194 comments

[ 4.4 ms ] story [ 243 ms ] thread
This is excellent news.

> At least two FIDO® Certified

I'm glad to see that they not only support, but require the use of multiple keys.

> iOS 16.3, iPadOS 16.3, or macOS Ventura 13.3, or later on all of the devices where you're signed in with your Apple ID.

and

> During set up, you're signed out of inactive devices, which are devices associated with your Apple ID that you haven't used or unlocked in more than 90 days. To sign back into these devices, update to compatible software and use a security key. If your device can't be updated to compatible software, you won't be able to sign back in.

I'm not ready to set this up, since I still use a few Big Sur and Monterey machines.

> If your device can't be updated to compatible software, you won't be able to sign back in.

Unless there will be a warning when adding the keys, this can lead to many support requests they will get from users who did not read this part.

They've been pretty good about this in the past, with iCloud E2EE my phone refused to let me enable it without updating all associated devices.
How has this feature been working for you. It's apparently not available in my country but I'm looking forward to trying it.
Haven't noticed any difference except the process to access iCloud on the web is a little different, overall it works great across all my devices.
It wasn't available in my country (UK) yesterday, but I just checked after updating to 16.3 and it now says I can enable it.
I haven't noticed a difference. Enabling icloud.com and giving it even temporary keys seems like quite the downside, so I didn't try that.
There was a warning when turning Advanced Data Protection. It wouldn’t let you continue until the all the devices signed into iCloud were updated.
Nice. Great to hear that it's built the way it should be!
>I'm glad to see that they not only support, but require the use of multiple keys.

Yes, and also that they support up to 6 of them. That's a very solid number enabling a lot of decent (if basic) backup practices. A number of keys for regular use, a few put in a safe deposit box or safe or the like. Or if (as I'd assume) keys can be reused between accounts, then a family could each have a key, with all keys registered to all accounts, and then 1 or 2 in a safe spot as backup. Everyone still is protected by their password, but if they lose keys/devices then any other family member could be their live backup (and having the majority of keys constantly under control and in active use is good in terms of immediately noticing if one is lost or breaks and so on).

While I know it's definitely not Apple to add extra complexity, if anything it'd be cool if they leveraged this a bit farther even. Would be neat for example to support m of n restore, where if key/password are lost (somebody dies in an accident for example) then any 4 of 6 (or 3 of 6 or whatever) remaining keys can be used to get access. That would be a useful hedge, while not needing to offer unlimited trust to any single person (there could also be a few other safety measures like it taking a week and sending the account owner alerts in the mean time).

>During set up, you're signed out of inactive devices, which are devices associated with your Apple ID that you haven't used or unlocked in more than 90 days. To sign back into these devices, update to compatible software and use a security key. If your device can't be updated to compatible software, you won't be able to sign back in.

My only real disappointment with this is that Apple didn't implement some sort of "Purchases Only"/"iCloud Lite" functionality for old devices. I've still got an iPhone 6 and a few others because a lot of cool apps (both productivity and games) I love were dropped by iOS quite a long time ago. The devices are dedicated app runners, no communications, no syncing needed, but not having them attached to the same Apple ID means the old purchases would all be gone which kinda negates the point. And you can't transfer purchases between IDs, nor purchase now gone apps, so there isn't anyway to just setup a new one not even for money. Maybe it's possible to remove them from the iCloud side while they have WiFi disabled and then keep them offline forever? Still, kinda shitty :(. Though perhaps that's more a symptom of continued from-the-start weaknesses in the Apple ID system. Not being able to move and consolidate purchases has been a huge damn stupid thorn in people's sides almost since it became possible to start purchasing stuff with them.

Any confirmation if keys can be reused between accounts?
I found a somewhat solution to the latter problem. If you have an Apple One Family Plan, and an empty slot, you can just create a legacy user with a new Apple ID and add it as a family member. This account will inherit all the purchases and subscriptions, but it can have a different security policy.
Can you not just sign into the iTunes Store without signing into iCloud? They’ve always supported that for legacy users that shared a single Apple ID for all their purchases with their family.
Nope. With E2EE, and I believe with Security Keys, you must be running a supported OS on supported hardware or you can’t sign in with your Apple ID for anything.
For some reason that says macOS Ventura 13.3 which doesn't seem to be available: 13.2 was released yesterday. But 13.2 does allow adding keys.
I really wish iOS devices had FIDO (etc) built in. I wish I could use my other iDevices as a FIDO device.
> I'm not ready to set this up, since I still use a few Big Sur and Monterey machines.

