer on top of that? (I guess you don't have a backup / alternate method for your MacBook touchID though, and that specific key isn't usable for other iOS devices)
I've never used TouchID, but I don't get how this could be true. You carry a Yubikey around on your key chain, so it's always in your pocket. Presumably you are not in the same room as your laptop 100% of the time.
Some of it is also hardware: there's a trust module (Apple's preferred term is Secure Enclave hardware). That bit of hardware is directly comparable to a security key like a YubiKey: it stores secrets and keys in a way designed to make them hard to physically exfiltrate.
Having something like Touch ID on a device is often an indicator that the device has a trust module (or Secure Enclave), though that isn't a guarantee. The Touch ID itself isn't generally considered a part of the trust module, but instead is often used as an ID to unlock keys in the trust module that have been locked to that biometric data.
(Same generally applies to Face ID.)
The biggest distinction between the trust module (Secure Enclave) in a modern device and a physical hardware security key is proximity. Obviously, a trust module is "right next door" inside the device itself. This has benefits (only need to carry one device) and detriments: lose the device and lose all the keys/secrets inside the trust module (protection from exfiltration includes protection from 'backups'); it's more complicated to use one device with the locked keys on another device (this is shifting somewhat today with new Bluetooth LTE-based personal area network "Passkey" standards) versus standalone hardware security keys are designed to communicate with multiple devices (often anything that supports some combination of USB or NFC); the threat models for accessing keys from a trust module if you have access to a device are different from the threat models for accessing keys from a hardware security key if you have access to only a device or only the key or sometimes even both.
There's definitely cross-over between the hardware trust module on a modern device and hardware security key, but one is a dedicated device for it and the other is part of a larger device and has different threat models.
I find the phrase "Lightning connectors work with most iPhone models." really strange as the latest incompatible iPhone would be the iPhone 5, is this them foreshadowing a USB-C iPhone?
Pedantically, no they didn't. They said they'd comply with the law, and another way to do that would be to remove the charging port entirely. (To be clear, I do think they'll add USB-C. I am just frustrated by the press's ongoing willingness to take an ambiguous statement and turn it into an absolute certain outcome in a headline.)
If his response is "..obviously we will have to..." then I don't think it's unreasonable for the headline.
If he was asked "Is Apple going to comply with EU Law" and his response was the same then I think it leaves room for interpretation, but we're humans, not computers. He was asked a question and he provided an answer to that question and the headline reflects what a reasonable person would infer. If that's not the case then I think that speaks more to his trustworthiness than that of the articles writer.
Been waiting for this. Will be setting it up on App Store accounts soon.
The only potential problem for turning this on for my personal account is that you can't sign into iCloud using Windows, which isn't a problem in itself (I have no need to sync my photos to my gaming tower), but if it means I also can't sign into my Apple account that would be more troublesome since I like to use Apple Music from my Windows boxes occasionally.
That iCloud for Windows bit is troubling, right now it’s just photo syncing but I’m not sure if it also affects iTunes, or the upcoming Apple TV+ and Music apps. (They all use the same iTunes auth library underneath)
There's more than just photo syncing in iCloud for Windows. It's an iDevice backup sync. It can be used to sync files with any app that supports the Files app (and even some that don't but supported certain older app-specific file folders). It does some Apple Keychain syncing with Edge. It does some Contacts sync and backup. It can do some account recovery help if you don't have handy access to another iOS or macOS device but have been signed into iCloud for Windows for long enough.
> That's exclusively iTunes (or soon the Apple Devices Windows 11 app), if I remember correctly.
To my understanding: wired backups are still done in iTunes (or the new Apple Devices app), but if you want an on-premises copy of a wireless iCloud backup you'd copy it from iCloud for Windows. Though glancing at it now I don't see that option/how to do it so either my understanding is wrong or I briefly glimpsed an A/B test at some point or I'm confusing something I saw on a different device than Windows.
This is mostly good news, but would best be coupled with a promise to add security key support to iCloud for Windows. Over the long term, iCloud users shouldn't have to choose between good security, on the one hand, and keeping the cross-platform support they may already rely on and which may even justify their choice to buy a paid iCloud subscription, on the other.
Agreed. I've moved to iOS devices for my phone and tablet but am still on Windows for the foreseeable future. I might make the move to Mac with my next laptop refresh but I expect that to be at least 2 years away. I'm an iCloud subscriber but can't utilize this upgrade until then.
I wish this would work for password prompts for macOS on machines that aren’t able to use a fingerprint sensor, like my 2020 Intel iMac. I know I should upgrade that to a new M2 Max or something (I have two M1 Max notebooks), but the GPU and 128GB of RAM I have on the iMac, not to mention the fact that it runs Docker and VMs better, really keeps me from phasing it out. But although the Apple Watch is a decent compromise, I really wish I could use my YubiKey for admin passwords or for login stuff.
One advantage is that a PIV PIN can be much shorter than a password and still be secure (because the smart card/Yubikey enforces attempt limiting in secure hardware).
If cost is a concern, you're buying the wrong keys. You can get FIDO-certified CTAP2 tokens for much less these days (even Yubico's is only about €25 apiece).
My wife’s devices would all burn as well. So now I have to ask a friend, which just feels weird. And hopefully they stick to Apple devices (my son switches back and forth).
I have an extra YubiKey and a printout of my 1Password stuff and my Apple FileVault key printed out and in a safe deposit box. I’m not paranoid about a lot of stuff, but in the event there is a catastrophic incident and all of my devices are impacted (I personally have 4 Macs, 3 iPads, two iPhones and multiple Apple Watches), the important stuff is available if my emergency contacts aren’t.
Yeah, I know that’s a downside. I try to check every 5 years or so. But there is nothing that is going to be truly fool proof, so I figure my best option is to have as many safety levers as possible and do what I can to never lose my phone.
It's more than just that. I'm not going to have a separate backup key for each online service - I'm going to have one main key and one main backup. That means the backup needs to be accessible so every time I add the main key to a login, I can add the backup too.
This rules out keeping the backup in an actually safe place, like a lockbox at a friend's, at the bank, etc. and means the safest option you have is a "fireproof" safe in the same home.
I understand the logic of requiring two keys, but why can't I have password + (security key OR single use code). This is what most services support - for something like GitHub I have an authenticator app on my phone or my YubiKey as the second factor, and can use either. That actually provides more redundancy against lost keys/devices than I have now, since if I lose all my Apple devices I'm locked out.
> but why can't I have password + (security key OR single use code)
That’s actually pretty close to what they support, except that the OTPs are only sent to your trusted Apple devices (you can’t use an arbitrary TOTP app).
> since if I lose all my Apple devices I'm locked out
They also support a 28 digit recovery key you can print out and a method for trusted contacts to help recover your account.
As others have said, Apple devices can now be passkeys, which is just a new term for WebAuthn + FIDO support. The linked article is about logging into your Apple ID, so you of course want another key for logging into that. But for other sites that support FIDO2+WebAuthn, I believe an Apple device can already function as a security key.
Or would be, if Apple devices did not routinely prompt you for your password. I find this incredibly annoying since my Apple ID uses one of those long, irregular passwords automatically generated by password managers and in the context where Apple wants your password there's no way to cut and paste it. I can use my phone with touch ID to authorize a $20k purchase but if I want to install a free app from the App Store I need my stupid password. I wonder why they do this.
I haven't had to enter my Apple ID password to install an app since I set up my phone. Just Face ID verification. Maybe you have this setting toggled? https://support.apple.com/en-us/HT204030
Or maybe Apple is just deciding to require it from you for mysterious reasons. Your IP could have a bad reputation and they're not sure if it's you. Though I think sometimes they require the password just to keep you from forgetting it.
If they insist on this, I think it would be nice if they rigged their backend to allow me to enter the password from any of my devices. They already allow this from the Apple TV+ app on smart TVs, so the technical precedent exists within Apple.
At this time, the market is too small, and Apple can't possibly make their desired margins on them and compete with the others on the market. It's just not worth it.
> At this time, the market is too small, and Apple can't possibly make their desired margins on them and compete with the others on the market.
Disagree.
There are over 2 billion Apple devices deployed and tens of millions more get sold each quarter, so market size isn't an issue.
There's no reason to believe Apple wouldn't be able to get their average margin of around 35% on a security device if they wanted to.
And what competition? The Apple branded security key would be the only one available via the online store that can be bundled with any Mac, iPad or iPhone purchase. And certainly the only one designed specifically for the Apple ecosystem.
It's just a matter of whether or not Apple can add features above and beyond what's typically available.
An easy one would be Find My integration like the AirPods Pro 2 case or the AirTag. Using Find My, the owner could periodically check (or Apple could automate it) that the security key is where it's supposed to be, like a relative's house or bank deposit box.
Adding a U1 chip would allow the security key to be found if it were misplaced in a user's home… or in the event of a natural disaster like an earthquake.
And of course they could add TouchID to it, acting as a second factor so only the intended user could use it.
I'm sure I'm just scratching the surface of all the features Apple is uniquely positioned to add to a security key.
And most Apple products are made by a Taiwanese company manufacturing in mainland China based on Apple's instructions with Apple branding slapped on them (of course).
The difference is just the 'Designed in California' part, which in the case of a security key should be negligible in terms of cost outlay.
Will be interesting to see. I’m not sure they want to encourage people not already familiar with Yubikeys to use them. Impulse “hey this is cool” purchases might be a huge PITA.
That is why they require two keys. What you’re describing is indeed true, if one key gets lost or breaks and you don’t have a backup, you’re effectively locked out. That’s a feature, not a bug.
> You can register up to eight MFA devices, in any combination of the currently supported MFA types, with your root users and IAM users.
>
> To register an MFA device
>
> Sign in to the AWS Management Console and do the following:
>
> For a root user, choose My Security Credentials.
>
> For an IAM user, choose Security credentials.
>
> For Multi-factor authentication (MFA), choose Assign MFA device.
>
> Select the type of MFA device that you want to use and then choose Next.

I read the article my man. You’re still restricted to one MFA via the console on the root user. I don’t care what the page says, the instructions aren’t valid.
> Hey Andrew, a small number of AWS accounts require additional configuration changes on our end before customers can take advantage of the new feature. We are currently working on making the required configuration changes and we will notify you when your account configuration is updated. For additional support, please submit a support request or reach out to your designated technical account manager.
> I do however have an unused Ledger X laying around. Does anyone knows if the Ledger X could act as a security key? Thanks in advance.
I don't have an X but I've got an S which I only use for U2F (well, webauthn now really). Chrome deprecated and now removed U2F support so moving forward it's webauthn but U2F devices are compatible with webauthn.
So yes it works. I use it to log on to several services and I use it to log on using SSH.
Anyway here's a video showing how it works on a X:
Didn't work for me with the Ledger Nano X. Screen prompts for confirmation to register the key for a fraction of a second (on the Nano X), then goes back to the main screen, then back to confirmation (in a loop). I tried to confirm the "registration" screen during the brief time where it showed but wasn't successful.
Does anyone know if this works with Yubikey 4? I have a lightning to USB adapter but I can't seem to get it to work with these keys. It worked fine with a USB-C + NFC Yubikey Security key and a Google Titan key, but not Yubikey 4.
The Yubikey 4 might not be FIDO certified? Apparently Apple accepts only certified authenticators, i.e. they presumably check the attestation certificate against an allowlist that the Yubikey 4 might not be on.
Maybe they also require CTAP2 (as opposed to U2F together with the browser's compatibility layer)?
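The allowlist idea raised above (checking what the authenticator attests about itself) and the U2F-vs-WebAuthn point a few comments earlier can both be seen in the registration response a relying party receives. The following is an added example, not code from the thread or from Apple; it parses the WebAuthn authenticator data structure with the standard library only and looks the AAGUID up in a hypothetical allowlist. The AAGUID values and the relying-party ID "example.com" are constructed placeholders, not identifiers of any real product. A U2F-era authenticator surfaced through the compatibility layer reports an all-zero AAGUID, so such a check cannot identify its model at all.

```python
import hashlib
import struct
import uuid

# Flag bits of the authenticator data "flags" byte (WebAuthn Level 2, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data is included (registration only)
FLAG_ED = 0x80  # extension data is included

# Hypothetical allowlist: AAGUID -> label. Constructed values, not real product AAGUIDs.
ALLOWED_AAGUIDS = {
    uuid.UUID("11111111-2222-3333-4444-555555555555"): "example-certified-key",
}


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the 37-byte header and, if the AT flag is set, the attested credential data.

    Layout: rpIdHash (32) | flags (1) | signCount (4, big-endian) |
            [aaguid (16) | credentialIdLength (2) | credentialId | COSE public key (CBOR)]
    The COSE public key is not parsed here; it is not needed for the AAGUID check.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    parsed = {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "aaguid": None,
        "credential_id": None,
    }
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        parsed["aaguid"] = uuid.UUID(bytes=auth_data[37:53])
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential id truncated")
        parsed["credential_id"] = cred_id
    return parsed


def check_registration(auth_data: bytes, rp_id: str) -> tuple:
    """Return (accepted, reason). Only the AAGUID allowlist step of attestation checking;
    a production RP also verifies the attestation statement signature and certificate chain."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match the expected relying-party ID"
    if not parsed["user_present"]:
        return False, "user presence flag not set"
    if parsed["aaguid"] is None:
        return False, "no attested credential data; not a registration response"
    if parsed["aaguid"].int == 0:
        return False, "all-zero AAGUID: U2F-only authenticator, model cannot be identified"
    label = ALLOWED_AAGUIDS.get(parsed["aaguid"])
    if label is None:
        return False, "AAGUID %s is not on the allowlist" % parsed["aaguid"]
    return True, label


def build_sample_auth_data(rp_id: str, aaguid: uuid.UUID, flags: int,
                           sign_count: int, cred_id: bytes) -> bytes:
    """Constructed registration-style authenticator data for offline testing."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count)
            + aaguid.bytes
            + struct.pack(">H", len(cred_id))
            + cred_id)


# Constructed sample responses (no real authenticator involved).
CERTIFIED = build_sample_auth_data(
    "example.com", uuid.UUID("11111111-2222-3333-4444-555555555555"),
    FLAG_UP | FLAG_UV | FLAG_AT, 0, b"\x01" * 16)
U2F_ONLY = build_sample_auth_data(
    "example.com", uuid.UUID(int=0), FLAG_UP | FLAG_AT, 0, b"\x02" * 16)
UNKNOWN_MODEL = build_sample_auth_data(
    "example.com", uuid.UUID("99999999-8888-7777-6666-555555555555"),
    FLAG_UP | FLAG_UV | FLAG_AT, 0, b"\x03" * 16)

if __name__ == "__main__":
    for name, data in [("certified", CERTIFIED), ("u2f-only", U2F_ONLY), ("unknown", UNKNOWN_MODEL)]:
        print(name, check_registration(data, "example.com"))
```

The AAGUID is only a self-declared identifier; a relying party that actually wants to enforce "certified authenticators only" must also verify the attestation statement against the vendor's attestation root (for instance through the FIDO Metadata Service) rather than trusting the AAGUID bytes alone.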
Probably just a lack of awareness. If you read the support page closely, Yubikey 5 is given as an example of a supported FIDO2 key, but I’d bet that the Titan works as well.
It’s kind of like how Google clearly states that you need to use Google Authenticator (tm) as 2FA for your Google account, but really any TOTP app will work.
Am I missing something, but their current 2FA approach supports TOTP, doesn't it? At least for me it's OS integrated TOTP codes for 2FA with my AppleID.
Yes, for devices connected with iCloud account. But at work I use a different email and each time I have to wait for a text message (not to mention that they are invalidating my cookies quite often).
It would have been nice to also have the choice for some app generated OTP: it's less secure than keys but more secure than SMS, and much much easier to backup/transfer/keep/use.
Is there a way to audit the length of the key Apple’s actually using from the security keys and/or enforcement of key lengths by the hardware and/or protocol themselves?
I've only looked at the signature-side of things in web.
You can't enroll the keys through the WebUI; only use them. So enrollment is happening in the iPhone app. They use WebAuthn, an open standard for public key signatures.
You can but it’s key + pin OR password, not key + pin + password. I’ve tried a bunch of different setup configurations and can’t get it to work as a true 2FA like it should.
I did get it set up correctly at some point but an OS upgrade wiped the settings. I’ll have to try it again, but the path for setup isn’t as easy as it seems.
Yeah, this is disappointing. Especially since Windows, more broadly, has more robust smart card and security key support. And Edge/Chrome both support FIDO2/WebAuthn and there is a great iCloud password manager extension for Windows browsers (but not for non-Safari browsers on iOS).
> At least two FIDO® Certified