Easy Yubikey How-To: Two Factor Authentication for iOS!

I love Yubikeys…when it comes to securing my accounts, I use them absolutely everywhere. You can check out my video titled ‘You Should Be Using Yubikeys‘ to learn more about these impressive little security devices.

The keys I like best are the Yubikey 5-series. There’s the Yubikey 5 NFC which features USB-A or USB-C on one end as well as NFC capability. There’s also the Yubikey 5Ci which has USB-C on one end, and a lightning connector on the other – great for use with Apple products.

A few weeks ago, Yubico announced native FIDO U2F security key support for use with iOS 16.3, iPadOS 16.3, and macOS Ventura 13.2. This means that you can use two-factor authentication (2FA) to secure your Apple ID across these devices.

Types of 2FA

Let’s step back a moment and talk about various types of 2FA. At this point, most of us are aware of SMS 2FA where you log in, and a website sends a code to your cell phone that you need to enter in order to complete the login process. This is one of the least secure ways of implementing 2FA because phones can be lost, or SIP swapped – this type of 2FA is also a huge target for scammers and phishing attempts.

A better method of 2FA is TOTP, or Time-based One Time Passcodes. This is the type of 2FA where you have a separate app such as Google Authenticator, Authy, or any one of a number of 2FA applications that generate a 6-digit code based on an algorithm and you have to enter in that code to complete the login process when you’ve enabled TOTP on a website or login.

Both of the 5-series Yubikeys that I mentioned above can do TOTP in conjunction with the Yubico Authenticator app for your PC or smart phone. Using a Yubikey with TOTP is a bit more secure than using Google Authenticator or similar since you have to have both the application and the hardware key to generate the code vs. someone who gains access to your phone with Google Authenticator…they can generate codes at will.

Finally, the next step up in 2FA authentication mechanisms is FIDO U2F (Fast Identity Online Universal Second Factor). FIDO U2F is an open authentication standard that allows users to access services with a physical security key. It works without any additional software or device drivers, and you also don’t have to type in any code to use it (can’t be phished). The encryption it uses (HMAC-SHA-256) is also more secure than TOTP’s encryption (SHA-1).

FIDO U2F is more secure by virtue of physically requiring the hardware key to log in. There’s no code that can be phished – you absolutely have to have the hardware key in your possession to authenticate.

The Yubikey 5-series keys will do both TOTP and FIDO U2F, which is why I prefer these…they’re amazing for general 2FA usage. You should be using FIDO U2F for any websites that allow it, and if a website only has TOTP capability, you’re still covered.

Requirements

OK – so now after that slight detour, hopefully you have a better understanding of why FIDO U2F is the preferred method of 2FA. This announcement from Apple means that as of the versions I listed above, your Apple ID can now be secured with FIDO U2F compatible devices such as the Yubikey 5-series security keys. Setup is super simple – here’s what you need to get started:

• At least (2) FIDO Certified security keys such as the Yubikey 5 NFC or Yubikey 5Ci. You need at least 2 for redundancy, but I personally use 3 of these keys (2 of the 5 NFC’s, and 1 of the 5Ci’s).
• iOS 16.3, iPadOS 16.3, or macOS Ventura 13.2, or later on all of the devices where you’re signed in with your Apple ID.
• Two-factor authentication set up for your Apple ID.

The full list of requirements and setup instructions can be found HERE.

I’m going to be demonstrating how to configure FIDO U2F on an iPhone, however this can be done on an iPhone, iPad, or Mac.

Setting up FIDO U2F for Apple

First thing is to check your version – on iPhone you can go to Settings –> General –> About. If you’re not on v16.3, you’ll need to upgrade first before moving on.

Once you’re on v16.3, go to Settings –> Click on your name/thumbnail pic at the very top of the Settings page. Then choose Password & Security.

In Password & Security, we’ll assume that 2FA is on already (right??), but if not you’ll have to enable it first. Once enabled, click on ‘Add Security Keys’

It will show you some info about FIDO Certified security keys – click ‘Add Security Keys’ again.

Next, you’ll get a disclaimer about needing (2) security keys – click ‘Continue. You’ll be prompted for your iPhone passcode.

Now it wants you to add the first security key. If your security key has NFC, hold it to the back of the iPhone near the top. If you have a lightning connector, plug it in and press the contact on the side of the Yubikey.

Once your Yubikey is detected, you’ll have to enter in your Yubikey PIN code and do the NFC/press the contact again. Then you’ll be asked to name the security key.

Once that first security key has been added, you’ll then repeat the process for the second key. After the second key has been added, you’re dumped back into the Password & Security screen.

If you’re like me, and you have 3 Yubikeys, you’ll now want to click on Security Keys –> Add Security Key and then repeat that same process yet again for the 3rd key.

Once you’ve added all of your security keys, you’re all set and your Apple ID now has the most secure protection available! Congrats!

Thank You!

Thanks so much for using this Yubikey tutorial – I will update it with any
corrections or updates to the installation instructions.

If you would like to support Crosstalk Solutions, you can BUY ME A BEER HERE! Or
check out some of the cool stuff we have in our Crosstalk merch store!