Yeah, unable to use iCloud on Windows is a big show stopper for me right now. I appreciate what Apple software we get on Windows and I've heard the Windows 11-only previews of updated Apple software are getting pretty good now. (I don't have Windows 11 so can't try them for myself.) But I'm very aware they are always going to lag a bit compared to their i-device and macOS versions. Including apparently on security support.

Been waiting for this. Will be setting it up on App Store accounts soon.

The only potential problem for turning this on for my personal account is that you can't sign into iCloud using Windows, which isn't a problem in itself (I have no need to sync my photos to my gaming tower), but if it means I also can't sign into my Apple account that would be more troublesome since I like to use Apple Music from my Windows boxes occasionally.

I’m under the impression that in a modern browser that supports FIDO, it should work fine.
That iCloud for Windows bit is troubling, right now it’s just photo syncing but I’m not sure if it also affected iTunes, or the upcoming Apple TV+ and Music apps. (They all use the same iTunes auth library underneath)
There's more than just photo syncing in iCloud for Windows. It's an iDevice backup sync. It can be used to sync files with any app that supports the Files app (and even some that don't but supported certain older app-specific file folders). It does some Apple Keychain syncing with Edge. It does some Contacts sync and backup. It can do some account recovery help if you don't have handy access to another iOS or macOS device but have been signed into iCloud for Windows for long enough.
> It's an iDevice backup sync.

That's exclusively iTunes (or soon the Apple Devices Windows 11 app), if I remember correctly.

> It can be used to sync files[...]

Right, there's also iCloud Drive.

> That's exclusively iTunes (or soon the Apple Devices Windows 11 app), if I remember correctly.

To my understanding: wired backups are still done in iTunes (or the new Apple Devices app), but if you want an on-premises copy of a wireless iCloud backup you'd copy it from iCloud for Windows. Though glancing at it now I don't see that option/how to do it so either my understanding is wrong or I briefly glimpsed an A/B test at some point or I'm confusing something I saw on a different device than Windows.

Isn’t it odd that Apple are not yet selling their own security keys?
Wouldn't be surprised if they do at some point.
For 99% of the population the existing approach i.e. verifying on another Apple device is sufficient.
Or would be, if Apple devices did not routinely prompt you for your password. I find this incredibly annoying since my Apple ID uses one of those long, irregular passwords automatically generated by password managers and in the context where Apple wants your password there's no way to cut and paste it. I can use my phone with touch ID to authorize a $20k purchase but if I want to install a free app from the App Store I need my stupid password. I wonder why they do this.
So people don't forget their password and as a liveness check.
If they insist on this, I think it would be nice if they rigged their backend to allow me to enter the password from any of my devices. They already allow this from the Apple TV+ app on smart TVs, so the technical precedent exists within Apple.
I haven't had to enter my Apple ID password to install an app since I setup my phone. Just Face ID verification. Maybe you have this setting toggled? https://support.apple.com/en-us/HT204030

Or maybe Apple is just deciding to require it from you for mysterious reasons. Your IP could have a bad reputation and they're not sure if it's you. Though I think they sometimes they require the password just to keep you from forgetting it.

My assumption has been that they want your iPhone itself to be your key.
Not really. Doesn't seem like much for Apple to add on top.

I wouldn't be surprised if Apple starts selling the keys through it's own retail channels.

Will be interesting to see. I’m not sure they want to encourage people not already familiar with Yubikeys to use them. Impulse “hey this is cool” purchases might be a huge PITA.
At this time, the market is too small, and Apple can't possibly make their desired margins on them and compete with the others on the market. It's just not worth it.
So it's weird that Google sell their own Titan security key, though their bar is lower than Apple
the Titan keys I have are white-label product made by a Chinese company called Feitian

with Google branding slapped on them (of course)

And most Apple products are made by a Taiwanese company manufacturing in mainland China based on Apple's instructions with Apple branding slapped on them (of course).

The difference is just the 'Designed in California' part, which in the case of a security key should be negligible in terms of cost outlay.

The statement was

> the Titan keys I have are white-label product made by a Chinese company called Feitian with Google branding slapped on them (of course)

”White label” implies that you can buy the same exact hardware with other branding slapped onto it from other places (https://en.wikipedia.org/wiki/White-label_product)

You can’t do that with most Apple products. Even if Apple didn’t design them themselves, you can only buy them from Apple

It’s for google cloud / enterprise customers.
> At this time, the market is too small, and Apple can't possibly make their desired margins on them and compete with the others on the market.

