I'm glad to see that they not only support, but require the use of multiple keys.
> iOS 16.3, iPadOS 16.3, or macOS Ventura 13.3, or later on all of the devices where you're signed in with your Apple ID.
and
> During set up, you're signed out of inactive devices, which are devices associated with your Apple ID that you haven't used or unlocked in more than 90 days. To sign back into these devices, update to compatible software and use a security key. If your device can't be updated to compatible software, you won't be able to sign back in.
I'm not ready to set this up, since I still use a few Big Sur and Monterey machines.
> I'm not ready to set this up, since I still use a few Big Sur and Monterey machines.
Yeah, unable to use iCloud on Windows is a big show stopper for me right now. I appreciate what Apple software we get on Windows and I've heard the Windows 11-only previews of updated Apple software are getting pretty good now. (I don't have Windows 11 so can't try them for myself.) But I'm very aware they are always going to lag a bit compared to their i-device and macOS versions. Including apparently on security support.
> I'm glad to see that they not only support, but require the use of multiple keys.
Yes, and also that they support up to 6 of them. That's a very solid number enabling a lot of decent (if basic) backup practices. A number of keys for regular use, a few put in a safe deposit box or safe or the like. Or if (as I'd assume) keys can be reused between accounts, then a family could each have a key, with all keys registered to all accounts, and then 1 or 2 in a safe spot as backup. Everyone still is protected by their password, but if they lose keys/devices then any other family member could be their live backup (and having the majority of keys constantly under control and in active use is good in terms of immediately noticing if one is lost or breaks and so on).
While I know it's definitely not Apple to add extra complexity, if anything it'd be cool if they leveraged this a bit farther even. Would be neat for example to support m of n restore, where if key/password are lost (somebody dies in an accident for example) then any 4 of 6 (or 3 of 6 or whatever) remaining keys can be used to get access. That would be a useful hedge, while not needing to offer unlimited trust to any single person (there could also be a few other safety measures like it taking a week and sending the account owner alerts in the mean time).
> During set up, you're signed out of inactive devices, which are devices associated with your Apple ID that you haven't used or unlocked in more than 90 days. To sign back into these devices, update to compatible software and use a security key. If your device can't be updated to compatible software, you won't be able to sign back in.
My only real disappointment with this is that Apple didn't implement some sort of "Purchases Only"/"iCloud Lite" functionality for old devices. I've still got an iPhone 6 and a few others because a lot of cool apps (both productivity and games) I love were dropped by iOS quite a long time ago. The devices are dedicated app runners, no communications, no syncing needed, but not having them attached to the same Apple ID means the old purchases would all be gone which kinda negates the point. And you can't transfer purchases between IDs, nor purchase now gone apps, so there isn't any way to just set up a new one, not even for money. Maybe it's possible to remove them from the iCloud side while they have WiFi disabled and then keep them offline forever? Still, kinda shitty :(. Though perhaps that's more a symptom of continued from-the-start weaknesses in the Apple ID system. Not being able to move and consolidate purchases has been a huge damn stupid thorn in people's sides almost since it became possible to start purchasing stuff with them.
I found a somewhat solution to the latter problem. If you have an Apple One Family Plan, and an empty slot, you can just create a legacy user with a new Apple ID and add it as a family member. This account will inherit all the purchases and subscriptions, but it can have a different security policy.
Am I the only one who feels lost in all those new security technologies and their various permutations, specifically understanding what's secure, how to back it up etc?
We have TOTP, 2nd factor, password managers, security keys, hardware security keys, passkeys, windows hello etc/etc..
Usernames and passwords are easy, if insecure. Type username, type password, done. Get admin to reset password if you forget. Put in password manager if one account is used by a team.
Security keys are hard. Needing a physical key around every time you have to log into something is annoying. Backups are hard, because off-site backups can't be done over the Internet. Self-service hardware tokens for services with infamously bad customer service are highly risky. Resetting an account if a key is lost or locked requires physically transferring hardware, which can be hard if someone is traveling, or can cause days of downtime. Team access is basically impossible if an account is secured with a physical key.
Authenticators are fine, except if you lose a couple of smartphones too close together, or you need a team to access one account. Password managers that let you securely store the QR code, or actually generate the key put the MFA in the same place as the rest of the credentials, which is not ideal but increasingly necessary for the same reason password managers came into existence in the first place.
Windows Hello and FaceID are actually pretty good, although fingerprint-based biometrics can be a little hit and miss. Not that a decent proportion of Windows users have Hello-compatible hardware. Interestingly, two TV shows in just the last few months (The Peripheral and, believe it or not, Mayfair Witches) have had a moment where a phone belonging to a dead or unconscious person was unlocked by showing it their face, so the shortcomings are entering public knowledge.
We can "all" agree that passwords are "bad", but we cannot agree on what to replace them with, mostly because the level of computer literacy for most solutions is much higher than just typing in a username and password. I can bang out the stuff above because, as an IT professional, I've experimented with KeePass, Windows Hello and Yubikeys in the last six months, buying my own hardware, to try to find some level of opsec that could be used by our customers. All I've done is highlight the lack of commitment to IT in general and training of all kinds in basically all of our customers.
FIDO passkeys are supposed to deal with the friction and provisioning issues you highlight with current FIDO keys in consumer applications. In enterprise, the status quo is a little more acceptable because generally you have one or a pair of physical keys provisioned to your profile in an IdP that you use across all your apps, and you have a known support structure if your key and backup get lost or fail.
In the consumer realm one has to deal with a gajillion different identity authorities so replacing keys or doing recovery because you lost one is a giant pain in the ass. Supposedly passkeys is targeted at that problem.
> Authenticators are fine, except if you lose a couple of smartphones too close together, or you need a team to access one account.
When you enable TOTP with a service, you can extract the TOTP secret and do all of the above with it -- backup to storage, copy to new devices, distribute to multiple people, etc.
With all the confusion though, at least we're fortunate there aren't too many long lived "fake" secure systems out there. The IT community seems to love to expose flaws and scams very publicly, very fast. All in all I think we've made good progress in the last decade. Things can always be easier, but to some point it does become the burden of the user to understand security.
> Interestingly, two TV shows in just the last few months (The Peripheral and, believe it or not, Mayfair Witches) have had a moment where a phone belonging to a dead or unconscious person was unlocked by showing it their face, so the shortcomings are entering public knowledge.
You cannot do that with a Face ID device, unless the security has been downgraded. It will check for eye activity.
Yes, handling security keys (custody) is difficult. I think the custody layer is incomplete and we also need more MPC (multi-party computation) features. For example distributing keys along multiple devices and requiring a subset of them to rebuild it. The problem with the security approaches presented by Apple, Google, et al. is that you end up with a single or two dimension of failure: it is easy to forget the key at the end of the chain (e.g. when you travel).
Let me try and explain some of the terminology (I'm not an expert either so I appreciate corrections from anyone reading).
A password manager just helps you store your passwords, and automatically inputs passwords for you. This makes it easier to use a variety of strong passwords. Also the password manager can check for a domain name match before doing its automatic input, which helps provide phishing resistance.
"2nd factor" or "multifactor" essentially just means adding on something in addition to passwords. That could be in the form of:
* TOTP = "time-based one time password". Use an authenticator app on your phone to input a 6-digit code which changes every 30 seconds or so.
* "security keys" / "hardware security keys" -- a dedicated device that allows you to authenticate, e.g. via USB or NFC. Generally considered more secure than TOTP, because the code is more than 6 digits worth of entropy, and also it forces the website requesting the code to authenticate itself before it provides the code (again, helps with phishing resistance).
I don't know anything about passkeys or Windows Hello.
As for backup, you should be able to transfer all of your TOTPs from one phone to another by scanning a QR code. For hardware security keys, you can buy multiple keys, register all of them, and keep them in different places. Then if you lose one you just use one of the others (and register a replacement to maintain redundancy).
For the TOTP, if you're worried about losing your phone, usually when you set up a TOTP you can also copy down some single-use "scratch codes" that can work as a backup if your phone breaks or something like that.
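To make the TOTP points in this thread concrete (the secret can be copied to several devices, and the code is only a hash of that secret and the time), here is an added example that is not part of any comment: RFC 4226/6238 code generation and a server-side check. The enrolment URI, account name and helper names are constructed; the secret is the RFCs' published test seed.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs

# Constructed enrolment URI, the text a setup QR code encodes. The secret is the
# RFC 4226 / RFC 6238 test seed ("12345678901234567890"), never a real one.
ENROLMENT_URI = ("otpauth://totp/Example:alice"
                 "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def secret_from_uri(uri):
    """Extract and base32-decode the shared secret from an otpauth:// URI."""
    b32 = parse_qs(urlparse(uri).query)["secret"][0].upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with counter = number of `step`-second periods since the epoch."""
    return hotp(secret, int(unix_time) // step, digits)


def server_verify(secret, submitted, unix_time, step=30, skew=1):
    """Accept the code for the current period or `skew` periods either side.

    Note what is absent: no input says which site the user typed the code into.
    """
    now = int(unix_time) // step
    ok = False
    for counter in range(max(0, now - skew), now + skew + 1):
        ok |= hmac.compare_digest(hotp(secret, counter), submitted)
    return ok


def demo():
    phone = secret_from_uri(ENROLMENT_URI)    # authenticator app on a phone
    vault = secret_from_uri(ENROLMENT_URI)    # same URI kept in a password manager
    t = 59                                    # RFC 6238 test time
    code = totp(phone, t)
    return {
        "code": code,
        "copies_agree": code == totp(vault, t),
        "accepted_20s_later": server_verify(phone, code, t + 20),
        "accepted_2min_later": server_verify(phone, code, t + 120),
    }


if __name__ == "__main__":
    print(demo())
```

Anyone holding a copy of the secret produces the same code, which is what makes backup and team sharing possible; a production verifier should also refuse a code it has already accepted, as RFC 6238 requires.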
> For hardware security keys, you can buy multiple keys, register all of them, and keep them in different places. Then if you lose one you just use one of the others (and register a replacement to maintain redundancy).
Do I need to have all keys in my physical possession to register them with a new account?
I could imagine having some backup keys in different places, but if I need to collect them every time I want to register them for some new account or service, it sounds like a lot of trouble.
(And if the process is too much trouble, the result would be that: (1) I don't use the hardware keys for those accounts, which is less secure; (2) I only register my primary key that I keep nearby, which is dangerous if it would get lost or broken; or (3) my backup keys end up at the same place as the primary one, due to forgetting or being too lazy to put them back, which is also dangerous…)
I made the effort to look into security solutions for my important accounts (password only is not that!) and chose a security key solution but the various providers have very uneven support for that - for example Apple was one notable case. Several forcing you to use phone number based solution (including banks) if you opt for secure ways but that is inadequate and risky on a whole different way for my case. Unacceptable.
It is the strong password case all over again: I took the effort to build up a layered approach setting up memorable but strong password categories for the different categories of accounts I have just to be rejected by the odd ones: you are not allowed to use that character! And sometimes: your password must be shorter! Forcing me to their ways, hugely reducing security. Not enough choice.
My family is adept at forgetting passwords and losing physical devices. Keeping track of air pods is a complete nightmare. I can't even imagine adding extra physical devices where I'd have to manage the backups and constantly purchase new ones. Having gone through the hell of dealing with recovering iCloud accounts while not having a bunch of spare Apple devices laying around, I refuse to go beyond SMS for 2FA. Yes, it's certainly less secure, but it's something I can manage and control outside of the Apple ecosystem.
It may help to understand who this feature is for:
This feature is designed for users who, often due to their public profile, face concerted threats to their online accounts, such as celebrities, journalists, and members of government [1].
No, and I think that TOTP is sufficient for 99% of cases, but hey that hardware key really makes the difference between a geek and someone else :) plus, there seems to be a recession going on, get out and throw another 2*40 $ to yubico now! :)
I'm not, but I do crypto (as in PKI, smartcards) stuff, so let me try to explain some of the thinking behind hardware keys.
The idea of a second factor is that "something you have" is hard for an attacker to also have, however, proof of having something usually means "proof that you know some secret" and that secret itself can often be copied.
The lazy "proof you have" something is SMS auth, i.e. proof you control a phone number. However this isn't great, since in some jurisdictions ringing your mobile provider is enough to get control over that number.
TOTP then says: let's assume you have some secret seed and I also know it. If I take a hash of it (HOTP) and include some time information I have a code valid for a small window that is hard to steal. The benefit is that everywhere this secret exists you can have an authenticator. The downside is that this is rarely a separate device to your computer. You also are going to enter your code into a website... and that might not be the right website, allowing capture of the code via phishing.
The standard for legal, qualified digital signatures in the EU is to have non-extractable keys generated on hardware devices and never backed up. Why? Well, if you lose the hardware token (or it is damaged) you don't lose access to encrypted data, just the ability to sign documents. At this point you have an annoying dance to do to be issued a new token, but allowing backup of the signing key means signatures may be repudiated (because someone else could have stolen the backup).
The same goal applies to U2F / FIDO certified security keys. U2F generates a unique key-pair per authentication target and that private key never leaves the authenticator. This gives you two things: 1) a binding between your target service and your device. Phishing becomes a lot more difficult unless you can present the right challenge-response to the authenticator, and 2) an authenticator you physically need to have present, but don't need a pin or awkward copy-paste of a code to use. You aren't using this key for encryption, but for authentication, so, the backup strategy is: have multiple keys. If you lose one, you can delete that entry from respective accounts.
Password managers exist because some websites are password-only and even if not, you can't always trust they employed argon2id as a password hash. It also saves you having to remember multiple passwords. Your password database is something you will need to keep backed up.
Personally I keep printed recovery codes of really important accounts, spare registered security keys, and a disk with my password database on in a safe place.
I'm hesitant to rely on security keys after two of my Yubikey 5cs broke in the same month after ~3 years of ownership. Do we understand the lifetimes and stability of these devices?
I think hardware security make a ton of sense for an enterprise environment, where you can go to IT and prove your identity to regain access. But, for something like Apple or Google - I'm sure the recovery process is not as easy.
For hardware crypto wallets, people go to extremes - safety deposit boxes, fire-proof recovery phrases, etc. But, for me - losing access to my core online accounts would be more destabilizing than losing money on a hardware wallet. Yet, we don't have the ultra-reliable backup methods in place for web auth like we do for crypto wallets.
The security key here isn’t used for every login. So if you were to lose both it’s not like your account is completely disabled and all data lost. I think you can even still use your Recovery Code.
The Security Key here primarily replaces the 2FA authentication method for adding new devices to your account.
From Apple’s own documentation:
When you use Security Keys for Apple ID, you need a trusted device or a security key to:
- Sign in with your Apple ID on a new device or on the web
- Reset your Apple ID password or unlock your Apple ID
- Add additional security keys or remove a security key
I believe if you lose both you can still add another as long as you have access to a device that’s still logged in.
The biggest hole in Apple’s security model, and one which has been documented to have been exploited many times, is people using phishing tactics to get the 6-digit 2FA code to gain iCloud access, adding a new device, then downloading the unencrypted backup from the victim’s primary device from iCloud. Security Keys and E2EE now make this impossible.
> A modern web browser. If you can't use your security key to sign in on the web, update your browser to the latest version or try another browser.
It doesn't seem like Firefox 108 supports this. Does anyone know if Firefox beta or nightly work to sign into iCloud with hardware security keys for 2FA?
---
Just confirmed that Firefox beta (109) doesn't support iCloud's sign in, either.
Firefox team simply has been refusing to implement the Webauthn spec for years now. It's extremely frustrating and is probably still years away as nobody seems to be actively working on it in any capacity.
That's odd, because I can sign into (on-prem) Confluence with my Yubikey (5 NFC) as the MFA via Firefox. I get a little Windows "tap your key" prompt and everything.
Firefox supports U2F. Webauthn is backwards-compatible with U2F. However as a website you can choose whether you want to actually support U2F or only FIDO2. Maybe Apple opted to not do it.
However when I look at the JS code in appleid.apple.com there does seem to be code for U2F, surprisingly.
I have tried adding my keys and macOS refused because my Mac had been activated on December 3rd last year, so for security reasons I can add keys only after March 3rd this year.
> Because this is a new device on your account, you cannot use it to add security keys until 03/04/2023. This waiting period helps protect your account.
This is awesome news! My YubiKey keeps becoming more and more useful over time, it's excellent. Yubi Authenticator giving me TOTP has been lovely (I have two keys that I always add the codes to each, one kept safe the other used regularly), and now more and more support for FIDO/U2F etc. across all my important accounts. Apple ID was one of the last hold outs, this is so good
So I’ve been thinking about this for a good long while now and I’m not really sure whether this increases the security of your account or not.
On one hand, you can’t accidentally or absent-mindedly approve a request from someone else on your phone with a YubiKey. On the other hand, with device 2FA you generally need to be present (Face or Touch).
If someone were to steal your yubikey then they’d be able to perform a step that previously you’d have needed to be there for.
I’m guessing MFA (password + presence + YubiKey) is too much of a catastrophic lockout risk to be supported.
> If someone were to steal your yubikey then they’d be able to perform a step that previously you’d have needed to be there for.
Several security keys are protected themselves with an additional factor. There are, for example, Yubikeys which are unlocked by your fingerprint: this now requires the thief to not only steal your Yubikey but also have the skills required to reproduce your fingerprint.
There are also several U2F devices protected by a PIN. The "Only key" uses one PIN to register a service (which you do once per service) and another PIN to authenticate to the service (so you cannot easily be tricked into registering instead of authenticating). The Ledger Nano U2F app is also protected by a PIN and has its own little screen so it displays the name (or the identifier) of the service you're either registering or authenticating to (and tells you if you're actually going to register or authenticate), is protected by a HSM and factory resets itself after three wrong PINs.
I'm using the latter to SSH now (requires a moderately recent version of OpenSSH: latest Debian stable is sufficient for example).
If your Yubikey is configured to use a PIN, you have to unlock it to use it for this service. You can use a number of tools such as this one to set a PIN:
All FIDO keys support a PIN. It’s off by default when using them as 2FA because you already insert a password, but you can turn it on. It’s also required for passkeys or generally when using security keys as single factor.
I wish people would understand that biometrics are great for identification, but not for authentication.
In the case of fingerprints, you leave them on pretty much everything you touch, meaning obtaining a copy of your fingerprint in most cases is just a question of stealing the glass you were drinking from at the bar.
It's the equivalent of leaving little notes with your password everywhere you go.
Curious, I am somewhat paranoid about leaving my keys or wallet in my jacket at a gym but if I had a security key, I'd be pretty terrified. Does having a key mean you still need a password since it's 2 factor? If you lose a key, do you need a backup master password like using auth apps?
> If you lose a key, do you need a backup master password like using auth apps?
Yes. If you only have one key enrolled and no other recovery mechanism, you're now locked out forever. That's why Apple are pushing you to have two keys as a minimum.
> At least two FIDO® Certified
Unless there will be a warning when adding the keys, this can lead to many support requests they will get from users who did not read this part.
https://fidoalliance.org/passkeys/
[1]: https://www.apple.com/newsroom/2022/12/apple-advances-user-s...
The idea of a second factor is that "something you have" is hard for an attacker to also have; however, proof of having something usually means "proof that you know some secret", and that secret itself can often be copied.
The lazy "proof you have" something is SMS auth, i.e. proof you control a phone number. However this isn't great, since in some jurisdictions ringing your mobile provider is enough to get control over that number.
TOTP then says: let's assume you have some secret seed and I also know it. If I take a hash of it (HOTP) and include some time information I have a code valid for a small window that is hard to steal. The benefit is that everywhere this secret exists you can have an authenticator. The downside is that this is rarely a separate device to your computer. You also are going to enter your code into a website... and that might not be the right website, allowing capture of the code via phishing.
The standard for legal, qualified digital signatures in the EU is to have non-extractable keys generated on hardware devices and never backed up. Why? Well, if you lose the hardware token (or it is damaged) you don't lose access to encrypted data, just the ability to sign documents. At this point you have an annoying dance to do to be issued a new token, but allowing backup of the signing key means signatures may be repudiated (because someone else could have stolen the backup).
The same goal applies to U2F / FIDO certified security keys. U2F generates a unique key-pair per authentication target and that private key never leaves the authenticator. This gives you two things: 1) a binding between your target service and your device. Phishing becomes a lot more difficult unless you can present the right challenge-response to the authenticator, and 2) an authenticator you physically need to have present, but don't need a pin or awkward copy-paste of a code to use. You aren't using this key for encryption, but for authentication, so, the backup strategy is: have multiple keys. If you lose one, you can delete that entry from respective accounts.
Password managers exist because some websites are password-only and even if not, you can't always trust they employed argon2id as a password hash. It also saves you having to remember multiple passwords. Your password database is something you will need to keep backed up.
Personally I keep printed recovery codes of really important accounts, spare registered security keys, and a disk with my password database on in a safe place.
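The TOTP and U2F mechanisms described in the comment above, as an added example that is not part of the thread: `hotp` and `totp` follow RFC 4226 and RFC 6238, while the origin-bound half uses an HMAC as a labelled stand-in for the per-site key pair and signature a real security key produces. The device secret and both origins are constructed for illustration.

```python
import hashlib, hmac, struct

RFC_SECRET = b"12345678901234567890"  # shared seed used by the RFC 4226/6238 test vectors

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits)

def verify_totp(secret, code, unix_time, step=30, window=1):
    """Server side: accept the current step and `window` steps either side.
    Nothing in the check says which site the user typed the code into."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + d * step, step, len(code)), code)
        for d in range(-window, window + 1)
    )

# Origin-bound challenge-response. Assumption: HMAC stands in for the ECDSA
# key pair a real U2F/FIDO authenticator creates per site.
def site_key(device_secret, origin):
    """One key per origin, derived inside the authenticator."""
    origin_hash = hashlib.sha256(origin.encode()).digest()
    return hmac.new(device_secret, origin_hash, hashlib.sha256).digest()

def assertion(device_secret, origin_seen_by_browser, challenge):
    """The response covers the challenge under the key for the origin the browser reports."""
    key = site_key(device_secret, origin_seen_by_browser)
    return hmac.new(key, challenge, hashlib.sha256).digest()

def verify_assertion(registered_key, challenge, response):
    expected = hmac.new(registered_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    device = b"constructed-device-secret"        # constructed sample value
    real, lookalike = "https://accounts.example", "https://accounts-example.test"
    registered = site_key(device, real)          # stored by the service at enrolment
    challenge = b"constructed-server-nonce"
    print(totp(RFC_SECRET, 59), verify_totp(RFC_SECRET, "287082", 89))
    print(verify_assertion(registered, challenge, assertion(device, real, challenge)))
    print(verify_assertion(registered, challenge, assertion(device, lookalike, challenge)))
```

The TOTP check passes for any code computed from the seed within the time window, whereas the origin-bound response only verifies when the browser reported the origin that was enrolled.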
I think hardware security makes a ton of sense for an enterprise environment, where you can go to IT and prove your identity to regain access. But, for something like Apple or Google - I'm sure the recovery process is not as easy.
For hardware crypto wallets, people go to extremes - safety deposit boxes, fire-proof recovery phrases, etc. But, for me - losing access to my core online accounts would be more destabilizing than losing money on a hardware wallet. Yet, we don't have the ultra-reliable backup methods in place for web auth like we do for crypto wallets.
The Security Key here primarily replaces the 2FA authentication method for adding new devices to your account.
From Apple’s own documentation:
When you use Security Keys for Apple ID, you need a trusted device or a security key to:
- Sign in with your Apple ID on a new device or on the web
- Reset your Apple ID password or unlock your Apple ID
- Add additional security keys or remove a security key
I believe if you lose both you can still add another as long as you have access to a device that’s still logged in.
The biggest hole in Apple’s security model, and one which has been documented to have been exploited many times, is people using phishing tactics to get the 6-digit 2FA code to gain iCloud access, adding a new device, then downloading the unencrypted backup from the victim’s primary device from iCloud. Security Keys and E2EE now make this impossible.
A lot of services offer one-time backup codes and connecting multiple 2FA devices. Making Yubikey a single point of failure is certainly a bad idea.
Using the A and C nanos. Helped they were permanently in machines though. No mechanical risk.
> A modern web browser. If you can't use your security key to sign in on the web, update your browser to the latest version or try another browser.
It doesn't seem like Firefox 108 supports this. Does anyone know if Firefox beta or nightly work to sign into iCloud with hardware security keys for 2FA?
---
Just confirmed that Firefox beta (109) doesn't support iCloud's sign in, either.
It only supports legacy U2F keys/mode, as far as I know, and Apple seems to require CTAP2.
However, when I look at the JS code in appleid.apple.com, there does seem to be code for U2F, surprisingly.
I have tried adding my keys and macOS refused because my Mac had been activated on December 3rd last year, so for security reasons I can add keys only after March 3rd this year.
> Because this is a new device on your account, you cannot use it to add security keys until 03/04/2023. This waiting period helps protect your account.
On one hand, you can’t accidentally or absent-mindedly approve a request from someone else on your phone with a YubiKey. On the other hand, with device 2FA you generally need to be present (Face or Touch).
If someone were to steal your yubikey then they’d be able to perform a step that previously you’d have needed to be there for.
I’m guessing MFA (password + presence + YubiKey) is too much of a catastrophic lockout risk to be supported.
Several security keys are protected themselves with an additional factor. There are, for example, Yubikeys which are unlocked by your fingerprint: this now requires the thief to not only steal your Yubikey but also have the skills required to reproduce your fingerprint.
There are also several U2F devices protected by a PIN. The "Only key" uses one PIN to register a service (which you do once per service) and another PIN to authenticate to the service (so you cannot easily be tricked into registering instead of authenticating). The Ledger Nano U2F app is also protected by a PIN and has its own little screen, so it displays the name (or the identifier) of the service you're either registering or authenticating to (and tells you if you're actually going to register or authenticate), is protected by an HSM, and factory resets itself after three wrong PINs.
I'm using the latter to SSH now (requires a moderately recent version of OpenSSH: latest Debian stable is sufficient, for example).
Or the thief can “steal” a couple of your fingers too and have unlimited access to your fingerprints. Oh, wait, is that just a movie thing?
https://www.yubico.com/support/download/yubikey-manager/
CTAP 2 compatible keys, e.g. FIDO 2 (certified or not). Older U2F-only keys won't support a PIN.
https://www.yubico.com/product/yubikey-c-bio/
In the case of fingerprints, you leave them on pretty much everything you touch, meaning obtaining a copy of your fingerprint in most cases is just a question of stealing the glass you were drinking from at the bar.
It's the equivalent of leaving little notes with your password everywhere you go.
Yes. If you only have one key enrolled and no other recovery mechanism, you're now locked out forever. That's why Apple are pushing you to have two keys as a minimum.
You can choose a key that has an additional factor built in, such as a fingerprint reader.
If you lose one of the keys you can authorize a new one.
If you lose both of the keys and all the Apple devices that you can log into directly, e.g. with fingerprint sensor on a Mac, then you're SOL.