|
| Yubico's basic YubiKey security keys cost $25 for a USB-A model and $29 for a USB-C variant. Both also allow NFC wireless communications. |
Apple now lets you safeguard your Apple ID and iCloud account with hardware security keys, a physical login mechanism that guarantees maximum protection from hackers, snoops and identity thieves.
Hardware security keys are tiny physical devices that interact with USB or Lightning ports or with NFC wireless data connections while you're signing on to a device or in to an account. You must have keys in your possession to use them, so they're good at blocking hackers attempting to get your account remotely. And since they won't function on false login pages, they may stop phishing assaults that aim to deceive you into inputting your password into a counterfeit website.
Support for the keys appeared Monday with iOS 16.3 and MacOS 13.2, and on Tuesday, Apple provided guidelines on how to utilize security keys with iPhones, iPads and Macs. The firm asks you to set up at least two keys.
The move follows hardware security key support from other digital giants, such Google, Microsoft, Twitter and Facebook parent Meta. The US Cybersecurity and Infrastructure Security Agency, or CISA, believes security keys are the "gold standard" of multifactor authentication.
Apple has been attempting to enhance security in recent months, stung by iPhone intrusions using NSO Group's Pegasus malware. Apple's Advanced Data Protection option launched in December, delivering a better encryption option to data saved and synced with iCloud. And in September, Apple released an iPhone Lockdown Mode that contains additional guardrails on how your phone functions to resist outside threats.
A huge catch, though: Although hardware security keys and the Advanced Data Protection program lock down your account better, they also mean Apple can't assist you restore access.
"This functionality is meant for individuals who, frequently owing to their public profile, face coordinated threats to their online accounts, such as celebrities, journalists, and members of government," Apple stated in a statement. "This extends our two-factor authentication even farther, preventing even a sophisticated attacker from accessing a user's second factor in a phishing scheme."
Industry strengthens login security
The technology is part of an industrywide tightening of authentication methods. Thousands of data breaches have highlighted the flaws of standard passwords, and hackers today easily circumvent basic two-factor authentication systems like security codes received by text message. Hardware security keys and another solution called passkeys give piece of mind even when it comes to significant threats like hackers getting access to LastPass users' password manager data.
Hardware security keys have been available for years, but the Fast Identity Online (FIDO) Alliance has helped standardize the technology and integrate its usage with websites and applications. One huge benefit on the web is they're tied to particular websites, for example Facebook or Twitter, so they foil phishing assaults that aim to convince you to log in to false websites. They're the cornerstone for Google's Advanced Protection Program, too, for individuals who desire ultimate security.
 |
| MacOS and iOS allow you encrypt your iCloud account and Apple ID using hardware security keys. |
You need to choose the proper hardware security keys for your devices. To interact with relatively recent versions of both Macs and iPhones, a key that supports USB-C and NFC is a suitable choice. Apple mandates you to have two keys, but it isn't a terrible idea to carry additional in case you lose them. A single key may be used to authenticate to many various devices and services, such your Apple, Google and Microsoft accounts.
Yubico, the leading producer of hardware security keys, revealed on Tuesday two new FIDO-certified YubiKey versions in its Security Key Series suitable for customers. They both support NFC, however the $29 model has a USB-C connection while the $25 model has an older type USB-A connector.
The number of Americans victimized by data breaches in 2022 climbed 42% compared with 2021, the Identity Theft Resource Center announced in January. For more guidance on internet safety, see my colleague Bree Fowler's ideas for improving your online privacy.
Passcodes and security keys better than passwords
Google, Microsoft, Apple and other friends are also trying to enable a new FIDO authentication technique, dubbed passkeys. Passkeys are supposed to replace passwords completely, and they don't need hardware security keys.
Passkeys and security keys are complimentary, FIDO Alliance Executive Director Andrew Shikiar said in a Wednesday lecture at a symposium on online identity problems. Either is a major improvement over passwords alone or passwords paired with login codes provided via text message or obtained through an authenticator app, he added.
"We need to have a fundamental shift in how people authenticate from something that's inherently knowledge-based — something you know, something that sits on a server, that's in your head, that you enter and transmit over a network — to something that's inherently more possession based," Shikiar said of the alliance's push to move away from passwords and login codes.
With the FIDO technology like passkeys or security keys, the authentication process takes place exactly where you are, for example with passkey biometrics or physical security key ownership, therefore it's more difficult for a remote attacker to breach.