Protecting Apple iCloud with YubiKeys


Introduction

Apple now supports YubiKeys to provide the strongest phishing resistant protection for your iCloud account using the FIDO protocol. By registering YubiKeys to your iCloud account, you significantly increase your protection even if your iCloud account password is stolen.1 This article will cover setting up and using your YubiKey with iCloud. To ensure you have a backup, You need a minimum of two YubiKeys/security keys to get started. Once you have set up security keys with your iCloud account, you will be required to use a security key to log in from untrusted devices. Read Apple’s Security Key support article to learn more about the implementation.

 

Setup Instructions

Prerequisites

The YubiKeys can be registered from an iPhone/iPad or from a Mac. This article will provide a step-by-step guide for both options.

 

iPhone or iPad initiated set up instructions

  1. Ensure the iPhone is running iOS version 16.3 or above. The iOS version can be found by tapping on the Settings app on the Home Screen (or in the App Library) and going to General -> About
    1. To update to 16.3, select the Settings icon, go to General -> software update
  2. Now that you have verified the needed iOS version, open the Settings app

askarticle-01.png

 

  1. Tap your name

askarticle-02.png

 

  1. Tap on Password & Security

askarticle-03.png

 

  1. Select Add Security Keys

askarticle-04.png

 

  1. Select Add Security Keys

askarticle-05.png

 

  1. Select Continue

askarticle-06.png

 

  1. At the prompt, enter your device/iPhone passcode to continue

askarticle-07.png

 

  1. At the prompt, plug in or tap your Security Key to the iPhone.

askarticle-08.png

 

  1. If you have a PIN set on the Security Key, you will be prompted to enter in your PIN

askarticle-09.png

 

  1. Name your Security Key. Choose a name that will help you identify the specific YubiKey you are adding. The name will be saved to your iCloud account.
  2. Next you will be prompted to set up your second Security Key. Follow the same instructions as above.

askarticle-10.png

 

  1. Once the second Security Key is set up, your setup process is complete. Select Done and you will be taken back to the Password & Security section where there will be two security keys displayed as being registered.

askarticle-11.png

 

 

Managing Security Keys on the iPhone

  1. Open the Settings app

askarticle-12.png

 

  1. Tap your name

askarticle-13.png

 

  1. Tap on Password & Security

askarticle-14.png

 

In this section, you can add additional Security Keys and manage the keys that have already been set up. Select an existing Security Key to edit the name or remove it. The following section will appear once you select a Security Key.

 

askarticle-15.png

 

On this screen you can change the name you assigned to a particular YubiKey, or remove it (as long as two Security Keys remain registered).

 

 

macOS initiated set up instructions

  1. Open System Settings and select your Apple ID, then click Password & Security

askarticle-16.png

 

  1. Click Add on Security Keys

askarticle-17.png

 

  1. On the next screen, click on Add Security Keys or press Return Key

askarticle-18.png

 

  1. At the prompt, enter your Mac User ID password. Then click Allow button or press Return Key. This is your local computer password, not your iCloud account password.

askarticle-19.png

 

  1. Make sure you have both Security Keys at hand and click Continue or press Return Key

askarticle-20.png

 

  1. Click Continue or press Return Key

askarticle-21.png

 

  1. Insert your first Security Key

askarticle-22.png

 

  1. Tap the Security Key when it blinks. If there is a FIDO PIN previously set, enter the PIN when prompted and tap the Security Key again
  2. Choose a name that will help you to identify the specific YubiKey you are adding. The name will be saved to your iCloud account. Continue button or press Return Key

askarticle-23.png

 

  1. Click Continue or press Return Key to register the second Security Key

askarticle-24.png

 

  1. Tap the Security Key when it blinks. If there is a FIDO PIN previously set, enter the PIN when prompted and click Continue button or press Return key, then tap the Security Key again

askarticle-25.png


askarticle-26.png

 

  1. Choose a name that will help you to identify the specific YubiKey you are adding. The name will be saved to your iCloud account. Continue button or press Return Key

askarticle-27.png

 

  1. In the following screen you can decide to logout other devices or stay signed in

askarticle-28.png

 

  1. You have successfully protected your iCloud account authentication with Security Keys

askarticle-29.png

 

Login instructions

While you won’t need to use your YubiKey to check your iCloud settings on an iPhone or macOS device that’s already configured with iCloud, you may be prompted to use one of them when logging onto iCloud from a browser that Apple does not recognize, or when setting up a new Apple device.

 

The next time you are prompted to log in to your iCloud account, after entering your Apple ID and password, you will be prompted to use one of the YubiKeys that has been registered to your iCloud account.

 

Follow the on-screen instructions to complete your login. Your YubiKey’s PIN may be required if you have configured it to have one.

 


 

1 Be aware that Apple currently allows access to Find My using only a password in the app or on the web. This is likely because people commonly use the service to locate a phone they just lost, and may not have the ability to provide the second factor in that situation. Considering this, always use a strong iCloud password and protect it well, and configure Find My settings you are comfortable being accessed using only your iCloud password.