Only for Geeks?

The year for all Apple users starts with a significant security feature. A feature that can increase the security of your Apple ID for unauthorized access by using hardware security keys. But is this feature user-friendly at all, or does it not have to be? Check my review of the latest Apple feature.

The basics of security - a second factor to authenticate

Before we start to philosophize about technology, we will first briefly discuss the necessity of a second factor to secure your accounts. It is well known that passwords alone do not provide sufficient protection on the Internet. Less complex and rarely changed passwords make it easy for attackers to compromise your account. It is not uncommon that databases of usernames and passwords are published cause of data breaches or hacker attacks. That’s why security specialists strongly recommend the use of a second factor (also known as multi-factor). The first factor in this context is something that you know. In this case, the username and password. Since both of these attributes can be published as part of a data breach, there is a need for an additional barrier here. Something you own. Using a one-time password, which is sent to you by SMS or e-mail, confirms the authenticity of the user and is the most common way to realize proof of authenticity. Problem solved! In theory!

The need for an extra pinch of hardware

Now using a phone as a second factor for authentication is a relatively convenient way and increases the protection grade of an account significantly. However, in recent months it has been repeatedly reported that there have been successful attacks on two-factor authentication. David Strom wrote a great article about the 5 most common attack methods to hack multi-factor authentication. Since it has become increasingly known that two-factor solutions in the form of soft tokens can no longer guarantee sufficient protection in the event of poor implementation or man-in-the-middle attacks, the use of hardware tokens is becoming more common. This form of token is used frequently in particularly sensitive areas or for highly sensitive accounts, as the risk of a successful attack is almost eliminated due to the physical existence of the hardware token.

Apple ID protected with physical security keys

With the new iOS update, Apple allows securing your Apple ID by using a physical security key. As the name suggests, this method requires a hardware token as a second factor for successful authentication. Probably the best-known third-party provider for this is Yubico. Yubico is a company that works within the FIDO Alliance to ensure compatibility between several platforms. This is also one of Apple's main requirements for using these tokens. They MUST be FIDO certified. Since Apple has always wanted to represent security and privacy, the feature is another step towards comprehensive protection of your Apple account. As the main difference between a 6-digit code and a hardware key is the physical ownership, apple clearly states on their support portal that you are responsible for the safekeeping of the physical key. And this is where the first barrier to the use of this method can arise. Digital keys (one-time passwords) generated via the app are relatively easy to handle and manage. Recovery codes and apps that store the codes in a dedicated account reduce the probability of loss. Securing a hardware token, on the other hand, requires a bit more attention. You know what it's like - you set up the feature, you're happy that it works, and since you rarely need it, you put the hardware key in a place where you're sure you'll find it again later. That's it for the theory!

Who needs the feature and what is the fallback scenario?

Now let's move on to a very relevant topic. The target group. So we have now identified that a hardware token may enable a higher level of security than software tokens. But who is going to make the effort? Large companies that want to secure the accounts of their employees? Probably not! Almost all companies (that I know of) use Office 365 with probably all the security features that Microsoft offers. So why make the effort to secure the Apple ID additionally? It should also be noted that we are talking about an enormous organizational effort when we provide hardware tokens for employees in a large company (delivery, return, behavior in case of loss, etc.) So the whole thing is probably more for geeks who do not trust the security of software keys and like to go the "hard" way. It would be interesting to know how many percent of Apple users finally use or will use this feature. Statistically, you could also ask Google directly. They have been offering the protection of Google accounts via hardware tokens for many years! There is only one last question. What should I do if I lost my hardware key?

If you lose your hardware security token that secures your Apple ID, you will need to take steps to regain access to your account. Here are the steps you can follow:

1. Go to iforgot.apple.com: If you are unable to sign in to your Apple ID using your hardware security token, go to the iforgot.apple.com page and follow the steps to reset your password.

2. Use another trusted device: If you have another trusted device, such as an iPhone, iPad, or Mac, you may be able to receive a verification code to reset your password.

3. Contact Apple Support: If you are unable to reset your password using the above methods, you can contact Apple Support for assistance. They will guide you through the process of verifying your identity and regaining access to your account.

Note: Apple recommends having a backup security method in place, such as a recovery key, in case your hardware security token is lost or damaged. This will make it easier to regain access to your account if needed.

So I secure my Apple ID with a hardware token to bypass it in case of a loss with another trusted Apple device? Let's leave that as "safe" in the room and test it in the coming weeks.

How do we remain with the new feature now? In principle, nothing bad can be said against the introduction of higher security mechanisms. Even though the target group might be very small, this feature underlines Apple's ambition to provide a highly secure ecosystem.

(The following text was generated by ChatGPT)

The use of hardware tokens for authentication on iOS can be useful, depending on the specific use case and security requirements.

Advantages of using hardware tokens on iOS include:

1. Improved security: Hardware tokens provide an additional layer of security beyond just passwords and can prevent unauthorized access to sensitive information.

2. Convenience: Hardware tokens can be used for two-factor authentication without requiring a user to enter a code or password.

3. Integration with other devices: Some hardware tokens can be integrated with other devices, such as smartwatches, to provide additional security.

However, hardware tokens may also have some limitations, such as:

1. Cost: Hardware tokens can be expensive to purchase and distribute.

2. Compatibility: Not all hardware tokens work with all iOS devices, so compatibility must be considered.

3. User adoption: Some users may find hardware tokens to be inconvenient or difficult to use, which can lead to lower adoption rates.

In conclusion, the use of hardware tokens for authentication on iOS can be useful for organizations with high security requirements, but it is important to consider the cost, compatibility, and user adoption when evaluating this option.