
Ricky Mondello

I’ve been getting a lot of questions about Security Keys for Apple ID. I can answer almost all of them by quoting this:

“This feature is designed for users who, often due to their public profile, face concerted threats to their online accounts, such as celebrities, journalists, and members of government.”
~ apple.com/newsroom/2022/12/app

Read that again. :)

Also, opting in to using security keys with your Apple ID doesn’t impact passkeys and iCloud Keychain. Security keys and passkeys are different.

Apple Newsroom · Apple advances user security with powerful new data protections: iMessage Contact Key Verification, Security Keys, and Advanced Data Protection for iCloud provide users important new tools to protect data.

@rmondello Thinking of the Phoebe/Joey meme: “this feature is for nerds!”

(Note: as much as I think it’s cool I’m not touching it 😁)

@rmondello ah, the “as someone that fancies themselves a bit of a nerd, every security feature must be justifiable to my personal circumstances as someone that never has and probably never will be subject to a targeted attack” effect.

@rmondello maybe not solely for Apple, a security key is also good for other services though

@rmondello The only thing that isn’t clear to me is /when/ I’ll be required to present a security key? Is it only when authenticating on a new device?

I thought I would be prompted for one when logging into appleid.apple.com after adding my security keys, but I was not.

Apple ID · Your Apple ID is the account you use for all Apple services

@barkerja @rmondello

I was prompted for a security key today when I logged on to appleid.apple.com. Perhaps it was because a previous session had expired.

@barkerja @rmondello

Now that I think of it, I think I opened it in a private browsing window to see if I would be prompted for the security key.

@captainslim @rmondello I just tried it again in a private tab, and didn’t get prompted for the security key. But I am logging in from my iPad and I wonder if it’s treating it (using Face ID) as the second factor?

@barkerja Hmmm… I just tried it again from a private browsing window and got in with Face ID. Before I had to do username/password/security key.

Face ID is what I hope would happen. I think it’s doing a webauthn login using your trusted device as the authenticator, which makes sense, so I wouldn’t expect to have to use a security key. I’m not sure why I got prompted for it before.

@rmondello two questions, can a security key be used for other services, or would an Apple ID-bound key be locked to just apple? And can I provision more than 2 keys, in case I need more form factors/backups?

@Migueldeicaza @rmondello in theory the security key doesn’t “know” what it’s been connected to, does it?

@Migueldeicaza Yes, a security key can be used for as many services as it works with. And yes, you can provision >2 keys, if I’m not mistaken.

@Migueldeicaza @rmondello here is a good explanation of how a security key can be used with an unlimited number of relying parties (websites), each of which gets its own public/private keypair. The trick is that the non-resident private key is either key-wrapped and sent to the website for storage and later unwrapping using the device's private key, or in the case of the Yubikey the keypair is deterministically recreated every time you authenticate for a specific website.

duo.com/labs/tech-notes/how-se

@grempe @Migueldeicaza @rmondello I believe Apple, Microsoft and some others are creating discoverable credentials to better provide passwordless flows. Wrapped credentials need a userID and often a password to be entered first so the RP can find the correct account to get the list of registered credentials. So there is a limit to the number of discoverable credentials that can be stored on a physical key. The number is typically more than the number of sites making discoverable credentials

@Loginllama @Migueldeicaza @rmondello

Yes, but I think this usage is still pretty rare. I've never personally encountered it. Maybe that will change for high value credentials?

But the most common FIDO2 security key use cases today rely on non-resident keys. So unlimited.

Here's a better description than I can muster. I'm no expert in this area, just interested.

developers.yubico.com/WebAuthn

developers.yubico.com · Resident Keys
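The two mechanisms discussed over the last few posts, the key-wrapping / deterministic re-derivation that lets a non-resident credential serve unlimited sites and the slot-limited resident credentials that can be found by rpId alone, as one runnable toy model. This is an added example, not code from any of the posters or from Yubico's or Apple's implementations; `ToyAuthenticator`, `RelyingParty`, `RESIDENT_SLOTS` and the 127-bit Schnorr group are constructed for illustration and stand in for a real authenticator's ECDSA P-256 keys and device-specific slot count.

```python
"""Toy model of one FIDO2 security key serving unlimited relying parties.

Added illustration for this thread, not code from any poster, Yubico or Apple.
Non-discoverable credentials: the key stores nothing per site; the per-RP key is
re-derived from a device secret plus a nonce carried in the credential ID, whose
MAC also binds it to the rpId. Discoverable credentials: stored on the key, found
by rpId alone, capped by RESIDENT_SLOTS (a constructed number). Signatures are a
toy Schnorr scheme over Z_p^* (p = 2**127 - 1); real keys use ECDSA P-256.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1       # Mersenne prime; toy group, far too small for real use
G = 3
Q = P - 1            # exponents reduce mod p-1 (Fermat), so any base works
RESIDENT_SLOTS = 4   # constructed capacity for the demo


def _h(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")


def public_key(priv: int) -> int:
    return pow(G, priv, P)


def schnorr_sign(priv: int, msg: bytes) -> tuple[int, int]:
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    e = _h(r.to_bytes(16, "big"), msg) % Q
    return e, (k - e * priv) % Q


def schnorr_verify(pub: int, msg: bytes, sig: tuple[int, int]) -> bool:
    e, s = sig
    r = pow(G, s, P) * pow(pub, e, P) % P      # g^(k - e*x) * g^(x*e) = g^k
    return _h(r.to_bytes(16, "big"), msg) % Q == e


class ToyAuthenticator:
    def __init__(self, device_secret: bytes):
        self.secret = device_secret
        self.resident: dict[tuple[str, bytes], int] = {}

    # non-discoverable: nothing stored, key recreated from the credential ID
    def _derive_priv(self, rp_id: str, nonce: bytes) -> int:
        return _h(b"key", self.secret, rp_id.encode(), nonce) % Q or 1

    def _tag(self, rp_id: str, nonce: bytes) -> bytes:
        msg = b"tag|" + rp_id.encode() + b"|" + nonce
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:16]

    def make_credential(self, rp_id: str) -> tuple[bytes, int]:
        """Registration: hand back (credential_id, public_key), store nothing."""
        nonce = secrets.token_bytes(16)
        cred_id = nonce + self._tag(rp_id, nonce)
        return cred_id, public_key(self._derive_priv(rp_id, nonce))

    def get_assertion(self, rp_id: str, cred_id: bytes, challenge: bytes):
        """Authentication: re-derive the key; refuse IDs not minted for this rpId."""
        nonce, tag = cred_id[:16], cred_id[16:]
        if not hmac.compare_digest(tag, self._tag(rp_id, nonce)):
            return None
        return schnorr_sign(self._derive_priv(rp_id, nonce), rp_id.encode() + challenge)

    # discoverable: stored on the key, listed by rpId without a username
    def make_resident(self, rp_id: str, user_handle: bytes) -> int:
        if len(self.resident) >= RESIDENT_SLOTS:
            raise RuntimeError("resident credential slots exhausted")
        priv = secrets.randbelow(Q - 1) + 1
        self.resident[(rp_id, user_handle)] = priv
        return public_key(priv)

    def discover(self, rp_id: str) -> list[bytes]:
        return [uh for (rp, uh) in self.resident if rp == rp_id]


class RelyingParty:
    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self.creds: dict[bytes, int] = {}   # credential_id -> public key

    def register(self, key: ToyAuthenticator) -> bytes:
        cred_id, pub = key.make_credential(self.rp_id)
        self.creds[cred_id] = pub
        return cred_id

    def login(self, key: ToyAuthenticator, cred_id: bytes) -> bool:
        challenge = secrets.token_bytes(32)
        sig = key.get_assertion(self.rp_id, cred_id, challenge)
        return sig is not None and schnorr_verify(
            self.creds[cred_id], self.rp_id.encode() + challenge, sig)


def demo_unlimited_sites(n: int = 50) -> bool:
    """One key, n sites, zero per-site storage on the key; every login verifies."""
    key = ToyAuthenticator(secrets.token_bytes(32))
    rps = [RelyingParty(f"site{i}.example") for i in range(n)]
    ids = [rp.register(key) for rp in rps]
    return all(rp.login(key, cid) for rp, cid in zip(rps, ids)) and not key.resident


def demo_rp_binding() -> bool:
    """A credential ID issued for one rpId is rejected under a look-alike rpId."""
    key = ToyAuthenticator(secrets.token_bytes(32))
    cred_id = RelyingParty("icloud.example").register(key)
    return key.get_assertion("lookalike.example", cred_id, b"c") is None


def demo_resident_limit() -> tuple[int, list[bytes]]:
    """Resident credentials are found by rpId alone but run out of slots."""
    key = ToyAuthenticator(secrets.token_bytes(32))
    made = 0
    try:
        while True:
            key.make_resident(f"rp{made}.example", b"user-handle")
            made += 1
    except RuntimeError:
        pass
    return made, key.discover("rp0.example")
```

The point the model makes concrete: with a non-resident credential the authenticator has no per-site table at all, so there is nothing to run out of and nothing that reveals which sites a key has been enrolled with, while the MAC in the credential ID still ties it to the rpId that issued it. The resident path trades that for username-less login and a finite slot count.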

@grempe @Migueldeicaza @rmondello Today most sites use non-discoverable credentials. However this started as a thread on Apple's use of security keys to secure iCloud accounts. That is using discoverable; Microsoft live.com is using discoverable. Discoverable is an option for GitHub accounts. Yahoo Japan is also using discoverable. The minority now but the direction Apple, Google, and Microsoft are pushing the market.

@Loginllama @Migueldeicaza @rmondello

I'd like to learn more. Have any links you can share about the details of how the sites you mentioned are utilizing security keys?

@grempe @Migueldeicaza @rmondello I think a not-bad security vs convenience trade-off is using Google or Apple passkeys and securing the underlying account with physical security keys to prevent that from being phished and compromising all your credentials. The target value of an iCloud account goes up if it contains both factors of a bank login. I think securing the iCloud account is worth doing for more than just people subjected to targeted attacks.

@Loginllama @Migueldeicaza @rmondello I'm personally waiting to see what @1password does with passkeys before I commit to any particular ecosystem for syncing passkeys. I'm afraid of having keys backed by multiple browsers or OSes where there are hurdles to using the passkey cross app/platform. 1p is potentially my one stop shop for usage across all. If it works how I think it will.

Your point about having a hardware key to backstop access to iCloud with passkey data added is a good one.

@grempe @Migueldeicaza @rmondello @1password Apple and Google need to make APIs available on mobile operating systems before 1Password being a passkey provider can be really practical. Dashlane is acting as a passkey provider on desktop by hijacking the WebAuthn API in the browser via their extension injecting code into the page DOM. That works on desktop but not mobile. I haven’t seen the 1Password beta yet.

@grempe @Migueldeicaza @rmondello @1password I think the most practical thing at the moment depends on your phone. If Google, turn on advanced protection and use a hardware key to secure your account, and do the same thing with Apple if you have iOS; then use the authenticate with a nearby device feature in Chrome / Edge and Safari to remotely authenticate using your phone on the desktop. That is the most convenient cross platform at the moment.

@Migueldeicaza @rmondello if you enable security keys you should have at least two of them to avoid getting locked out by losing one. You can use both your primary and backup for other services like Google, live.com and Facebook etc. However you should at some point be able to rely on the passkeys in your Apple keychain rather than using the security keys directly. Passkeys secured in the keychain by security keys is a good security solution assuming you don’t airdrop them to the wrong person.

@rmondello Security keys and passkeys are different - is this moving away from “security keys are non-exportable/non-syncable/single-device/(pick-your-differentiator) passkeys” thinking?