The new iOS login technology makes it extremely difficult to hack your iCloud account

Apple now allows you to protect your Apple ID and iCloud account with hardware security keys, a physical login technology that provides maximum protection from hackers, snoopers, and identity thieves.

Hardware security keys are small physical devices when you sign in to a device or account via USB ports, Lightning ports, or NFC wireless data connections. You must have keys to use them, so they are useful in preventing hackers trying to access your account remotely. Since it does not work on fake login websites, you can prevent phishing attacks that try to trick you into typing your password into a fake website.

Support for keys arrived with iOS 16.3 and macOS 13.2 on Monday and Tuesday. Apple has released details on how to use Security Keys with iPhones, iPads, and Macs. The company requires you to set at least two keys.

The move follows major support for hardware security from other tech giants such as Google, Microsoft, Twitter and Facebook parent Meta. According to the US Cybersecurity and Infrastructure Security Agency, or CISA, security keys are the "gold standard" for multifactor authentication.

Apple, which has been plagued by iPhone breaches, has been tightening security in recent months with Pegasus Spyware from NSO Group. Apple's Advanced Data Protection option when it arrives in December offers a strong encryption option for data stored and synced with iCloud. And in September, Apple added an iPhone lock mode that includes new security rules for how your phone works to thwart outside attacks.

However, there is one big caveat: Although hardware security keys and advanced data protection software better lock down your account, they also mean that Apple can't help you regain access.

READ Microsoft Force acknowledges Horizon 4 bugs and releases the package
“This feature is designed for users who face integrated threats to their online accounts, often because of their public profile, such as celebrities, journalists and members of the government.” Apple said the current situation. "This takes our two-factor authentication even further, preventing even an advanced attacker from getting the user's second factor in a phishing scam."

The industry is tightening login security
The technology is part of a tightening of authentication measures across the industry. Thousands of data breaches have exposed the vulnerabilities of traditional passwords Hackers can now bypass common two-factor authentication techniques such as security codes sent via text message. Another method called Hardware Security Keys and Passwords provides peace of mind even in the face of severe attacks such as those received by hackers accessing LastPass clients' password manager files.

Hardware security keys have been around for years, but the Rapid Identification on the Internet (FIDO) Alliance has helped standardize the technology and integrate its use with websites and apps. A big advantage on the Internet is that it is linked to certain websites, for example, Facebook or Twitter, so it prevents phishing attacks that make you log into fake websites. They're the foundation for Google's Advanced Security program, too, for those who want maximum protection.

 

 

MacOS and iOS allow you to protect your iCloud account and Apple ID with hardware security keys.

Screenshot by Stephen Shankland/CNET
You must select the correct hardware security keys for your devices. The USB-C and NFC-enabled Switch is a good way to communicate with relatively new models of both Macs and iPhones. Apple requires that you have two keys, but it's not a good idea to have more in case you lose them. You can use a single key to authenticate different devices and services, such as Apple, Google, and Microsoft accounts.

Yubico, a leading producer of hardware security keys, announced on Tuesday two new YubiKey models that are FIDO-certified for its consumer-grade security key series. Both support NFC, but the $29 model has a USB-C connector and the $25 model has an older-style USB-A connector.

The number of Americans affected by data breaches will rise 42% in 2022 compared to 2021, the Identity Theft Resource Center said in January. For some tips on online safety, check out my colleague Bree Fowler's Tips for Improving Your Privacy Online.

Passcodes and security keys are better than passwords
Google, Microsoft, Apple, and other partners are also working to support a different FIDO authentication technology called passkeys. Passkeys are designed to replace passwords in general, hardware security keys are not required.

Passwords and security keys are complementary, FIDO Alliance Executive Director Andrew Chekyar said in a speech Wednesday at a conference on issues of online identity. He said there's a huge improvement over passwords, or passwords combined with login codes sent via text or obtained from an authenticator app.

“We need to fundamentally change how people authenticate from something that you know, that's on a server, that's in your head, that you log into the network and send — something that's inherently knowledge-based. Possession-based Shekyar said of the coalition's effort to move away from passwords and access tokens.

With FIDO technology like passkeys or security keys, the authentication process takes place wherever you have, for example, a biometric passkey or a hardware security key, which makes it very difficult for a remote attacker to hack.