X

New iOS Login Tech Makes It Super Hard to Hack Your iCloud Account

Hardware security keys are the gold standard for locking down your accounts. Like the related passkey technology, they can thwart phishing attacks, too.

Stephen Shankland Former Principal Writer
Stephen Shankland worked at CNET from 1998 to 2024 and wrote about processors, digital photography, AI, quantum computing, computer science, materials science, supercomputers, drones, browsers, 3D printing, USB, and new computing technology in general. He has a soft spot in his heart for standards groups and I/O interfaces. His first big scoop was about radioactive cat poop.
Expertise Processors, semiconductors, web browsers, quantum computing, supercomputers, AI, 3D printing, drones, computer science, physics, programming, materials science, USB, UWB, Android, digital photography, science. Credentials
  • Shankland covered the tech industry for more than 25 years and was a science writer for five years before that. He has deep expertise in microprocessors, digital photography, computer hardware and software, internet standards, web technology, and more.
Stephen Shankland
4 min read
Yubico's YubiKey hardware security keys on a keychain

Yubico's basic YubiKey security keys cost $25 for a USB-A model and $29 for a USB-C model. Both also support NFC wireless connections.

Yubico

Apple now lets you protect your iCloud account and Apple ID with hardware security keys, a physical login method that offers maximum protection from hackers, identity thieves and snoops.

Hardware security keys are small physical devices that communicate with USB or Lightning ports or with NFC wireless data connections when you're logging in to a device or in to an account. You must have keys in your possession to use them, so they're effective at thwarting hackers trying to reach your account remotely. And because they won't work on fake login sites, they can thwart phishing attacks that try to fool you into typing your password onto a counterfeit website.

Support for the keys arrived Monday with iOS 16.3 and MacOS 13.2, and on Tuesday, Apple published details on how to use security keys with iPhones, iPads and Macs. The company requires you to set up at least two keys, but you can enroll as many as six. That's convenient if you want to keep them at home, at work, on your keychain or in other locations.

The move follows hardware security key support from other tech companies, like Google, Microsoft, Twitter and Facebook parent Meta. The US Cybersecurity and Infrastructure Security Agency, or CISA, says security keys are the "gold standard" of multifactor authentication.

Apple has been working to tighten security in recent months, stung by iPhone breaches involving NSO Group's Pegasus spyware. Apple's Advanced Data Protection option arrived in December, giving a stronger encryption option to data stored and synced with iCloud. And in September, Apple added an iPhone Lockdown Mode that includes new guardrails on how your phone works to thwart outside attacks.

A big caveat, though: Although hardware security keys and the Advanced Data Protection program lock down your account better, they also mean Apple can't help you recover access.

"This feature is designed for users who, often due to their public profile, face concerted threats to their online accounts, such as celebrities, journalists, and members of government," Apple said in a statement. "This takes our two-factor authentication even further, preventing even an advanced attacker from obtaining a user's second factor in a phishing scam."

Industry tightens login security

The technology is part of an industrywide tightening of authentication procedures. Thousands of data breaches have shown the weaknesses of traditional passwords, and hackers now can thwart common two-factor authentication technologies like security codes sent by text message. Hardware security keys and another approach called passkeys offer peace of mind even when it comes to serious attacks like hackers gaining access to LastPass customers' password manager files.

A screenshot of the MacOS enrollment process to use hardware security keys to protect your iCloud account

MacOS and iOS let you protect your iCloud account and Apple ID with hardware security keys.

Screenshot by Stephen Shankland/CNET

Hardware security keys have been around for years, but the Fast Identity Online (FIDO) Alliance has helped standardize the technology and integrate its use with websites and apps. One big advantage on the web is they're linked to specific websites, for example Facebook or Twitter, so they thwart phishing attacks that try to get you to log in to fake websites. They're the foundation for Google's Advanced Protection Program, too, for those who want maximum security.

You need to pick the right hardware security keys for your devices. To communicate with relatively new models of both Macs and iPhones, a key that supports USB-C and NFC is a good option. Apple requires you to have two keys, but it isn't a bad idea to have more in case you lose them. A single key can be used to authenticate to many different devices and services, like your Apple, Google and Microsoft accounts.

Yubico, the top maker of hardware security keys, announced on Tuesday two new FIDO-certified YubiKey models in its Security Key Series suited for consumers. They both support NFC, but the $29 model has a USB-C connector and the $25 model has an older style USB-A connector.

The number of Americans hit by data breaches in 2022 increased 42% compared with 2021, the Identity Theft Resource Center said in January. For some advice on online safety, check my colleague Bree Fowler's tips for improving your online privacy.

Passcodes and security keys better than passwords

Google, Microsoft, Apple and other allies are also working to support a different FIDO authentication technology, called passkeys. Passkeys are designed to replace passwords altogether, and they don't require hardware security keys.

A illustration rating passkeys and hardware security keys as more secure than password-based login technology.

The FIDO Alliance rates how secure various authentication technologies are against phishing attacks that try to get you to log in to fake websites. Passwords alone or ordinary passwords combined with one-time passwords like text messages are relatively insecure, but passkeys and hardware security keys are more secure. 

FIDO alliance

Passkeys and security keys are complementary, FIDO Alliance Executive Director Andrew Shikiar said in a Wednesday speech at a conference about online identity matters. Either is a big improvement over passwords alone or passwords combined with login codes sent by text message or retrieved from an authenticator app, he said.

"We need to have a fundamental shift in how people authenticate from something that's inherently knowledge-based — something you know, something that sits on a server, that's in your head, that you enter and transmit over a network — to something that's inherently more possession based," Shikiar said of the alliance's push to move away from passwords and login codes.

With the FIDO technology like passkeys or security keys, the authentication process takes place right where you are, for example with passkey biometrics or hardware security key possession, so it's much harder for a remote attacker to compromise.