An Apple ID is a critical piece of information for anyone with an Apple device, be it a laptop, desktop, phone, or tablet. It grants access to the App Store, FaceTime, Find My, iCloud, and Messages. Given how much your Apple ID matters, it’s important to keep it safe from account takeovers, and one of the best ways to do that is with a hardware security key.
We’re here to show you how to use a security key to protect your Apple ID. But first, it’s important to understand what multi-factor authentication is and why using a security key is one of the best ways to keep your accounts safe.
What Is Multi-Factor Authentication?
The current thinking on authentication holds that there are three factors you can use to verify your identity:
- Something you know, like a password.
- Something you are, like a biometric attribute such as your fingerprint.
- Something you have, like a smart device or a hardware security key.
Typical username and password login schemes employ just one factor—something you know. The problem is that if a bad guy gets ahold of your username and password, they can log in as if they were you and take over your account. To prevent that, security experts now recommend mixing multiple factors. This used to be called two-factor authentication (2FA), but with new options emerging all the time, it has been dubbed multi-factor authentication (MFA). You might see both terms, but they effectively mean the same thing.
With MFA, even if someone has nabbed some or all of your login credentials—say, from a major data breach like the one that happened at LastPass—they won’t be able to access any account secured with MFA. Even if the logins are accepted, they’ll be prompted to enter the second-factor information and will be immediately stymied. This isn’t theoretical, either. When Google required all employees to use MFA, account takeovers dropped to nearly zero.
There are several different ways to implement MFA. The most common—and, unfortunately, least secure—is to receive a special code sent via SMS. We recommend readers avoid this method if possible because those messages can potentially be intercepted.
A better option is to use a code-generating authenticator app, such as Authy or Google Authenticator. Once you enroll the app with an account you want to secure, the app will spit out new codes every 30 seconds. Most of the time, this means that you enter your username and password, and then you’re prompted to enter the most recent code from the authenticator app.
Apple does in fact offer another form of multi-factor authentication: You can verify your identity using another Apple device where you’re already logged in. In this scenario, you enter your Apple ID credentials and then a notification appears on all your devices along with a one-time use code. This isn’t an SMS code, so it’s a fairly good MFA option.
What Are Security Keys?
The big downside to all of the MFA options above is that they require a functional device or a data or cellular connection or both. That isn’t always an option. Fortunately, there’s another option: hardware security keys.
Security keys are small physical devices that are robust enough to live on your keychain. Many don’t have batteries, nor do they require data connections of any kind. Some even include a biometric option. What’s great about them is that they’re easily kept on your person and hard to attack—although you do run the risk of losing or damaging them (more on that later).
When you use a security key as your MFA device, you just enter your username and password as usual and then present your key to your device when prompted. Security keys have a variety of connectors available, are compatible with adapters (such as USB-A to USB-C dongles), and many support wireless authentication for mobile devices with NFC.
Although we’re stuck with passwords for the time being, security keys are helping get rid of this cumbersome and ineffective method of protection. Many devices and services are starting to support passwordless authentication, and some passwordless options rely on the latest hardware security keys.
What Security Keys Should You Use With Apple ID?
When choosing a security key, you’ll want to consider price and compatibility. For price, you should expect to pay around $20 to $80 for most security keys. Higher-price keys usually have more advanced features, like additional authentication options or biometrics. Advanced features are cool, but don’t pay for features you won’t use.
Price is an especially important point when securing your Apple ID because Apple requires that you enroll two security keys, which means you’ll have to shell out for two. Fortunately, you can mix and match, perhaps purchasing a fancy key for daily use and a basic, cheaper key as a backup.
Compatibility is a trickier consideration. Most security keys come with one USB-C or USB-A connector. Consider the devices you have and what ports are available. If you’re finding USB-A increasingly rare among your devices, go with USB-C.
Most Apple mobile devices don’t support USB-C yet, but many support NFC. Apple users should be sure to select a security key that also supports NFC for easy authentication on iPhones and iPads. We prefer this wireless option to the YubiKey 5Ci—a security key with USB-C on one side and an Apple Lightning connector on the other—which is expensive compared with other keys and doesn’t support NFC.
For its part, Apple recommends the YubiKey 5C NFC, the YubiKey 5Ci, and the Feitian ePass K9 NFC USB-A in its documentation. While we agree that the YubiKey 5C NFC is a great option, the YubiKey Security Key C NFC might be a better option for first-time users as it costs half as much as the 5C. Note that Yubico has discontinued its blue version of this key and a new black-clad key is forthcoming.
One final wrinkle is that Apple’s online support documentation says that you must use a key that has been certified by FIDO—the organization that manages the open standard on which security keys function. We haven’t tested to see if this is really enforced by Apple or if it’s simply a best practice.
How to Set Up Security Keys for Apple ID
There are a few things to do before you enroll security keys with your Apple ID. Most importantly, if you haven’t already enabled MFA for your Apple ID, you’ll have to wait a few weeks before you can add security keys. Presumably, this is to prevent someone from taking over your account and then locking you out by enrolling security keys. Not to worry: Having any form of MFA is better than none, and your account won’t be a sitting duck while you wait.
You’ll also, of course, need to have two hardware security keys. Remember that Apple requires you to enroll two keys, so have them both handy. If you’ve previously set a PIN for your security key, you’ll be prompted to enter that as well.
You should also update all your Apple devices before you begin. Apple supports security key enrollment only on iOS 16.3, iPadOS 16.3, or macOS Ventura 13.2 or later.
