Apple released iOS 16.3 today with long-awaited support for hardware security keys to provide extra protection against phishing attacks and unauthorized access to your devices.
Hardware security keys are small physical devices that resemble thumb drives and support USB-C (using an adapter) or near-field communication (NFC) to connect to a Mac or iPhone.
These devices can be used as the additional verification step when using two-factor authentication for Apple IDs rather than the regular six-digit verification code shown on devices.
As security keys are meant to be stored on a keychain or in a wallet and must be in the presence of a device to authenticate a login, they provide greater protection against threat actors trying to log into your account remotely.
For example, threat actors commonly create phishing attacks that steal Apple ID credentials and the one-time passcodes sent via 2FA verifications.
However, once an Apple ID is configured with a security key, even if an advanced phishing attack can steal your credentials, the remote threat actor cannot log in as they don’t have access to your hardware security key.
Setting up a security key on your iPhone
To use a security key with iOS, Apple requires you to have two keys — one carried with you, and another stored at home or in the office as a spare if you lose one.
To set up security key authentication on an iPhone, go to Settings > tap your name > Password & Security, and then select Add Security Key.
You will then be prompted to ensure you have both security keys ready and to add the first one by holding the gold NFC section of your security key to the top of your phone.
Once the security key is selected, you will be prompted to link the second security key.
After both are linked, you will be prompted to review the list of devices your Apple ID is currently logged in with and whether you wish to log them out.
When the setup process is completed, any time you need to access your Apple ID, whether for installing apps, making a purchase, or logging in on another device, you will need to press your security key to the top of your phone to complete two-factor authentication.
BleepingComputer has confirmed that the feature works with the YubiKey 5 NFC, YubiKey 5C NFC, and Google Titan.
Apple says that the YubiKey 5Ci and FEITIAN ePass K9 NFC security keys are also known to be compatible.
If you no longer wish to use a security key, return to the Security Keys setting and click Remove All Security Keys. Once your security keys are removed, you will automatically revert to the six-digit verification codes.
You can review Apple’s support article on this feature for further information about using security keys with Apple iOS.