With the launch of iOS 16.3 and macOS 13.2 Ventura, Apple added security keys for the Apple ID, providing a more robust way to protect your Apple account and everything associated with it.
A security key is a physical device that works with two-factor authentication. Instead of using a code generated by a secondary Apple device for authentication, when you sign in to your Apple ID on another device after setting up security keys, you must authenticate via a physical key that is actually connected to your device.
You can use any FIDO-certified security key to activate the feature, and Apple recommends the YubiKey 5C NFC and the YubiKey 5Ci, two devices sold by Yubico. Yubico sent me some security keys so I could try them out with Apple’s security key feature.
The YubiKey 5Ci has a USB-C connector and a Lightning connector so it can connect to iPhones, iPads, Macs and other devices that use those connectors, while the YubiKey 5C NFC has a USB-C connector and the ability to communicate with NFC-enabled devices.
With Apple removing the Lightning port from the iPhone this year, and since I don’t have devices without NFC, I opted for the YubiKey 5C NFC for future-proofing, but if you plan on having an iPhone or an iPad with a Lightning port for a longer period of time, the 5Ci might be the better option if you’re interested in using security keys.
Security keys can be set up on the iPhone, iPad or Mac. Keep in mind that whichever security key product you choose, you must have two, not just one. Apple requires duplicate security keys for redundancy purposes, and Yubico recommends a pair as well. The reason for this is that if you lose your physical security key and you don’t have another one in a safe place, you will lose access to your Apple ID. You will want to store the security keys in two separate locations.
On an iOS device or Mac, security keys can be enabled through the Password & Security section of the Settings app. Before you can add a security key, you must sign out of all inactive devices, including devices you haven’t used in the past 90 days. Older devices do not support security keys at all.
I had to go through this process and I want to note that it didn’t work quite right (which isn’t YubiKey’s fault). Apple’s process logged me out of the unsupported devices or devices where I wasn’t logged in, but after that the installation of the security keys didn’t go through. I switched to the Mac to continue, and had better luck.
The setup process required me to plug in the security key, which I did with USB-C, and then press the key for the Mac to recognize it. Apple had me name it and then repeat the process to add the second security key.
Then I was told to view my list of active devices and choose whether to sign out of any of them. There was an option to stay logged in to everything, which I selected. After the installation process, Apple instructed me to store the keys separately and in a safe place, and clarified that I can add additional keys in the future.
There’s also a single line at the bottom of the settings screen that makes it clear that Apple has no way to access an account associated with a security key if both keys are lost, a warning that should probably be in bold text. Apple sends an email about the security key installation process and in both Mac and iOS settings I can view and delete my connected security keys.
When I try to sign in to my Apple ID on a device on the Mac, I’m instructed to insert and activate one of my security keys. This process requires inserting the key into a USB-C port and pressing it to activate it. I receive notifications on all my devices when a login attempt is made.
On an iPhone, the login process is similar, but the YubiKey must be held near the iPhone’s NFC reader (the top of the device) and activated for authentication. Overall, it’s a simple process on every Mac, iPhone and iPad I’ve tested it with. All of my devices have iOS 16.3 or later or macOS Ventura 13.2 or later, and they all support USB-C or NFC. On devices that have not been updated or do not support USB-C/NFC, the process may not be as seamless and may require adapters.
My biggest concern when activating security keys is that I’m going to lose one. YubiKeys and other security keys are small, unobtrusive and easy to lose because they are designed to remain secret and hidden. The YubiKey has an opening on the top for a keychain, so I’m going to add a keychain to one that will stay in a safe place in my office, and the second one goes to a more secure place.
Two-factor authentication with a physical security key is more secure than authentication with a digital code, according to Apple, but it is slightly riskier. I can’t track my YubiKeys if they’re lost, but I can track down all my secondary Apple devices if I lose one and need it for a code. That said, the authentication process is super easy and it’s even faster than getting a code from another Apple device.
YubiKeys don’t require charging and seem to be durable so far based on anecdotal reports from YubiKey users, which is good because I’m also worried about breaking one. In the end, I think I can add a third key to my account just for an extra layer of protection, since I’m unlikely to lose or break three at once. The YubiKey has an IP68 water resistance rating, so it can withstand liquid immersion, and it has a storage temperature range of -4°F to 185°F.
Some services don’t require an app to use a YubiKey (such as with an Apple ID or Twitter), but others require the Yubico Authenticator to be installed. The Yubico Authenticator is like Google Authenticator or Authy and generates a code using the YubiKey.
I couldn’t set up the YubiKey with Instagram because the authentication process from Instagram plus the Yubico app just wouldn’t work. The app would not recognize the key, so be aware that some troubleshooting may be required. There are limitations with the YubiKey in terms of supported accounts. It can store up to 25 FIDO2 credentials for passwordless logins, two OTP credentials, 32 OATH credentials for one-time passwords (when paired with the Yubico Authenticator), and an unlimited number of U2F credentials. If you have more than 32 accounts that require one-time passwords, the YubiKey may not be the best solution, as it only works with 32 logins.
In addition to an Apple ID, the YubiKey works with other websites and services with two-factor authentication. Google, Microsoft, 1Password, LastPass, Facebook, Twitter, Instagram, bitcoin wallets, government accounts and many more are all supported.
Bottom line
If you want to make your Apple ID more secure through physical authentication using the Security Keys feature, the YubiKey series is worth checking out. It offers better protection than digital codes, but it is expensive and there are some limitations to be aware of if you want a multifunctional physical authenticator.
How to buy
The YubiKey 5C NFC I used in this review costs $55 and can be purchased from the Yubico website. The YubiKey 5Ci with Lightning connector and USB-C connector costs $75.