Protecting Apple iCloud with YubiKeys


Introduction

Apple now supports YubiKeys to provide the strongest phishing-resistant protection for your iCloud account using the FIDO protocol. By registering YubiKeys to your iCloud account, you significantly increase your protection even if your iCloud account password is stolen. [1] This article will cover setting up and using your YubiKey with iCloud. To ensure you have a backup, you need a minimum of two YubiKeys/security keys to get started. Once you have set up security keys with your iCloud account, you will be required to use a security key to log in from untrusted devices. Read Apple’s Security Key support article to learn more about the implementation.


The YubiKeys can be registered from an iPhone/iPad or from a Mac. This article will provide a step-by-step guide for both options.

Setup Instructions

Prerequisites

iPhone or iPad initiated set up instructions

Ensure the iPhone is running iOS version 16.3 or above. The iOS version can be found by tapping on the Settings app on the Home Screen (or in the App Library) and going to General -> About.

  1. Open the Settings app.
  2. Tap your name
  3. Tap on Sign-In & Security
  4. Select Two-Factor Authentication
  5. Under Security Keys, tap Set Up
  6. Tap Add Security Keys
  7. Tap Continue
     Note: If your Apple iCloud account is signed in from devices that don't support passkeys, you'll see a list of devices here. You will need to agree to sign out of all devices in this list before you can add passkeys to your account.
  8. At the prompt, enter your device/iPhone passcode to continue
  9. At the prompt, plug in or tap your Security Key to the iPhone. If a PIN is set on the FIDO application of your YubiKey, you'll receive a PIN prompt as well - you will need to enter the correct PIN before continuing.
  10. Name your Security Key. Choose a name that will help you identify the specific YubiKey you are adding. The name will be saved to your iCloud account.
  11. Next you will be prompted to set up your second Security Key. Follow the same instructions as above.
  12. You will now be prompted to Review Your Active Devices - this list contains any devices where your iCloud account is currently signed in. You can select a device you want to remove and tap Sign Out of Device, but if you are happy with the list of authenticated devices, tap Stay Signed In To All. If you would like to sign out of multiple devices, it is recommended that you only remove one at a time (this list can also be edited later from the Sign-In & Security page of your iOS Settings).
  13. Once the second Security Key is set up, your setup process is complete. Tap Done and you will be returned to the Sign-In & Security page within iOS Settings.

Managing Security Keys on the iPhone

  1. Open the Settings app
  2. Tap your name
  3. Tap Sign-In & Security

In this section, you can add additional Security Keys and manage the keys that have already been set up. Select an existing Security Key to edit the name or remove it. In order to remove a Security Key from this list, you'll need to have at least two keys registered at all times.

 

macOS initiated set up instructions

  1. Open System Settings, select your Apple ID, and then click Sign-In & Security
  2. Click Two-Factor Authentication
  3. Click Security Keys
  4. Click Add Security Keys
  5. Click Continue. You may be prompted to enter the password for your local Mac user account and/or a passcode from a trusted iOS device. If so, complete the prompts before continuing to the next step.
  6. Click Continue
  7. Insert the first YubiKey / Security Key and tap the capacitive touch sensor when it begins to steadily flash. If you have a PIN set on the FIDO application of your YubiKey, you will be prompted to enter the PIN, and then tap the capacitive touch sensor on your YubiKey again to complete the registration.
  8. Name your Security Key something memorable, and then click Continue
  9. Remove the first YubiKey and then insert the second YubiKey
  10. Click Continue
  11. Tap the capacitive touch sensor on the YubiKey when it begins to steadily flash. If you have a PIN set on the FIDO application of your YubiKey, you will be prompted to enter the PIN, and then tap the capacitive touch sensor on your YubiKey again to complete the registration.
  12. Name your Security Key something memorable, and then click Continue
  13. You will now be prompted to review all of your active devices (this lists all devices where your iCloud account is currently signed in - you can remove one or more devices or continue without forcing signout on any devices by clicking Stay Signed In to All)
  14. Click Done
  15. You can now click Done again and close out of your iCloud settings, or you can click on Security Keys again if you have more YubiKeys you wish to add to your iCloud account.

 

Login instructions

While you won’t need to use your YubiKey to check your iCloud settings on an iPhone or macOS device that’s already configured with iCloud, you may be prompted to use one of them when logging onto iCloud from a browser that Apple does not recognize, or when setting up a new Apple device.

 

The next time you are prompted to log in to your iCloud account, after entering your Apple ID and password, you will be prompted to use one of the YubiKeys that has been registered to your iCloud account.

 

Follow the on-screen instructions to complete your login. Your YubiKey’s PIN may be required if you have configured it to have one.

[1] Be aware that Apple currently allows access to Find My using only a password in the app or on the web. This is likely because people commonly use the service to locate a phone they just lost, and may not have the ability to provide the second factor in that situation. Considering this, always use a strong iCloud password and protect it well, and configure Find My settings you are comfortable being accessed using only your iCloud password.