Apple now lets you protect your Apple ID and iCloud account with hardware security keys, a physical login technology that provides maximum protection against hackers, snoops and identity thieves.
Hardware security keys are small physical devices that communicate with a USB or Lightning port or with an NFC wireless data connection when you log in to a device or account. You must have the keys to use them, so they are effective at thwarting hackers trying to access your account remotely. And because they won’t work on fake login sites, they can thwart phishing attacks that try to fool you into typing your password into a fake website.
Support for keys arrived Monday with iOS 16.3 and MacOS 13.2, and on Tuesday, Apple published details on how to use security keys with iPhones, iPads and Macs. The company requires you to set up at least two keys.
The move follows hardware security key support from other tech companies, such as Google, Microsoft, Twitter and Facebook parent Meta. The U.S. Cybersecurity and Infrastructure Security Agency, or CISA, says security keys are the “gold standard” of multi-factor authentication.
Apple has been working to tighten security in recent months, with the iPhone facing breaches by NSO Group’s Pegasus spyware. Apple’s Advanced Data Protection option, which arrived in December, provides a strong encryption option for data stored and synced with iCloud. And in September, Apple added an iPhone Lockdown Mode, including new guardrails in how your phone works to thwart outside attacks.
One big caveat, though: While hardware security keys and advanced data protection programs lock down your account better, they also mean Apple can’t help you restore access.
“This feature is designed for users who often face common threats to their online accounts due to their public profile, such as celebrities, journalists and members of the government,” Apple said in a statement. “This takes our two-factor authentication even further, preventing even a sophisticated attacker from getting the user’s second factor in a phishing scam.”
Industry tightens login security.
The technology is part of an industry-wide tightening of authentication procedures. Thousands of data breaches have exposed the weaknesses of traditional passwords, and hackers can now defeat common two-factor authentication technologies such as security codes sent via text message. Another approach is called hardware security keys. Passkeys offer peace of mind even when it comes to serious attacks, like hackers gaining access to LastPass users’ password manager files.
Hardware security keys have been around for years, but the Fast Identity Online (FIDO) Alliance has helped standardize the technology and integrate its use with websites and apps. A big advantage on the web is that they are linked to specific websites, for example Facebook or Twitter, so they thwart phishing attacks that try to get you to log into fake websites. They are also the foundation of Google’s Advanced Protection program, for those who want maximum security.
You need to choose the right hardware security keys for your devices. For communicating with relatively new models of both Macs and iPhones, a dongle that supports USB-C and NFC is a good option. Apple requires you to have two keys, but it’s not a bad idea to have more in case you lose them. A single key can be used to authenticate to many different devices and services, such as your Apple, Google, and Microsoft accounts.
Yubico, a leading manufacturer of hardware security keys, announced on Tuesday two new FIDO-certified YubiKey models in its security key series that are suitable for consumers. They both support NFC, but the $29 model has a USB-C connector and the $25 model has an older-style USB-A connector.
The number of Americans who will be victims of data breaches will increase by 42% in 2022 compared to 2021, the Identity Theft Resource Center said in January. For some advice on online safety, check out my colleague Bree Fowler’s tips to improve your online privacy.
Passkeys and security keys are better than passwords.
Google, Microsoft, Apple and other partners are also working to support a different FIDO authentication technology, called passkeys. Passkeys are designed to replace passwords overall, and they don’t require hardware security keys.
FIDO Alliance Executive Director Andrew Shikiar said in a speech Wednesday at a conference on online identity issues that passkeys and security keys go hand in hand. That’s a big improvement over either passwords alone or passwords with login codes sent via text message or retrieved from an authenticator app, he said.
“We need to make a fundamental shift in how people authenticate from something that’s inherently knowledge-based — you know, something that’s sitting on a server, something that’s in your head, that you enter and transmit over the network — into something that’s inherently more possession-based,” Shikiar said of the coalition’s push to move away from passwords and login codes.
With FIDO technology such as passkeys or security keys, the authentication process takes place where you are, for example with passkey biometrics or a hardware security key, so it is very difficult for a remote attacker to compromise.