iOS 16.3 Brings Support for Physical Security Keys, but They May Not Be Necessary

Soon, you'll be able to protect your iCloud login with a physical key. 

In the latest versions of iOS 16, Apple has added support for hardware security keys. These are like digital versions of actual keys—when you want to log into iCloud or your Apple ID, you must plug the key into your device to authenticate yourself. And just like in the physical world, if you lose the key, you're locked out. It's a big jump in security and a major drawback for convenience. The question, then, is it worth the hassle?

"A physical security key is the most secure type of two-factor authentication. Of course, password managers and other forms of two-factor authentication are important levels of cybersecurity support. A physical security key goes even further, adding a third layer of authentication that blocks bad actors from accessing your files, data, sensitive information, etc., if they don't have the actual, physical key," Amir Tarighat, privacy expert and CEO of cybersecurity startup Agency, told Lifewire via email.

Another Factor

In the world of passwords and security, authentication methods are often split into groups. Something you know, like a password; something you are, like a fingerprint or face scan; and something you have, like a physical key.

In the ideal movie-type scenario, say where you might want to gain access to a high-security building, you might have to key in a passcode, scan an ID card, and also scan your palm or retina. 

In practice, though, the lines here are often blurred. You might authenticate to your phone’s keychain with a Face ID scan, but then your phone just fills out your password in the website or app. And if you use a two-factor authenticator like Authy or Google Authenticator, it relies on you having access to your actual device, but sometimes these apps can be synced between several devices. 

Still, the point is, the more of these categories you have covered, the harder it is to break into any of your accounts. 

Security Key

You’ve long been able to use security keys with mobile devices as well as laptop and desktop computers. The difference here is that, coming with iOS 16.3 in 2023, you’ll be able to use one to log in to your Apple ID.

You’ll need it when you sign one of your devices into iCloud, but once that’s done, it’s done. Even if you get a new iPhone or iPad, the authentication will carry over to the new device as long as you use the device-to-device transfer process when you set it up.

Apple won’t make its own keys, though, so you’ll have to find one from a third-party seller, either a USB-C, a Lightning, or an NFC unit, depending on your needs. And, of course, if you’re serious about your security, you should thoroughly research the vendor. Otherwise, why bother?

The biggest advantage of a physical key is that it cannot be phished. No matter how sophisticated a phishing attack might be, and no matter how clever the attacker is, unless they steal the actual key from you, they cannot get in.

Security vs Hassle

So is this all worth the trouble? Probably not. If you see someone using one of these keys, it’s likely it’s some corporate thing. Their company may mandate they use a security key to access company servers, for example, because they don’t want their employees getting phished. 

"By using a physical security key, you can be sure that even if someone were to obtain your password, they would still not be able to access your account. In other words, physical security keys make it much harder for hackers to gain access to your accounts," technology writer Rick Costa told Lifewire via email.

In your case, you probably already know if you want to secure your Apple ID with a security key. Do you think a government might try to access your information via your iCloud account? Are the existing security measures not enough?

The new hardware key feature is in addition to Apple’s other recent security bumps for your iCloud account, namely Advanced Data Protection, which encrypts all almost your iCloud data on Apple servers, and means even Apple doesn’t have any access to it. When you enable it, you’re prompted to generate and write down a 28-character Recovery Key, which you should then store somewhere safe.

Or you can nominate a recovery contact who can help you regain access to your account. But where one person sees a trusted friend, a hacker sees an extra attack vector to exploit. 

In the end, the tradeoff is always the same: security or convenience. For many people, this might veer too far away from the "convenience" side, but for others, Apple’s new suite of security measures might be just the ticket.