Disagree.

There are over 2 billion Apple devices deployed and tens of millions more get sold quarter, so market size isn't an issue.

There's no reason to believe Apple wouldn't be able to get their average margin of around 35% on a security device if they wanted to.

And what competition? The Apple branded security key would be the only one available via the online store that can be bundled with any Mac, iPad or iPhone purchase. And certainly the only one designed specifically for the Apple ecosystem.

It's just a matter of whether or not Apple can add features above and beyond what's typically available.

An easy one would be Find My integration like the AirPods Pro 2 case or the AirTag. Using Find My, the owner could periodically check (or Apple could automate it) that security key is where it's supposed to be, like a relative's house or bank deposit box.

Adding a U1 chip would allow the security key to be found if it were misplaced in a user's home… or in the event of a natural disaster like an earthquake.

And of course they could add TouchID to it, acting as a second factor so only the intended user could use it.

I'm sure I'm just scratching the surface of all the features Apple is uniquely positioned to add to a security key.

They're going with Passkeys.
As others have said, Apple devices can now br passkeys, which is just a new term for WebAuthn + FIDO support. The linked article is about logging into your Apple ID, so you of course want another key for logging into that. But for other sites that support FIDO2+WebAuthn, I believe an Apple device can already function as a security key.

Further reading:

- Apple's passkey security doc: https://support.apple.com/en-us/HT213305

- I liked this overview of Passkeys vs Yubikeys, but of course it's a bit biased: https://www.yubico.com/blog/a-yubico-faq-about-passkeys/

So I’ve been thinking about this for a good long while now and I’m not really sure whether this increases the security of your account or not.

On one hand, you can’t accidentally or absent-mindedly approve a request from someone else on your phone with a YubiKey. On the other hand, with device 2FA you generally need to be present (Face or Touch).

If someone were to steal your yubikey then they’d be able to perform a step that previously you’d have needed to be there for.

I’m guessing MFA (password + presence + YubiKey) is too much of a catastrophic lockout risk to be supported.

You could get the bio version of the Yubikey. Or some other FIDO2 key with biometrics.
> If someone were to steal your yubikey then they’d be able to perform a step that previously you’d have needed to be there for.

Several security keys are protected themselves with an additional factor. There are, for example, Yubikeys which are unlocked by your fingerprint: this now requires the thief to not only steal your Yubikey but also have the skills required to reproduce your fingerprint.

There are also several U2F devices protected by a PIN. The "Only key" uses one PIN to register a service (which you do once per service) and another PIN to authenticate to the service (so you cannot easily be tricked into registering instead of authenticating). The Ledger Nano U2F app is also protected by a PIN and has its own little screen so it displays the name (or the identifier) of the service you're either registering or authenticating to (and tells you if you're actually going to register or authenticate), is protected by a HSM and factory resets itself after three wrong PIN.

I'm using the later to SSH now (requires a moderately recent version of OpenSSH: latest Debian stable is sufficient for example).

> this now requires the thief to not only steal your Yubikey but also have the skills required to reproduce your fingerprint.

Or the thief can “steal” a couple of your fingers too and have unlimited access to your fingerprints. Oh, wait, is that just a movie thing?

All FIDO keys support a PIN. It’s off by default when using them as 2FA because you already insert a password, but you can turn it on. It’s also required for passkeys or generally when using security keys as single factor.
> All FIDO keys support a PIN

CTAP 2 compatible keys, e.g. FIDO 2 (certified or not). Older U2F-only keys won't support a PIN.

Yubico makes a key with a fingerprint sensor. And you can use a PIN.

https://www.yubico.com/product/yubikey-c-bio/

I wish people would understand that biometrics are great for identification, but not for authentification.

In the case of fingerprints, you leave them on pretty much everything you touch, meaning obtaining a copy of your fingerprint in most cases is just a question of stealing the glass you were drinking from at the bar.

It's the equivalent of leaving little notes with your password everywhere you go.

