A new iPhone update can read physical security keys

iOS 16.3, available on January 23, will add support for physical security keys to iPhones and iPads. The purpose of this new authentication method is to secure user accounts.

The beginning of the year is all about security at Apple. On January 18, the Cupertino company made three announcements in this area to reaffirm its desire to keep its promises in terms of privacy. These statements join a number of other communications, such as the development of an “Extreme Protection” mode or increased iCloud screening. (At the same time, Apple also announced new products like the MacBook Pro, Mac mini, and HomePod 2.)

Apple unlocks physical security keys for Apple ID

iOS 16.3, which will be released on January 23rd (probably that Monday, early evening), will bring something new to iPhones and iPads. With this update, it will be possible to use “security keys” (an approach that has been around for years) to sign in to your Apple ID account. The key takes the form of a physical object, which makes two-factor authentication more resistant to attack. The idea is to avoid the SMS code and replace it with a physical item that cannot be accessed remotely.

Connection with a physical security key. // Source: Apple

Apple has offered two-factor authentication since 2015, and it is used by 95% of active iCloud accounts. However, until now, two-factor authentication did not allow the use of a hardware device. Apple sees this as a way to make attacks against accounts (such as phishing) harder to pull off, because physical access to the key is required. In effect, the attack surface is reduced even further.

Here, Apple intends to take advantage of the existing ecosystem by allowing the use of third-party hardware security keys (and why not Google’s Titan security key?). An Apple representative told Numerama that these keys may vary in how they work. For example, some keys can be used with biometric verification (in this case, pressing the key so that it reads the fingerprint).

Yubikey USB key can be used as an authentication factor // Source: Yubikey
Example of a security key connected to a laptop. // Source: Yubikey

One question remains: who is this type of device for? Everyone, Apple suggests. However, it is designed with more exposed profiles in mind, such as journalists, members of government or celebrities. These profiles are more likely to be targeted, including by certain highly active attackers.

iMessage is also getting a security update

Another announcement of the day: “contact key verification for iMessage”. This feature verifies the validity of a conversation with another person on iMessage by comparing the contact’s verification codes, for example over FaceTime or another secure calling service.

This kind of functionality is also available in other messaging services: WhatsApp has a security code verification tool, as does Signal. On these two platforms, as on iMessage, the check can be performed when you are in the same location as the contact, to verify that the codes match. But here too, Apple mainly targets the riskiest profiles.

iCloud end-to-end encryption

Finally, Apple returned to its much-hyped announcement: end-to-end encryption of nearly everything stored in iCloud, Apple’s sync and hosting service. This change was introduced in early December, but is currently limited to members of the US-based beta program.

iCloud encryption, available in France soon, will make a lot of data invulnerable.  // Source: Draw the number

End-to-end encryption is a mechanism that makes data inaccessible to anyone but its owner. Even Apple can’t read it. This is a common protection today: WhatsApp, for example, provides an equivalent service to secure discussions and files that Internet users send to each other.

Apple’s announcement is primarily about setting a timeline. The rest of the Americas will be in service by the end of the year, while Europe will begin deployment in early 2023. We can hope for a good surprise in the coming weeks.

There remains one downside to these successive steps forward in favor of security: the absence of end-to-end encryption for emails, contacts, and calendars in iCloud. There are objective reasons why Apple can’t do this. On this point, Cupertino, when asked again by Numerama, had nothing new to say.

