With the addition in January 2023 of support across its current operating systems for hardware security keys to protect your Apple ID, Apple has extended to four the number of kinds of secrets it can generate, support, or manage for you.
This can be confusing. One colleague only recently discovered that Apple supports verification codes directly in Safari when they were prompted by their operating system to use Apple’s system when upgrading account security at a website.
As of March 2023, here are the secrets Apple can work with for you:
- Passwords: Apple’s built-in password management system, it’s accessible via Settings > Passwords in iOS/iPadOS, and via System Preferences > Passwords (Monterey), System Settings > Passwords (Ventura), or Safari > Preferences > Passwords (several versions). Apple lets you generate, store, and retrieve passwords in Safari and in apps that use the WebKit view. You can also use the Passwords interface to create password entries manually, add notes, and copy stored passwords and account IDs.
- Second-factor codes: Apple calls this kind of second-factor authentication (2FA) token a verification code. More technically, they’re a time-based one-time password (TOTP). When you enroll in 2FA at a website, you are often offered the option of an authentication or verification code. (See this column for details on using this approach.) Apple added this option in iOS 15, iPadOS 15, and Safari 15 for macOS (Monterey and later).
- Passkeys: A newer industry-wide approach to security, called a passkey, relies on more complicated underpinnings than a password and second-factor code, but it’s more secure and reliable. (I explained it in full in this column.) You don’t enter a password but confirm a passkey with Touch ID, Face ID, or a device passcode or macOS account password. Apple added passkey support to iOS 16, iPadOS 16, and macOS 13 Ventura, although a working preview form appeared in the previous release of each. You enroll at a website to use passkeys, much like two-factor authentication. A unique set of encryption information is created for each login, preventing hijacking and impersonation. Few sites support them yet, but with Google and Microsoft also on board, that should rise substantially in 2023.
- Hardware security keys for web logins: Dating back a few years, an industry consortium (the one also behind passkeys) created a standard for hardware security keys–like those made by Yubico–that can connect to a mobile, desktop, or laptop device via USB, Lightning, or NFC. The hardware key manages the login process. This hardware approach, called WebAuthn, essentially evolved into passkeys, though both forms have their uses. When some websites prompt you to enter a hardware key, Apple provides the option of using a passkey, even. The big difference? Passkeys are synced among your devices; a hardware security key is a physical item.
- Hardware security keys for Apple ID: Apple enhanced Apple ID logins by letting you use hardware security keys as of January 2023, although this requires being up to date with all the latest versions of its operating systems (iOS, iPadOS, macOS, tvOS, watchOS, and HomePod’s OS) to avoid you being locked out. Apple requires that you register two security keys for extra safety in case one is lost or damaged.
Looked at in another way:
- A password is something you can remember or have filled in for you by a password manager, like Apple’s built-in support.
- A second-factor authentication code or passkey requires having one of your devices on hand and using it to log in directly or approve a login on another piece of hardware you’re using.
- A hardware security key requires that you have the key in hand and must insert it into a device that you’re using to log in from, such as setting up a new iPhone.
This Mac 911 article is in response to a question submitted by Macworld reader Brett.
Ask Mac 911
We’ve compiled a list of the questions we get asked most frequently, along with answers and links to columns: read our super FAQ to see if your question is covered. If not, we’re always looking for new problems to solve! Email yours to [email protected], including screen captures as appropriate and whether you want your full name used. Not every question will be answered, we don’t reply to email, and we cannot provide direct troubleshooting advice.