It is there for convenience, if you need something more secure you can set up pin on your key, apple uses it.
Some of the most secure fingerprint sensors check for the temperature of the finger and/or detect the pulse.
(comment deleted)
This is mostly good news, but would best be coupled with a promise to add security key support to iCloud for Windows. Over the long term, iCloud users shouldn't have to choose between good security, on the one hand, and keeping the cross-platform support they may already rely on and which may even justify their choice to buy a paid iCloud subscription, on the other.
Agreed. I've moved to iOS devices for my phone and tablet but am still on Windows for the foreseeable future. I might make the move to Mac with my next laptop refresh but I expect that to be at least 2 years away. I'm an iCloud subscriber but can't utilize this upgrade until then.
I have a single yubikey so I'm not setting up this. I do use the yubikey but keep 2FA recovery codes from most services.

I do however have an unused Ledger X laying around. Does anyone knows if the Ledger X could act as a security key? Thanks in advance.

> I do however have an unused Ledger X laying around. Does anyone knows if the Ledger X could act as a security key? Thanks in advance.

I don't have a X but I've got a S which I only use for U2F (well, webauthn now really). Chrome deprecated and now removed U2F support so moving forward it's webauthn but U2F devices are compatible with webauthn.

So yes it works. I use it to log on to several services and I use to log on using SSH.

Anyway here's a video showing how it works on a X:

https://support.ledger.com/hc/en-us/articles/115005198545-FI...

Now I don't know if it specifically work for this new AppleID "dual security keys" thing.

Unlike most WebAuthN services, Apple requires FIDO-certified keys. Are you sure the Ledger is?
Probably not, given that Apple requires a FIDO-certified key, and the Ledger almost certainly isn't.
Didn't work for me with the Ledger Nano X. Screen prompts for confirmation to register the key for a fraction of a second (on the Nano X), then goes back to the main screen, then back to confirmation (in a loop). I tried to confirm the "registration" screen during the brief time where it showed but wasn't successful.
> You can't sign in to iCloud for Windows.

Of course not

(comment deleted)
Yeah, this is disappointing. Especially since Windows, more broadly, has more robust smart card and security key support. And Edge/Chrome both support FIDO2/WebAuthn and there is a great iCloud password manager extension for Windows browsers (but not for non-Safari browsers on iOS)
What happens if you lose your Yubikey? Are there scratch codes?

It's bad enough now if your house burns down with all your iOS devices in it.

It's recommended to always have a backup key stored in a safe location for this reason.

The article actually says so:

>At least two FIDO® Certified* security keys that work with the Apple devices that you use on a regular basis.

>You must add and maintain at least two security keys. You can add up to six keys.

Ahha I missed the "at least two" part. I can get behind that no problems at all. Now all I need is a USB-C hole in my iPhone...

Edit: ok they come in NFC as well. There goes €100...

> There goes €100...

If cost is a concern, you're buying the wrong keys. You can get FIDO-certified CTAP2 tokens for much less these days (even Yubico's is only about €25 apiece).

Cost is not a concern.
You use your backup key, that you must have. Apple won’t let you use this with a single key.
And if the backup key is lost? Most safes aren’t really THAT fireproof
You can have more. But honestly if my house burned down and I lost my fire safe too, IDGAF about my Apple ID.

And if I did care that much, I’d put one off site.

It's more than just that. I'm not going to have a separate backup key for each online service - I'm going to have one main key and one main backup. That means the backup needs to be accessible so every time I add the main key to a login, I can add the backup too.

This rules out keeping the backup in an actually safe place, like a lockbox at a friend's, at the bank, etc. and means the safest option you have is a "fireproof" safe in the same home.

> It's bad enough now if your house burns down with all your iOS devices in it.

This is what recovery contacts are for.

My wife’s devices would all burn as well. So now I have to ask a friend, which just feels weird. And hopefully they stick to Apple devices (my son switches back and forth).
I have an extra YubiKey and a printout of my 1Password stuff and my Apple FileVault key printed out and in a safe deposit box. I’m not paranoid about a lot of stuff, but in the event there is a catastrophic incident and all of my devices are impacted (I personally have 4 Macs, 3 iPads, two iPhones and multiple Apple Watches), the important stuff is available if my emergency contacts aren’t.
To answer your question, though -- yes.

There is a backup key also generated that you can either print or save elsewhere. You must retype the backup key to continue.

Curious, I am somewhat paranoid about leaving me keys or wallet in my jacket at a gym but if I had a security key, I'd be pretty terrified. Does having a key mean you still need a password since it's 2 factor? If you lose a key, do you need a backup master password like using auth apps?
> If you lose a key, do you need a backup master password like using auth apps?

Yes. If you only have one key enrolled and no other recovery mechanism, you're now locked out forever. That's why Apple are pushing you to have two keys as a minimum.

(comment deleted)
When you log in to your account you have to provide your password and also use the key.

