With the inclusion of support for hardware security keys to safeguard your Apple ID across its current operating systems in January 2023, Apple has increased the number of secrets it can produce, maintain, or manage for you to four.
This can be perplexing. A colleague found that Apple supports verification codes directly in Safari until lately when their operating system suggested they utilize Apple’s method while improving account security on a website.
As of March 2023, Apple may assist you with the following secrets:
- Apple’s built-in system for managing passwords; available via Settings > Passwords in iOS/iPadOS, System Preferences > Passwords (Monterey), System Settings > Passwords (Ventura), or Safari > Preferences > Passwords (several versions). Apple enables the generation, storage, and retrieval of passwords in Safari and WebKit-based applications. With the Passwords interface, you can also manually make password entries, add notes, and copy saved passwords and account IDs.
- The second-factor codes are: This type of second-factor authentication (2FA) token is referred to as a verification code by Apple. In technical terms, they are a time-sensitive one-time password (TOTP). When registering for two-factor authentication on a website, you are frequently given the choice of an authentication or verification code. (See this column for information on how to utilize this method.) Apple included support for this feature in iOS 15, iPadOS 15, and Safari 15 for macOS (Monterey and later).
- Passkeys: A modern industry-wide solution to security, known as a passkey, relies on more complex underpinnings than a password and second-factor code, but it is more secure and trustworthy. (I thoroughly discussed it in my column.) Instead of entering a password, you validate a passkey using Touch ID, Face ID, a device passcode, or your macOS account password. Apple included passkey capability to iOS 16, iPadOS 16, and macOS 13 Ventura, while a preview form existed in the preceding version of each operating system. A website registration is required to utilize passkeys, similar to two-factor authentication. For each login, a unique set of encryption information is generated, avoiding hijacking and impersonation. Few websites now accept them, but with Google and Microsoft on board, that number should increase significantly by 2023.
- Hardware authentication keys for website logins: Some years ago, an industry consortium (the same one responsible for passkeys) established a standard for hardware security keys, such as those manufactured by Yubico, that can connect to a mobile, desktop, or laptop device through USB, Lightning, or NFC. The hardware key controls the authentication procedure. This WebAuthn-based hardware method effectively developed into passkeys, but both have their purposes. Apple gives the option of utilizing a passkey even though certain websites require the use of a physical key. What is the difference? Passwords are synchronized across your devices, whereas hardware security keys are tangible objects.
- Hardware security keys for Apple ID: As of January 2023, Apple strengthened Apple ID logins by allowing the use of hardware security keys; however, you must be running the most recent versions of Apple’s operating systems (iOS, iPadOS, macOS, tvOS, watchOS, and HomePod’s OS) to prevent being locked out. Apple needs users to register two security keys for further protection in the event that one is lost or compromised.
Considered another way:
- A password is something you can recall or have automatically entered via a password manager, such as Apple’s built-in support.
- A second-factor authentication token or passkey necessitates utilizing one of your devices to log in directly or to authorize a login on another piece of gear you’re using.
- A hardware security key demands that you have the key in your possession and put it into the device you’re logging in from, such as an iPhone
Ask Mac 911
We have collected a list of the most often asked questions, with answers and links to columns: Consult our extensive Frequently Asked Questions to check whether your query is addressed. If not, we are always seeking new challenges to address! Send yours to [email protected], along with relevant screenshots and your complete name, if you wish for it to be used. We cannot give direct troubleshooting guidance, cannot respond to emails, and cannot answer every inquiry.