Finally, be sure to have your password (which is ideally randomly generated and stored in a password manager) handy, and some means to verify your identity. Apple frequently uses other devices you’ve already logged into for verification purposes, so have another Apple mobile device or computer handy. In our testing, we only had one Apple device available and were able to verify our identity using a phone number previously enrolled with Apple.
Before you start, there are a few caveats that Apple notes in its online documentation. If you have an Apple Watch paired to a device where you’re not logged in (say, your spouse’s iPad), you’ll want to pair your Apple Watch to a device where you are logged in. Apple also says that Managed Apple IDs and Apple IDs for children are not eligible for security keys. Finally, Apple warns that you will no longer be able to sign into iCloud for Windows.
Enrolling Security Keys With an iPad or iPhone
On iOS or iPadOS, open the Settings app and tap your name at the top of the menu. On the next screen, tap Password & Security, then tap Add Security Keys.
You’ll then be prompted to plug in or tap your first security key. If you’re plugging it in, you’ll also be prompted to tap the key to confirm. If you’re enrolling the key with NFC, you should tap and hold the key to the top of the screen. It will ask you to do this twice. Sometimes, it will take the device a moment or two to read the key, so don’t move it around unless you’re told it failed to read. If you’ve previously set a PIN for your security key, you’ll have to enter it now.
After you’ve enrolled the first key, you’ll be prompted to repeat the process with your second security key.
Finally, you’ll be presented with a list of devices already associated with your Apple ID. You’ll now have the option to remain logged in or remotely log out of those devices. If you see old devices you no longer use or even own, be sure to log them out.
Enrolling Security Keys With macOS
To enroll a key in macOS, click the Apple menu, then System Preferences, click your name in the upper-left corner of the pane, and then click Password & Security. After that, click Security Keys, then select Add. You should be guided through a setup process similar to enrolling keys on a mobile device.
Keep in mind that to enroll keys on an Apple desktop or laptop, you’ll be plugging them into the appropriate port when prompted—not relying on NFC.
Congratulations! You’re now protecting your Apple ID with security keys.
How to Log in to Your Apple ID With a Security Key
The next time you go to log in to an Apple device, you enter your Apple ID username and password as usual. Once those are accepted, you’ll then be prompted to plug in your security key or tap it if you’re using a mobile device. Again, if you plug your key in, you’ll be prompted to tap it, and if you’re tapping your key against a mobile device, you’ll want to aim for the top of the screen and wait a beat or two.
You’ll also need your security key when you try to log in to Apple’s online services through a browser. Again, you’ll enter your username and password, then plug your key into your laptop or desktop and tap it, or tap the key against your mobile device.
In our testing, we were able to log in to appleid.apple.com without issue using Chrome, Opera, or Safari. However, we received an error message when trying to use Firefox.
Unfortunately, you won’t be able to use a security key when you log in to certain Apple devices—specifically, Apple TVs and HomePods. For these devices, you’ll need to authenticate your identity using another Apple device.
What Should You Do If You Lose Your Security Key?
The advantage of a security key is that it’s a thing, and not an app or a service that delivers codes. The disadvantage is that a security key is a thing that you can lose or have stolen. Fortunately, Apple requires that you enroll a second security key with one serving as a backup to the first.
If you’ve lost both your security keys you might want to spend a little time reorganizing your life, right after you’ve regained control of your account. If you’ve enabled another authentication option—such as receiving codes from Apple sent to your device or via SMS—you should try to use those to access your account. Apple notes in its documentation that as long as you are logged in to at least one of your devices, you should be able to regain control of your account. Once you’re able to access account settings, you’ll want to unenroll your security keys. If you find them again, you can simply reenroll them.
It’s best to prepare for such eventualities by having numerous backup options at the ready. Apple provides two options for account recovery: Recovery Contact and Recovery Key. On iOS and iPadOS, you can find both by tapping Settings, then Apple ID (tap your name at the top of the menu), then Password & Security, and finally Account Recovery.
On macOS, you can find recovery contact options in the Password & Security settings of System Preferences. The recovery key options are in the Account Details area of macOS System Preferences.
A recovery contact is a person you nominate who can verify your request to regain access to an Apple ID. There are some limitations about who you can select for this role, however. An acceptable candidate must be more than 13 years old, have MFA activated for their Apple ID, have a fairly new OS running on their device, and use iMessage. In our testing, the person we nominated had a valid Apple ID but used Android mobile devices for messaging, so we weren’t able to nominate the individual.
Recovery keys have no such restrictions. Instead, you generate a 28-digit recovery key for your account. You can use this long jumble of text characters to unlock an account when all else has failed. Be sure to store your key in a secure place, perhaps writing it down somewhere safe. Other sites and services offer a feature similar to recovery keys (sometimes called backup codes or backup keys), and we encourage everyone to use them where available. Note that when you generate a recovery key with Apple, you’ll be prompted to enter the whole thing to confirm it, so be prepared. If you lose your recovery key, you can generate a new one from a device where you’re still logged in.
On a more somber note, Apple also lets you select a person who can take over your Apple ID should you die. This might seem tangential, but unless your family knows what MFA options you’ve employed and where to find your security keys, they won’t be able to access your Apple ID. On iOS, you can find this option under Legacy Contact in the Password & Security Settings menu; on macOS, it is in the Password & Security settings of System Preferences.
Should You Use Security Keys With Your Apple ID?
Security keys are perhaps the most secure MFA option, but that doesn’t mean they work for everyone. Security keys cost money, they can be lost, and you have to have them handy in order to log in. If all that sounds like more than you can cope with, you should use a different MFA option. Ultimately, what’s most important is that you take steps to secure all your accounts however you can.