You can choose a key that has an additional factor built in, such as a fingerprint reader.

If you lose one of the keys you can authorize a new one.

If you lose both of the keys and all the Apple devices that you can log into directly, e.g. with fingerprint sensor on a Mac, then you're SOL.

Get a pouch for your water bottle that has a pocket for your keys.
Correct. Apple will prompt you to create a recovery key or assign a "Recovery contact" before you can enable support
I do wish they’d add better support for the mac with a key. I know it’s a little separate, but I’d really like to lock down my max with my yubikey(s).
Can't you sign in using the smart card part?

https://support.yubico.com/hc/en-us/articles/360016649059-Us...

You can but it’s key + pin OR password, not key + pin + password. I’ve tried a bunch of different setup configurations and can’t get it to work as a true 2FA like it should.

I did get it set up correctly at some point but an OS upgrade wiped the settings. I’ll have to try it again, but the path for setup isn’t as easy as it seems.

(comment deleted)
I wish thus would work for password prompts for macOS on machines that aren’t able to use a fingerprint sensor, like my 2020 Intel iMac. I know I should upgrade that to a new M2 Max or something (I have two M1 Max notebooks), but the GPU and 128GB of RAM I have on the iMac, not to me than the fact that it runs Docker and VMs better, really keeps me from phasing it out. But although the Apple Watch is a decent compromise, I really wish I could use my YubiKey for admin passwords or for login stuff.
You can use the PIV functionality of a yubikey to act as a smartcard, and you can log in and sudo authenticate with the yubikey and a PIN.

https://support.yubico.com/hc/en-us/articles/360016649059-Us...

Oh awesome, thanks! Not sure if this would be any faster then just typing the password, but thanks!
One advantage is that a PIV PIN can be much shorter than a password and still be secure (because the smart card/Yubikey enforces attempt limiting in secure hardware).
> What's required for Security Keys for Apple ID

> A modern web browser. If you can't use your security key to sign in on the web, update your browser to the latest version or try another browser.

It doesn't seem like Firefox 108 supports this. Does anyone know if Firefox beta or nightly work to sign into iCloud with hardware security keys for 2FA?

---

Just confirmed that Firefox beta (109) doesn't support iCloud's sign in, either.

That's odd, because I can sign into (on-prem) Confluence with my Yubikey (5 NFC) as the MFA via Firefox. I get a little Windows "tap your key" prompt and everything.
Firefox supports U2F. Webauthn is backwards-compatible with U2F. However as a website you can choose whether you want to actually support U2F or only FIDO2. Maybe Apple opted to not do it.

However when I look at the JS code in appleid.apple.com there does seem to be code for U2F code surprisingly.

Firefox on macOS unfortunately has very poor WebAuthN support, in my experience.

It only supports legacy U2F keys/mode, as far as I know, and Apple seems to require CTAP2.

Firefox team simply has been refusing to implement the Webauthn spec for years now. It's extremely frustrating and is probably still years away as nobody seems to be actively working on it in any capacity.
This is awesome news! My YubiKey keeps becoming more and more useful over time, it's excellent. Yubi Authenticator giving me TOTP has been lovely (I have two keys that I always add the codes to each, one kept safe the other used regularly), and now more and more support for FIDO/U2F etc. across all my important accounts. Apple ID was one of the last hold outs, this is so good
I find the phrase "Lightning connectors work with most iPhone models." really strange as the latest incompatible iphone would be the iphone 5, is this them foreshadowing a usb-c iphone?
> is this them foreshadowing a usb-c iPhone?

Apple confirmed that USB-C is coming to the iPhone last fall [1].

[1]: https://www.theverge.com/2022/10/26/23423977/iphone-usb-c-eu...

Pedantically, no they didn't. They said they'd comply with the law, and another way to do that would be to remove the charging port entirely. (To be clear, I do think they'll add USB-C. I am just frustrated by the press's ongoing willingness to take an ambiguous statement and turn it into an absolute certain outcome in a headline.)
He was asked directly:

"Is Apple moving to USB-C"

If his response is "..obviously we will have to..." then I don't think it's unreasonable for the headline.

If he was asked "Is Apple going to comply with EU Law" and his response was the same then I think it leaves room for interpretation, but we're humans, not computers. He was asked a question and he provided an answer to that question and the headline reflects what a reasonable person would infer. If that's not the case then I think that speaks more to his trustworthiness than that of the articles writer.

