Apple to tap third party for physical security keys
Apple is launching a number of new security protections, including the addition of third-party-provided hardware security keys
Apple is to introduce three security features focused on protecting user data in the cloud as the next step in an ongoing programme of cyber improvements, among them the addition of the tried-and-tested physical security key, which it will source from an unspecified third-party supplier.
The three new features, which are to become available globally over the course of 2023, comprise Security Keys for Apple ID, giving users the choice of having a physical form of multifactor authentication (MFA); Contact Key Verification for iMessage, to allow users to verify they are communicating with the intended party; and Advanced Data Protection for iCloud, offering end-to-end encryption across users’ iCloud data, such as Backup, Photos and Notes.
“At Apple, we are unwavering in our commitment to provide our users with the best data security in the world. We constantly identify and mitigate emerging threats to their personal data on devices and in the cloud,” said Craig Federighi, Apple’s senior vice-president of software engineering.
“Our security teams work tirelessly to keep users’ data safe, and with iMessage Contact Key Verification, Security Keys and Advanced Data Protection for iCloud, users will have three powerful new tools to further protect their most sensitive data and communications.”
Apple introduced MFA for Apple ID nearly eight years ago, and over 95% of active iCloud accounts already use such protection. However, Apple said physical Security Keys would give users more choice in terms of how they go about securing their personal data.
For those who choose to opt in, Security Keys will strengthen existing MFA by requiring a hardware security key as one of the two factors, which will eliminate the possibility of an attacker obtaining a user’s second factor – such as a one-time passcode – via targeted phishing.
Cupertino did not say from whom it would be sourcing these hardware keys. However, according to 9to5Mac, it is working with the FIDO Alliance to ensure cross-platform compatibility with open standards.
The service is designed for users who are more likely to face targeted threats to their online accounts, such as government officials, journalists, or others in the public eye, but there is no indication that it will not be universally available.
ESET cyber security advisor Jake Moore commented: “Hardware security keys offer protection and peace of mind knowing that it is one of the most secure ways of entering an account and is often offered as an entry method to highly sensitive accounts. Attackers still largely target Apple users with phishing scams or via physical device thefts, but the use of security keys will potentially go one step further towards mitigating this common risk and it will inevitably protect Apple accounts even more.
“To gain the full security benefits of this new feature, it is best to remove all other forms of account verification and solely rely on physical security keys to gain access, which will stop hackers from bypassing this form of chosen authentication. It is also a good reminder to remain vigilant to potential phishing and vishing emails and calls from those trying to gain access to your Apple accounts,” he said.
Contact Key Verification for iMessage is likewise designed with highly attacked users in mind, offering additional protections to existing end-to-end encryption features. Users will be able to choose to further verify that they are messaging the right person, while conversations between users who enable the feature will receive alerts should an advanced adversary succeed in accessing Apple’s infrastructure to eavesdrop. Users will also be able to compare a so-called Contact Verification Code, either in person, on FaceTime, or via another call.
Meanwhile, Advanced Data Protection for iCloud will add to existing security features, introducing end-to-end encryption across more forms of data. iCloud already protects 14 sensitive categories in this way, and this now rises to 23 for users who opt in. This means stored data can only be viewed on trusted devices. Apple claims the feature will keep “most” iCloud data protected even if the service is breached.
The three new features join a raft of other protections Apple already has in place, from on-board device encryption and data protection, to features such as Lockdown Mode, introduced earlier in 2022 to protect iPhone and iPad users from “mercenary” spyware such as that produced by disgraced Israeli malware developer NSO Group, which targeted Apple devices using an exploit known as ForcedEntry.