With the release of iOS 16.3 and macOS 13.2 Ventura, Apple added Apple ID security keys, providing a more robust way to protect your Apple Account and everything associated with it.
A security key is a physical device that works with two-factor authentication. Instead of using a code generated by a secondary Apple device for authentication, when you sign in to your Apple ID on another device after setting up security keys, you must authenticate via a physical key actually connected to your device.
You can use any FIDO-certified security key to enable the feature, and Apple recommends the YubiKey 5C NFC and YubiKey 5Ci, two devices sold by Yubico. Yubico sent me a pair of their security keys so I could try them out with Apple’s security key feature.
The YubiKey 5Ci has a USB-C connector and a Lightning connector so it can be plugged into iPhones, iPads, Macs and other devices that use these connectors, while the YubiKey 5C NFC has a USB-C connector and the ability to interface with NFC-enabled devices.
With Apple eliminating the Lightning port from the iPhone this year and because I don’t own any device without NFC, I went with the YubiKey 5C NFC for future-proofing, but if you plan on using an iPhone or iPad with a Lightning port for an extended period of time, the 5Ci might be the best option if you want to use security keys.
Security keys can be configured on iPhone, iPad, or Mac. Note that whichever security key product you choose, you must have two, not one. Apple requires duplicate security keys for redundancy, and Yubico also recommends a pair. The reason is that if you lose your physical security key and don’t have another one somewhere safe, you will lose access to your Apple ID. You will want to store the security keys in two separate locations.
On an iOS device or Mac, security keys can be enabled through the Password & Security section of the Settings app. Before you can add a security key, you must sign out of all inactive devices, including devices that you haven’t used in the last 90 days. Older devices do not support security keys at all.
I had to go through this process, and I want to note that it didn’t quite work properly (not the YubiKey’s fault). Apple’s process signed me out of unsupported devices or devices I hadn’t signed in to, but the security key setup was not progressing. I switched to a Mac to continue and had better luck.
The setup process required me to connect the security key, which I did using USB-C, and then I had to press the key for the Mac to recognize it. Apple asked me to give it a name and then repeat the process to add the second security key.
After that, I was asked to review my list of active devices and choose to log out of one of them. There was an option to stay connected to everything, which is what I chose. After the setup process, Apple asked me to store the keys separately and in a safe place, and specified that I may add additional keys in the future.
There’s also a single line at the bottom of the setup screen that clearly states that Apple has no way to help access an account linked to a security key if both keys are lost, a warning that should probably be in bolder text. Apple sends an email regarding the security key setup process, and in Mac and iOS settings I can view my connected security keys and delete them.
When I try to sign in to my Apple ID on a Mac, I’m prompted to insert and activate one of my security keys. This process requires inserting the key into a USB-C port and pressing it to activate. I receive notifications on all my devices when a connection attempt is made.
On an iPhone, the sign-in process is similar, but the YubiKey must be held near the iPhone’s NFC reader (at the top of the device) and activated for authentication. In general, it’s a straightforward process on every Mac, iPhone, and iPad I’ve tested it with. All of my devices are running iOS 16.3 or later or macOS Ventura 13.2 or later, and they all support USB-C or NFC. On devices that aren’t updated or don’t support USB-C/NFC, the process may not be as seamless and may require adapters.
My main concern when activating security keys is that I will lose one. YubiKeys and other security keys are small, discreet and easy to lose because they are designed to be kept secret and hidden. The YubiKey has a hole in the top for a key fob, so I’m going to add a key fob to the one that will stay in a safe place on my desk, and the second one will go somewhere more secure.
Two-factor authentication with a physical security key is more secure than authentication with a digital code, according to Apple, but it’s a bit more risky. I can’t track my YubiKeys if they’re lost, but I can find all of my secondary Apple devices if I lose one and need it for a code. That said, the authentication process is super simple, and it’s even faster than getting a passcode from another Apple device.
The YubiKeys don’t need recharging and seem to be durable so far based on anecdotal reports from YubiKey users, which is good because I’m also worried about breaking one. Ultimately, I think I can add a third key to my account just for another layer of protection, since I’m unlikely to lose or break three at once. The YubiKey has an IP68 water resistance rating, allowing it to withstand immersion in liquid, and it has a storage temperature of -4°F to 185°F.
You won’t need an app to use a YubiKey for some services (like with an Apple ID or Twitter), but for others the Yubico Authenticator will need to be installed. The Yubico Authenticator is like Google Authenticator or Authy, generating a code that uses the YubiKey.
I couldn’t set up the YubiKey with Instagram because Instagram’s authentication process and the Yubico app just wouldn’t work. The app would not recognize the key, so be aware that there may be some troubleshooting involved. There are limitations with the YubiKey in terms of supported accounts. It can store up to 25 FIDO2 credentials for passwordless logins, two OTP credentials, 32 OATH credentials for one-time passwords (when paired with Yubico Authenticator), and an unlimited number of U2F identifiers. If you have more than 32 accounts for which you need one-time passwords, the YubiKey might not be the best solution because it only works with 32 logins.
In addition to an Apple ID, the YubiKey works with other websites and services with two-factor authentication. Google, Microsoft, 1Password, LastPass, Facebook, Twitter, Instagram, bitcoin wallets, government accounts and more are all supported.
Conclusion
If you want to better secure your Apple ID with physical authentication using the Security Keys feature, the YubiKey series is worth looking into. It offers better protection than you’ll get with digital codes, but it’s expensive and there are some limitations to be aware of if you want a general-purpose physical authenticator.
How to buy
The YubiKey 5C NFC that I used in this review is priced at $55, and it can be purchased from the Yubico website. The YubiKey 5Ci with Lightning connector and USB-C connector is priced at $75.