Wednesday, December 7, 2022

Security Keys for Apple ID

Apple (MacRumors):

Apple introduced two-factor authentication for Apple ID in 2015. Today, with more than 95 percent of active iCloud accounts using this protection, it is the most widely used two-factor account security system in the world that we’re aware of. Now with Security Keys, users will have the choice to make use of third-party hardware security keys to enhance this protection. This feature is designed for users who, often due to their public profile, face concerted threats to their online accounts, such as celebrities, journalists, and members of government. For users who opt in, Security Keys strengthens Apple’s two-factor authentication by requiring a hardware security key as one of the two factors. This takes our two-factor authentication even further, preventing even an advanced attacker from obtaining a user’s second factor in a phishing scam.

Apple (via Maxwell Swadling):

A recovery key is a randomly generated 28-character code that you can use to help reset your password or regain access to your Apple ID. While it’s not required, using a recovery key improves the security of your account by putting you in control of resetting your password. Creating a recovery key turns off account recovery. Account recovery is a process that would otherwise help you get back into your Apple ID account when you don’t have enough information to reset your password.


2 Comments

So requesting a recovery key will disable the phone SMS-based recovery flow that is ridiculously easy for a hacker to circumvent (e.g. using SIM swapping due to the gross negligence and incompetence of Telco customer service reps, or outright corruption of phone-shop employees)? That's a win in my book. I've also never trusted Apple's proprietary 2FA implementation as opposed to Yubikeys or other standard U2F keys.

Notice the other part of the announcement, which is that iMessage will be changing next year to give you the final key management seal you need for E2E iMessage. This is great news.

And Yubikey--I just got four of them for the price of one, from Cloudflare Zero Trust, if that offer is still open. Great stuff. I look forward to integrating them into my life.
