Protecting Apple ID accounts with physical security keys coming with iOS 16.3

A physical security key replaces two-factor verification codes for authorizing access to your Apple ID account via iPhone, iPad, Mac and the web.

Yubico’s USB-based YubiKey physical security key
  • What’s happening? Apple is bringing support for physical security keys for Apple ID accounts via FIDO-certified dongles such as Yubico’s YubiKey.
  • Why care? The new Security Keys feature adds another layer of security to your Apple ID, which contains your personal information and settings and is key to everything you do on Apple devices.
  • What to do? Check out physical security keys available on Amazon before Apple launches iOS 16.3 in early 2023 (late February or early March).

iOS 16.3 brings the Security Keys feature for Apple IDs

The new Security Keys feature was spotted in the first betas of iOS 16.2, iPadOS 16.2 and macOS Ventura 13.2. To use this feature, you’ll need a FIDO-certified physical security key like the YubiKey accessories from Yubico.

Of course, other dongles are supported as long as they’re FIDO-certified.

When set up, a physical dongle will authorize attempts to use Apple ID without having to input any verification codes. This makes your Apple ID much more secure, especially against phishing attacks that attempt to fool you into inputting your credentials for unauthorized account access.

The benefits of physical security keys

According to Apple, the Security Keys feature provides these benefits:

Strongest account security
Physical security keys provide strong protection against phishing and unauthorized access to your account.

Replaces verification codes
A physical security key replaces verification codes sent to your devices when signing in or resetting your password.

Physical security keys have another advantage over standard two-factor authentication: access to your Apple ID is guaranteed even if all your trusted devices used to generate verification codes are lost or bricked.

It’s unclear whether Security Keys deactivates the SMS fallback option for Apple ID two-factor authentication, which is still a concern despite growing eSIM usage.

How the Security Keys feature works

Physical security keys come in USB, NFC and Lightning flavors

With Security Keys turned on in Settings → [your_name] → Password & Security → Security Keys → Add Security Keys, you’ll be able to quickly authenticate an attempt to log into your Apple ID from a new device by inserting a compatible dongle into your iPhone’s Lightning port or holding a wireless security key near the device.

Doing so will instantly authorize access without having to input a one-time security code generated by your favorite authenticator app, such as Authy.

Having a physical security key strengthens the security of your online accounts, even more so than two-factor authentication, because it requires that a physical key be present when signing into an account.

For your own security, Apple won’t let you turn on the Security Keys option from a new device you just authorized with your Apple ID for a couple of weeks. “This waiting period helps protect your account,” reads Apple’s prompt.

Security Keys and Advanced Data Protection

Support for physical security keys ties in perfectly with Advanced Data Protection for iCloud, which is among the new security initiatives from Apple.

With it turned on in your iCloud settings from a device powered by iOS 16.2, iPadOS 16.2 or macOS Ventura 13.1, end-to-end encryption will be enforced for almost all iCloud data categories, including your iPhone backups stored in iCloud.

Advanced Data Protection downloads encryption keys from iCloud to your device, storing them in the Secure Enclave cryptographic coprocessor. A combination of iOS 16.3’s Security Keys feature and iOS 16.2’s Advanced Data Protection makes both Apple devices and iCloud data significantly more secure.

Security keys in Safari

Apple has made smaller changes in past years to prepare for the Security Keys launch. In December 2019, it brought support for NFC, USB and Lightning security keys that adhere to the FIDO2 standard via the iOS 13.3 update.

Soon after, a company called Yubico released a physical dongle for secure authentication in iOS, iPadOS and macOS, dubbed YubiKey. This has allowed Apple fans to authenticate access to web services like 1Password.com accounts with a physical security key for the first time ever.

This is an industry-wide effort with backing from other players, including Microsoft and Google. Google Accounts on iOS devices, for instance, can be protected further with physical security keys thanks to Google’s Advanced Protection Program.

The iOS and Android apps from Facebook also support hardware security keys. You can configure two-factor authentication access via physical security keys by venturing into the Security and Login section of the Facebook app.
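
Why a FIDO2 key used on the web resists phishing, shown as an added example (generic WebAuthn verification on the website's side, not Apple's, Yubico's or any named service's code): the site accepts a sign-in only if the signed response names its own origin, shows the key was physically used, and verifies against the registered public key. The domain names, the challenge value and the makeAssertion stand-in for a key and browser are constructed for illustration.

```javascript
const { createHash, generateKeyPairSync, sign, verify } = require("node:crypto");

const sha256 = (data) => createHash("sha256").update(data).digest();

// Returns "ok" or the reason the sign-in assertion is rejected.
function verifyAssertion(a, expected, publicKey) {
  const client = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong type";
  if (client.challenge !== expected.challenge) return "challenge mismatch";
  // The browser, not the web page, fills in origin, so a look-alike site cannot claim the real one.
  if (client.origin !== expected.origin) return "origin mismatch";
  // authenticatorData = rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes) | ...
  if (a.authenticatorData.length < 37) return "authenticatorData too short";
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return "rpId mismatch";
  // Flag bit 0 (User Present) is set only when the key was touched or tapped.
  if ((a.authenticatorData[32] & 0x01) === 0) return "user not present";
  // The key signs authenticatorData || SHA-256(clientDataJSON).
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return verify("sha256", signed, publicKey, a.signature) ? "ok" : "bad signature";
}

// Constructed stand-in for a security key plus browser, used only to produce sample input.
const { publicKey, privateKey } = generateKeyPairSync("ec", { namedCurve: "P-256" });
function makeAssertion(origin, rpId, challenge, flags = 0x01) {
  const clientDataJSON = Buffer.from(JSON.stringify({ type: "webauthn.get", challenge, origin }));
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([flags, 0, 0, 0, 1])]);
  const signature = sign("sha256", Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Constructed values the real site would hold for this sign-in attempt.
const expected = { origin: "https://accounts.example.test", rpId: "example.test", challenge: "c29tZS1jaGFsbGVuZ2U" };

function demo() {
  const good = makeAssertion(expected.origin, expected.rpId, expected.challenge);
  const lookalike = makeAssertion("https://accounts.examp1e.test", "examp1e.test", expected.challenge);
  const absent = makeAssertion(expected.origin, expected.rpId, expected.challenge, 0x00);
  const tampered = { ...good, authenticatorData: Buffer.from(good.authenticatorData) };
  tampered.authenticatorData[36] ^= 1; // alter signed bytes after signing
  const check = (a) => verifyAssertion(a, expected, publicKey);
  return { good: check(good), lookalike: check(lookalike), absent: check(absent), tampered: check(tampered) };
}

console.log(demo());
```

A one-time code typed into a look-alike page can be replayed on the real site; a response produced on the look-alike origin fails the origin check here even though the key's signature is valid.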