iOS 16.3: overview of support for physical security keys to access your Apple account

iOS 16.3 adds a new two-factor authentication (2FA) system when you want to connect to your Apple account: security keys. This is one of the new features announced last week in the wake of iCloud’s end-to-end encryption, and it’s ushered in with the first beta of iOS 16.3.

A security key used to sign in to the Apple Developer Portal.

The security key replaces the 6-digit validation code sent to devices upon login or password reset. FIDO-certified keys are compatible with this new feature (Apple works closely with this alliance).

Security keys can be added in Apple ID > Password & Security Settings.

During setup, Apple asks for not one, but two security keys, guaranteeing you can log into your account even if you lose one. Note, in case of loss of the two keys, the manufacturer will not be able to help the unfortunate user to access his account.

Apple also specifies that any device that has not been used for more than 90 days will be automatically logged out of the account. To reconnect to these devices, you need a security key.

After saving each of the keys, it is possible to rename them. During the configuration, we are also asked to check the active devices and, if necessary, disconnect those that we do not recognize. And it is then possible to manage your keys in the settings Password and security, where you can add and remove them all. In the latter case, it’s back to square one, with the famous 6-digit code as the second authentication factor.

Apple also sends a confirmation email:

After a few tries it works perfectly. For users who have multiple Apple devices, this news will prevent them from ringing and notifications pouring from all sides when the verification code is sent by Apple, and just for that, long live security keys!

For this example, I used a Yubikey 5Ci, which combines a Lightning connector and a USB-C connector. NFC keys are also supported.
It is also possible to add and remove security keys in macOS 13.2.
The authentication request with the security key works fine in Safari (here on macOS 13.1).

Joking aside, Apple is not aiming this security feature at regular users who already enjoy a good level of security with Apple’s classic 2FA (the code sent to the devices), but for users who ” due to their public activity, face threats on their online accounts: celebrities, journalists, members of the government, etc. “.

All of this begs the question: could Apple launch its own security key? It would not be completely out of the question. After all, Google does the same with its Titan keys.


Leave a Comment