Introduction
Apple supports YubiKeys to provide the strongest phishing-resistant protection for your iCloud account using the FIDO protocol. By registering YubiKeys to your iCloud account, you significantly increase your protection even if your iCloud account password is stolen.[1] This article covers setting up and using your YubiKey with iCloud. To ensure you have a backup, you need a minimum of two YubiKeys/security keys to get started. Once you have set up security keys with your iCloud account, you will be required to use a security key to sign in from untrusted devices. Read Apple’s Security Key support article to learn more about the implementation.
YubiKeys can be registered from an iPhone/iPad or from a Mac, but registration isn't supported from non-Apple devices. This article provides a step-by-step guide for both options.
Setup Instructions
Prerequisites
- A minimum of two YubiKeys
- If registering from an iPhone/iPad, then you need iOS/iPadOS 16.3 or above - see iPhone or iPad initiated setup instructions
- If registering from a Mac, then you will need macOS Ventura 13.2 or above - see macOS initiated set up instructions
- Two-factor authentication enabled on your Apple ID
- A modern web browser such as Safari
iPhone or iPad initiated setup instructions
Ensure the iPhone is running iOS version 16.3 or above. The iOS version can be found by tapping on the Settings app on the Home Screen (or in the App Library) and browsing to General -> About.
- Open the Settings app
- Tap your name
- Tap on Sign-In & Security
- Select Two-Factor Authentication
- Under Security Keys, tap Set Up
- Tap Add Security Keys
- Tap Continue
Note: If your Apple iCloud account is signed in from devices that don't support passkeys, you'll see a list of devices here. You will need to agree to sign out of all devices in this list before you can add passkeys to your account.
- At the prompt, enter your device/iPhone passcode to continue (alternatively, if Face ID is set up, Face ID will confirm your face instead)
- You may be prompted to sign out of inactive devices. If you receive this prompt, tap Sign Out of Device.
- At the prompt, plug in or tap your security key to the iPhone. If a PIN is set on the FIDO application of your YubiKey, you will receive a PIN prompt as well - enter the correct PIN and then tap the key again.
- Name your security key. Choose a name that will help you identify the specific YubiKey you are adding. The name will be saved to your iCloud account. For example, if you have a YubiKey 5Ci with serial number 27546987, consider naming your key something like 5Ci 275469987.
- You will be prompted to set up your second security key. Follow the same instructions as above.
- You will now be prompted to review your active devices - this list contains any devices where your iCloud account is currently signed in. You can select a device you want to remove and tap Sign Out of Device, but if you are happy with the list of authenticated devices, tap Stay Signed In To All. If you would like to sign out of multiple devices, it is recommended that you only remove one at a time (this list can also be edited later from the Sign-In & Security page of your iOS Settings).
- Once the second security key is set up, your setup process is complete. Tap Done and you will be returned to the Sign-In & Security page within iOS Settings.
Managing security keys on the iPhone
- Open the Settings app
- Tap your name
- Tap Sign-In & Security
In this section, you can add more security keys and manage the keys that have already been set up. Select an existing security key to edit its name or remove it. In order to remove a security key from this list, you'll need to have at least two keys registered at all times. Removing all keys will revert your account to using 6-digit verification codes for two-factor authentication.
macOS initiated set up instructions
- Open the Apple menu > System Settings > [your name] > Sign-In & Security
- Click Two-Factor Authentication
- Click Security Keys
- Click Add Security Keys
- Click Continue. You may be prompted to enter the password for your local Mac user account (not the iCloud account) and/or a passcode from a trusted iOS device. If so, complete the prompts before continuing to the next step.
- Click Continue
- Insert the first YubiKey / security key and tap the capacitive touch sensor when it begins to steadily flash. If you have a PIN set on the FIDO application of your YubiKey, you will be prompted to enter the PIN, and then tap the capacitive touch sensor on your YubiKey again to complete the registration.
- Name your security key something memorable, and then click Continue
- Remove the first YubiKey and then insert the second YubiKey
- Click Continue
- Tap the capacitive touch sensor on the YubiKey when it begins to steadily flash. If you have a PIN set on the FIDO application of your YubiKey, you will be prompted to enter the PIN, and then tap the capacitive touch sensor on your YubiKey again to complete the registration.
- Name your security key something memorable, and then click Continue
- You will now be prompted to review all of your active devices (this lists all devices where your iCloud account is currently signed in - you can remove one or more devices or continue without forcing signout on any devices by clicking Stay Signed In to All)
- Click Done
- You can now click Done again and close out of your iCloud settings, or you can click on Security Keys again if you have more YubiKeys you want to add to your iCloud account
Login instructions
While you won’t need to use your YubiKey to check your iCloud settings on an iPhone or macOS device that’s already configured with iCloud, you will be prompted to use one of your registered YubiKeys when logging in to iCloud from a browser that Apple does not recognize, or when setting up a new Apple device.
The next time you are prompted to log in to your iCloud account, after entering your Apple ID and password, you will be prompted to use one of the YubiKeys that has been registered to your iCloud account.
Follow the on-screen instructions to complete your login. Your YubiKey’s PIN may be required if you have configured it to have one.
[1] Be aware that Apple currently allows access to Find My using only a password in the app or on the web. This is likely because people commonly use the service to locate a phone they just lost, and may not have the ability to provide the second factor in that situation. Considering this, always use a strong iCloud password and protect it well, and configure Find My with settings you are comfortable having accessed using only your iCloud password.