In addition to significantly scaling up iCloud end-to-end data encryption, Apple made two other important security announcements today. The company says it will add support for the use of security keys to further enhance the security of your Apple ID and iCloud account. In particular, iMessage has a new feature that the company calls iMessage contact key verification.
< h2 id="h-security -keys">Security Keys
First of all, Apple announced that starting in 2023, users will be able to increase the security of their Apple ID and iCloud account with hardware security keys. This means you'll have a physical hardware device that you can set up to use as the second level of two-factor authentication for your account.
Apple tells 9to5Mac that this security key system integrates with its device—to – the process of transferring the device. This way, once you authenticate your iPhone with the security key, you won't have to do it again if you get a new iPhone, as long as you use the device-to-device transfer process when you set up your new iPhone.
In addition, the company says that trusted devices that are already signed into your Apple ID will not be logged out when authenticated using the security key feature. Instead, adding a security key is meant to prevent sophisticated attacks where a person might try to sign into your Apple ID on an unknown, untrusted device. “This further enhances our two-factor authentication, preventing even an advanced attacker from getting the user's second factor in a phishing scam” Apple says.
Apple will not manufacture the hardware security key itself. Instead, it will use third-party offers. The company is working with the FIDO Alliance to ensure cross-platform compatibility with open standards.
iMessage Contact Key Verification
Second, Apple is announcing a new security system for iMessage. Called “iMessage Contact Key Verification”, this feature allows iMessage users to “additionally verify that they're only messaging with the right people.”
This feature works by alerting users with security enabled. “if an exceptionally advanced adversary, such as a government-sponsored attacker, ever succeeds in hacking into cloud servers and inserting their own device to listen to these encrypted messages”
Both users communicating via iMessage must have the contact key verification feature enabled. For another added layer of security, iMessage Contact Key Verification users can compare the contact verification code in person, in FaceTime, or during another secure call. This verification code is available through the Messages app.
You can see what this notification looks like in the top image of this article. When an unidentified device is added to another person's account, you'll see an inline alert in your message thread that “an unidentified device may have been added.” for this person.
One thing that Apple has repeatedly stressed is that these features are really meant for users who experience “ “consensual threats to their online accounts.” This includes people such as celebrities, journalists and members of the government. In particular, Apple states that “the vast majority of users will never be the victims of sophisticated cyberattacks.”
However, with this in mind, Apple recognizes that these features are necessary for users who can be specifically sought. Apple told 9to5Mac that it is not aware of the iCloud servers being hacked, but is constantly battling attacks.
For most people, two-factor authentication is enough protection for an Apple ID. and iCloud accounts. Apple says 95% of active iCloud accounts use two-factor authentication, making it “the most widely used two-factor account security system in the world.”
Apple ID Security Keys to launch globally in early 2023 year, and checking the iMessage contact key sometime in 2023.