I'm hesitant to rely on security keys after two of my Yubikey 5cs broke in the same month after ~3 years of ownership. Do we understand the lifetimes and and stability of these devices?

I think hardware security make a ton of sense for an enterprise environment, where you can go to IT and prove your identity to regain access. But, for something like Apple or Google - I'm sure the recovery process is not as easy.

For a hardware crypto wallets, people go to extremes - safety deposit boxes, fire-proof recovery phrases, etc. But, for me - losing access to my core online accounts would be more destabilizing than losing money on a hardware wallet. Yet, we don't have the ultra-reliable backup methods in place for web auth like we do for crypto wallets.

The security key here isn’t used for every login. So if you were to lose both it’s not like your account is completely disabled and all data lost. I think you can even use still use your Recovery Code.

The Security Key here primarily replaces the 2FA authentication method for adding new devices to your account.

From Apple’s own documentation:

When you use Security Keys for Apple ID, you need a trusted device or a security key to:

- Sign in with your Apple ID on a new device or on the web

- Reset your Apple ID password or unlock your Apple ID

- Add additional security keys or remove a security key

I believe if you lose both you can still add another as long as you have access to a device that’s still logged in.

The biggest hole in Apple’s security model, and one which has been documented to have been exploited many times, is people using phishing tactics to get the 6-digit 2FA code to gain iCloud access, adding a new device, then downloading the unencrypted backup from the victims primary device from iCloud. Security Keys and E2EE now make this impossible.

> I'm sure the recovery process is not as easy.

A lot of services offer one-time backup codes and connecting multiple 2FA devices. Making Yubikey a single point of failure is certainly a bad idea.

I deployed 1000+ over 3+ years, and never had one break. It’s anecdata and I believe they can fail, but we never saw it once.

Using the A and C nanos. Helped they were permanently in machines though. No mechanical risk.

How did you end up recovering when your Yubikeys broke?
You usually have some kind of backup codes when you set up a second factor auth
I didn't. I smashed them with a hammer and replaced them with new ones!
Wow, that's a bit scary to hear about. Maybe have 3 and test them monthly on a rotating basis.
Am I the only one who feels lost in all those new security technologies and their various permutations, specifically understanding what's secure, how to back it up etc? We have TOTP, 2nd factor, password managers, security keys, hardware security keys, passkeys, windows hello etc/etc..
It's not just you.

Usernames and passwords are easy, if insecure. Type username, type password, done. Get admin to reset password if you forget. Put in password manager if one account is used by a team.

Security keys are hard. Needing a physical key around every time you have to log into something is annoying. Backups are hard, because off-site backups can't be done over the Internet. Self-service hardware tokens for services with infamously bad customer service is highly risky. Resetting an account if a key is lost or locked requires physically transferring hardware, which can be hard if someone is traveling, or can cause days of downtime. Team access is basically impossible if an account is secured with a physical key.

Authenticators are fine, except if you lose a couple of smartphones too close together, or you need a team to access one account. Password managers that let you securely store the QR code, or actually generate the key put the MFA in the same place as the rest of the credentials, which is not ideal but increasingly necessary for the same reason password managers came into existence in the first place.

Windows Hello and FaceID are actually pretty good, although fingerprint-based biometrics can be a little hit and miss. Not that a decent proportion of Windows users have Hello-compatible hardware. Interestingly, two TV shows in just the last few months (The Peripheral and, believe it or not, Mayfair Witches) have had a moment where a phone belonging to a dead or unconscious person was unlocked by showing it their face, so the shortcoming are entering public knowledge.

We can "all" agree that passwords are "bad", but we cannot agree on what to replace them with, mostly because the level of computer literacy for most solutions is much higher than just typing in a username and password. I can bang out the stuff above because, as an IT professional, I've experimented with KeePass, Windows Hello and Yubikeys in the last six months, buying my own hardware, to try to find some level of opsec that could be used by our customers. All I've done is highlight the lack of commitment to IT in general and training of all kinds in basically all of our customers.

> Authenticators are fine, except if you lose a couple of smartphones too close together, or you need a team to access one account.

When you enable TOTP with a service, you can extract the TOTP secret and do all of the above with it -- backup to storage, copy to new devices, distribute to multiple people, etc.

If the service offers something other than a QR code that you did something with other than just adding into a one-way Authenticator, sure.

I have a couple of TOTPs trapped on crappy apps because I didn't care at the time and can't easily refresh them. However, now I use apps that parse the QR code and store the config in an exportable way.

