With the addition in January 2023 of support on its current operating systems for hardware security keys to protect your Apple ID, Apple has expanded the number of types of secrets it can generate to four, supporting or manage for you.
This can be confusing. A colleague only recently discovered that Apple supports verification codes directly in Safari when prompted by his operating system to use Apple’s system when upgrading the security of the account on a website.
As of March 2023, here are the secrets Apple can work with for you:
- Passwords : Apple’s built-in password management system, it can be accessed via Settings > Passwords under iOS/iPadOS, and via System Preferences > Passwords (Monterrey), System Parameters > Passwords (Ventura), or Safari > Preferences > Passwords (several versions). Apple lets you generate, store, and retrieve passwords in Safari and in apps that use WebKit View. You can also use the Passwords interface to manually create password entries, add notes, and copy stored passwords and account IDs.
- Second factor codes: Apple calls this type of second-factor authentication (2FA) token a verification code. More technically, it is a time-based one-time password (TOTP). When you sign up for 2FA on a website, you are often offered the option of an authentication or verification code. (See this column for details on using this approach.) Apple added this option in iOS 15, iPadOS 15, and Safari 15 for macOS (Monterey and later).
- Access keys: A new industry-wide approach to security, called passkey, has more complex foundations than a password and second-factor code, but it’s more secure and reliable. (I’ve explained it in detail in this column.) You don’t enter a password but confirm a password with Touch ID, Face ID, or a device passcode or password from macOS account. Apple added passkey support to iOS 16, iPadOS 16, and macOS 13 Ventura, though a functional preview form appeared in the previous version of each. You register on a website to use access keys, much like two-factor authentication. A unique set of encryption information is created for each connection, preventing hacking and identity theft. Few sites support them yet, but with Google and Microsoft also on board, this is expected to increase significantly in 2023.
- Hardware security keys for web connections: A few years ago, an industry consortium (the one that is also behind security keys) created a standard for hardware security keys, like those made by Yubico, that can connect to a mobile device, from desktop or laptop via USB, Lightning or NFC. The hardware key manages the login process. This hardware approach, called WebAuthn, has essentially evolved into security keys, although both forms have their uses. When some websites prompt you to enter a hardware key, Apple even offers the option of using a password. The big difference? Passkeys are synced between your devices; a hardware security key is a physical item.
- Hardware security keys for Apple ID: Apple has improved Apple ID logins by allowing you to use hardware security keys from January 2023, although this requires being up to date with all the latest versions of its operating systems (iOS, iPadOS, macOS , tvOS, watchOS and the HomePod operating system) to avoid you being locked out. Apple requires you to save two security keys for added security in case one is lost or damaged.
Seen another way:
- A password is something you can remember or have filled in for you by a password manager, like Apple’s built-in support.
- A two-factor authentication code Or master key requires having one of your devices on hand and using it to connect directly or approve a connection on other hardware you use.
- A hardware security key requires you to have the key in hand and insert it into a device you are logging in from, such as setting up a new iPhone.
This Mac 911 article is in response to a question submitted by igamesnews reader Brett.
Ask for Mac 911
We’ve compiled a list of our most frequently asked questions, along with answers and column links: read our awesome FAQ to see if your question is covered. Otherwise, we are always looking for new problems to solve! Email yours to [email protected], including screenshots if available and if you want your full name used. Not all questions will be answered, we don’t respond to emails, and we can’t provide direct troubleshooting advice.
