Date: 2023-01-28



Apple now lets you protect your Apple ID and iCloud account with hardware security keys. It’s a physical login technology that offers maximum protection from hackers, snoopers, and identity theft.

A hardware security key is a small physical device that connects through a USB or Lightning port, or over an NFC wireless data connection, when you log on to your device or account. Because you must possess the key to use it, security keys effectively stop hackers from trying to access your account remotely. Even better, they prevent phishing attacks that trick you into entering your passwords on fake websites.

Support for keys began in iOS 16.3 and macOS 13.2 on Monday, and on Tuesday Apple released details on how to use security keys on iPhones, iPads, and Macs. The company requires you to set up at least two keys.

The move follows support for hardware security keys by other technology companies, including Google, Microsoft, Twitter, and Facebook parent company Meta. The US Cybersecurity and Infrastructure Security Agency (CISA) says security keys are the “gold standard” for multi-factor authentication.

Apple has been tightening security over the past few months after being plagued by iPhone breaches involving NSO Group’s Pegasus spyware. Apple’s Advanced Data Protection option is coming in December and offers strong encryption options for data stored and synced to iCloud. And in September, Apple added an iPhone Lockdown Mode, which includes new guardrails on how the phone works to thwart external attacks.

However, there is a big caveat. Hardware security keys and the Advanced Data Protection program lock accounts better, but they also mean Apple can’t help you regain access.

“This feature is designed for users who face coordinated threats to their online accounts, such as celebrities, journalists and government officials, often because of their public profiles,” Apple said in a statement. “This takes our two-factor authentication a step further, making it impossible for even sophisticated attackers to obtain a user’s second factor through phishing scams.”

Industry tightens login security

The technology is part of a strengthening of authentication procedures across the industry. Thousands of data breaches have exposed the weaknesses of traditional passwords. Hackers can now defeat common two-factor authentication technologies such as security codes sent by text message. Hardware security keys and another approach called passkeys offer peace of mind even in the event of a serious attack, such as a hacker gaining access to LastPass customers’ password manager files.

Hardware security keys have been around for years, but the Fast Identity Online (FIDO) Alliance has helped standardize the technology and integrate its use into websites and apps. One of their great advantages on the web is that they are linked to specific websites such as Facebook and Twitter, which thwarts phishing attacks that try to get you to log into fake websites. They are also the foundation of Google’s Advanced Protection Program for users who want maximum security.
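How that link to a specific website is enforced when a site checks a security-key login, shown as an added example that is not from the original article, Apple, or the FIDO Alliance. The site name `accounts.example`, the look-alike domain, and the challenge strings are constructed for illustration, and verifying the key's signature over this data is a further required step that is not modeled here.

```javascript
// Added example: the relying-party checks that bind a FIDO2/WebAuthn login to one site.
// Signature verification against the stored public key is a required further step, not shown.
const { createHash } = require("node:crypto");

const RP_ID = "accounts.example";                   // hypothetical relying party ID
const EXPECTED_ORIGIN = "https://accounts.example"; // hypothetical site origin
const sha256 = (data) => createHash("sha256").update(data).digest();

// Constructed stand-in for what the browser and key return for a login request.
function makeAssertion(pageOrigin, rpId, challenge) {
  // The browser, not the page, writes the origin the user is really on.
  const clientDataJSON = Buffer.from(
    JSON.stringify({ type: "webauthn.get", challenge, origin: pageOrigin }));
  // authenticatorData = rpIdHash (32 bytes) || flags (1) || signCount (4)
  const authenticatorData = Buffer.concat(
    [sha256(rpId), Buffer.from([0x01, 0, 0, 0, 7])]); // 0x01 = user present
  return { clientDataJSON, authenticatorData };
}

// Server-side checks, in order; returns "ok" or the first reason for rejection.
function checkBinding({ clientDataJSON, authenticatorData }, expectedChallenge) {
  let client;
  try { client = JSON.parse(clientDataJSON.toString("utf8")); }
  catch { return "malformed-client-data"; }
  if (client === null || typeof client !== "object") return "malformed-client-data";
  if (client.type !== "webauthn.get") return "wrong-type";
  if (client.challenge !== expectedChallenge) return "challenge-mismatch";
  if (client.origin !== EXPECTED_ORIGIN) return "origin-mismatch";
  if (authenticatorData.length < 37) return "authdata-too-short";
  if (!authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return "rpid-mismatch";
  if ((authenticatorData[32] & 0x01) === 0) return "user-not-present";
  return "ok";
}

function demo() {
  const lookalike = "accounts-example.test"; // constructed look-alike domain
  return {
    genuine: checkBinding(makeAssertion(EXPECTED_ORIGIN, RP_ID, "c-1"), "c-1"),
    lookalikeSite: checkBinding(makeAssertion(`https://${lookalike}`, lookalike, "c-1"), "c-1"),
    wrongRpId: checkBinding(makeAssertion(EXPECTED_ORIGIN, lookalike, "c-1"), "c-1"),
    staleChallenge: checkBinding(makeAssertion(EXPECTED_ORIGIN, RP_ID, "c-0"), "c-1"),
  };
}

console.log(demo());
```

A response produced on the look-alike page carries that page's origin and RP ID hash, so the real site rejects it even if the user was fooled.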

On MacOS and iOS, you can protect your iCloud account and Apple ID with hardware security keys.

Screenshot by Stephen Shankland/CNET

You need to choose the right hardware security key for your device. Keys that support USB-C and NFC are good choices for communicating with newer models of both Macs and iPhones. Apple requires you to have two keys, but it’s not a bad idea to have more in case you lose one. A single key can be used to authenticate to different devices and services, including Apple, Google, and Microsoft accounts.

Yubico, a leading manufacturer of hardware security keys, announced Tuesday two new FIDO Certified YubiKey models in its consumer-friendly security key series. Both support NFC, but the $29 model has a USB-C connector and the $25 model has an older-style USB-A connector.

The number of Americans hit by a data breach in 2022 increased by 42% compared to 2021, the Identity Theft Resource Center said in January. For advice on online safety, see my colleague Bree Fowler’s tips for improving your online privacy.

Passkeys and security keys are better than passwords

Google, Microsoft, Apple, and other allies are also working to support another FIDO authentication technology called passkeys. Passkeys are designed to completely replace passwords and do not require hardware security keys.

Passkeys and security keys are complementary, FIDO Alliance executive director Andrew Shikiar said in a speech at a conference on online identity on Wednesday. Both are vast improvements over passwords alone, or passwords combined with login codes sent in text messages or obtained from authentication apps, he said.

“We’re moving from what’s essentially knowledge-based that people know, what’s on servers, what’s in their heads, what they type and send over networks, to what’s essentially more ownership-based. We need to fundamentally change the way people authenticate,” said Shikiar of the alliance’s move away from passwords and login codes.

FIDO technologies such as passkeys and security keys make it much more difficult for remote attackers to compromise accounts because the authentication process happens where the user is, relying on passkey biometrics and possession of hardware security keys.