As we change every damn password in our company LP account, moving it to Bitwarden at the same time, we will implement TOTP MFA wherever we can. If you screenshot the QR code and load it into the accound with the app, all the team with access can use it. It's our next best step. (Once the boss gets the new account sorted.)

FIDO passkeys are supposed to deal with the fiction and provisioning issues you highlight with current fido keys in consumer applications. In enterprise, the status quo is a little more acceptable because generally you have one or a pair of physical keys provisioned to your profile in an IdP that you use across all your apps, and you have a known support structure if your key and backup get lost or fail.

In the consumer realm one has to deal with a gajillion different identity authorities so replacing keys or doing recovery because you lost one is a giant pain in the ass. Supposedly passkeys is targeted at that problem.

https://fidoalliance.org/passkeys/

With all the confusion though, at least we're fortunate there aren't too many long lived "fake" secure systems out there. The IT community seems to love to expose flaws and scams very publicly, very fast. All in all I think we've made good progress in the last decade. Things can always be easier, but to some point it does become the burden of the user to understand security.
>Interestingly, two TV shows in just the last few months (The Peripheral and, believe it or not, Mayfair Witches) have had a moment where a phone belonging to a dead or unconscious person was unlocked by showing it their face, so the shortcoming are entering public knowledge.

You cannot do that with a faceid device, unless the security have been downgraded. It will check for eye activity.

Yes, you can, if the device's owner is wearing glasses.
Do you have any references for that?

I wear glasses and it still check for activity in my face.

Wrong. There is a setting called "Require Attention for FaceID" that is on by default. If the user is wearing sunglasses, sometimes FaceID fails and so that might be a reason why you would turn this off. It works fine with clear glasses.
Yes, handling security keys (custody) is difficult. I think the custody layer is incomplete and we also need more MPC (multi-party computation) features. For example distributing keys along multiple devices and requiring a subset of them to rebuilt it. The problem with the security approaches presented by Apple, Google, et al is that you end up with a single or two dimension of failure: it is easy to forget the key at the end of the chain (e.g. when you travel).
Let me try and explain some of the terminology (I'm not an expert either so I appreciate corrections from anyone reading).

A password manager just helps you store your passwords, and automatically inputs passwords for you. This makes it easier to use a variety of strong passwords. Also the password manager can check for a domain name match before doing its automatic input, which helps provide phishing resistance.

"2nd factor" or "multifactor" essentially just means adding on something in addition to passwords. That could be in the form of:

* TOTP = "time-based one time password". Use an authenticator app on your phone to input a 6-digit code which changes every 30 seconds or so.

* "security keys" / "hardware security keys" -- a dedicated device that allows you to authenticate, e.g. via USB or NFC. Generally considered more secure than TOTP, because the code is more than 6 digits worth of entropy, and also it forces the website requesting the code to authenticate itself before it provides the code (again, helps with phishing resistance).

I don't know anything about passkeys or Windows Hello.

As for backup, you should be able to transfer all of your TOTPs from one phone to another by scanning a QR code. For hardware security keys, you can buy multiple keys, register all of them, and keep them in different places. Then if you lose one you just use one of the others (and register a replacement to maintain redundancy).

For the TOTP, if you're worried about losing your phone, usually when you set up a TOTP you can also copy down some single-use "scratch codes" that can work as a backup if your phone breaks or something like that.

> For hardware security keys, you can buy multiple keys, register all of them, and keep them in different places. Then if you lose one you just use one of the others (and register a replacement to maintain redundancy).

Do I need to have all keys in my physical possession to register them with a new account?

I could imagine having some backup keys in different places, but if I need to collect them every time I want to register them for some new account or service, it sounds like a lot of trouble.

(And if the process is too much trouble, the result would be that: (1) I don't use the hardware keys for those accounts, which is less secure; (2) I only register my primary key that I keep nearby, which is dangerous if it would get lost or broken; or (3) my backup keys end up at the same place as the primary one, due to forgetting or being too lazy to put them back, which is also dangerous…)

>Do I need to have all keys in my physical possession to register them with a new account?

Yeah I think so. Good points.

I feel more like restricted.

I made the effort to look into security solutions for my important accounts (password only is not that!) and chose a security key solutions but the various providers have very uneven support for that - for example Apple was one notable case. Several forcing you to use phone number based solution (including banks) if you opt for secure ways but that is inadequate and risky on a whole different way for my case. Unacceptable.

