iOS 16.3, available the week of January 23, will add support for physical security keys to iPhones and iPads. This new authentication method aims to secure user accounts.
The beginning of the year rhymes with security at Apple. Wednesday, January 18, the Cupertino company made three announcements on this ground, to reassure once again about its desire to keep its promises in terms of confidentiality. Statements that are part of a series of other communications, with the development of an “extreme protection” mode or increased shielding of iCloud. (At the same time, Apple also announced new products, such as the MacBook Pro, Mac mini and HomePod 2.)
Apple opens up to physical security keys for Apple ID
iOS 16.3, which will be available the week of January 23 (probably the same Monday, early evening), will bring something new to iPhones and iPads. Thanks to this update, it will be possible to use “security keys” (an approach that has already existed for years) to log into your Apple ID account. This key turns out to be a physical object that is to improve the resistance of two-factor authentication — also called double authentication. The idea is to avoid the SMS code and replace it with a physical element, impossible to obtain remotely.
At Apple, two-factor authentication has been in place since 2015 and is used by 95% of active iCloud accounts. However, until now, two-factor authentication did not allow the use of a hardware asset. Apple sees this as a way to make attacks against accounts more difficult to succeed (like phishing), since it would require physical access to this material. In fact, the attack surface is even more reduced.
Here, Apple intends to take advantage of the existing ecosystem by authorizing the use of third-party hardware security keys (and why not Google’s Titan security key?). In Numerama, an Apple representative indicated that these keys can be diverse in their operation. For example, it is possible to use keys using biometric verification (in this case, pressing on it to read the fingerprint).
One question remains: who is this type of device for? Everyone can have access to it suggests Apple. However, it was designed with more exposed profiles in mind, such as journalists, members of government or celebrities. These profiles may be more targeted, including by determined attackers with a high capacity for action.
iMessage also gets a security update
Another announcement of the day: the “verification of ignition keys for iMessage”. This feature consists of verifying the reliability of the connection with another person using iMessage, by comparing the verification codes of the contacts – for example on FaceTime or through another secure call service.
This kind of functionality exists on other messaging services: WhatsApp also has a security code confirmation tool, as does Signal. For these two platforms as for iMessage, the verification can be done when you are in the same place as your contact, to check the correspondence of the code. But here too, Apple is mainly targeting the most at-risk profiles.
iCloud end-to-end encryption
Finally, Apple returned to an announcement that had made a lot of noise: end-to-end encryption of almost all items stored on iCloud, Apple’s synchronization and hosting service. This change was introduced in early December, but is currently restricted to members of a beta program residing in the United States.
End-to-end encryption is a device that makes the data that benefits from it inaccessible, except for its owner. Even Apple can’t read them. This is a protection that is commonly found today: WhatsApp, for example, provides an equivalent service to secure the discussions and files that Internet users send each other.
Apple’s announcement is primarily to set the timeline. The rest of America will be served by the end of the year, while Europe will begin its deployment at the beginning of 2023. We can hope for a good surprise in the coming weeks.
There remains a downside in this succession of steps forward for the benefit of security: that of end-to-end encryption of emails, contacts and calendars in iCloud. Apple has objective reasons for not being able to do so. Relaunched by Numerama on this subject, Cupertino could not say anything new.
Build the future of Numerama with us by answering these questions!