It is the strong password case all over again: I took the effort to build up a layered approach seting up memorable but strong password categories for the different categories of accounts I have just to be rejected by the odd ones: you are not allowed to use that character! And sometimes: your password must be shorter! Forcing me to their ways, hugely reducing security. Not enough choice.

I'm not, but I do crypto (as in PKI, smartcards) stuff, so let me try to explain some of the thinking behind hardware keys.

The idea of a second factor is that "something you have" is hard for an attacker to also have, however, proof of having something usually means "proof that you know some secret" and that secret itself can often be copied.

The lazy "proof you have" something is SMS auth, i.e. proof you control a phone number. However this isn't great, since in some jurisdictions ringing your mobile provider is enough to get control over that number.

TOTP then says: let's assume you have some secret seed and I also know it. If I take a hash of it (HOTP) and include some time information I have a code valid for a small window that is hard to steal. The benefit is that everywhere this secret exists you can have an authenticator. The downside is that this is rarely a separate device to your computer. You also are going to enter your code into a website... and that might not be the right website, allowing capture of the code via phishing.

The standard for legal, qualified digital signatures in the EU is to have non-extractable keys generated on hardware devices and never backed up. Why? Well, if you lose the hardware token (or it is damaged) you don't lose access to encrypted data, just the ability to sign documents. At this point you have an annoying dance to do to be issued a new token, but allowing backup of the signing key means signatures may be repudiated (because someone else could have stolen the backup).

The same goal applies to U2F / FIDO certified security keys. U2F generates a unique key-pair per authentication target and that private key never leaves the authenticator. This gives you two things: 1) a binding between your target service and your device. Phishing becomes a lot more difficult unless you can present the right challenge-response to the authenticator, and 2) an authenticator you physically need to have present, but don't need a pin or awkward copy-paste of a code to use. You aren't using this key for encryption, but for authentication, so, the backup strategy is: have multiple keys. If you lose one, you can delete that entry from respective accounts.

Password managers exist because some websites are password-only and even if not, you can't always trust they employed argon2id as a password hash. It also saves you having to remember multiple passwords. Your password database is something you will need to keep backed up.

Personally I keep printed recovery codes of really important accounts, spare registered security keys, and a disk with my password database on in a safe place.

My family is adept at forgetting passwords and losing physical devices. Keeping track of air pods is a complete nightmare. I can't even imagine adding extra physical devices where I'd have to manage the backups and constantly purchase new ones. Having gone through the hell of dealing with recovering iCloud accounts while not having a bunch of spare Apple devices laying around, I refuse to go beyond SMS for 2FA. Yes, it's certainly less secure, but it's something I can manage and control outside of the Apple ecosystem.
No, and I think that TOTP is sufficient for 99% of cases, but hey that hardware key really makes the difference between a geek and someone else :) plus, there seems to be a recession going on, get out and throw another 2*40 $ to yubico now! :)
Will this disable fallback to text message 2fa? Or is there another way to disable it?
The setup process requires you to generate a 28 digit recovery code and enter it to confirm.
(comment deleted)
Can anyone tell me why nobody supports the Google Titan hardware key? It seems that the only thing it works with is Google itself.

I was hopeful that the Titan would be supported with AppleID, but reading the page it doesn’t look like it.

It works fine for me on GitHub, Microsoft, AWS and many others.
Probably just a lack of awareness. If you read the support page closely, Yubikey 5 is given as an example of a supported FIDO2 key, but I’d bet that the Titan works as well.

It’s kind of like how Google clearly states that you need to use Google Authenticator (tm) as 2FA for your Google account, but really any TOTP app will work.

It's because it doesn't implement FIDO2 but only the older U2F standard. It's a bit of a dated key and I wouldn't recommend it.
I understand the logic of requiring two keys, but why can't I have password + (security key OR single use code). This is what most services support - for something like GitHub I have an authenticator app on my phone or my YubiKey as the second factor, and can use either. That actually provides more redundancy against lost keys/devices than I have now, since if I lose all my Apple devices I'm locked out.
> but why can't I have password + (security key OR single use code)

That’s actually pretty close to what they support, except that the OPTs are only sent to your trusted Apple devices (you can’t use an arbitrary TOTP app).

> since if I lose all my Apple devices I'm locked out

They also support a 28 digit recovery key you can print out and a method for trusted contacts to help recover your account.

> They also support a 28 digit recovery key you can print out and a method for trusted contacts to help recover your account.

Suggesting you shouldn't be required to have multiple keys?