Security key to log into my apple account?

Most here are other users like you (with the exception of sterling r), and we don't know why Apple makes certain decisions.

At present, Apple does not offer support for hardware security tokens within the Apple ID two-factor authentication implementation.

The closest Apple gets to hardware token authentication are cases where you can authenticate using an Apple Watch. Which isn't want you're looking for here. Apple usually uses iMessage for the second factor, though phone calls, and SMS messages can be used. That iMessage message often sent to iPad, iPhone, Watch, or some other "trusted device".

And yes, SMS is known to be weak.

If you'd like to see hardware token authentication added, log some feedback for Apple: Product Feedback - Apple

Hello HaroldMac,

It sounds as though you're wanting to use two-factor authentication with your Apple ID? If so, you can set up that feature using the steps outlined in the following article. When two-factor authentication is set up, you would be sent a new verification code each time you sign in to your Apple ID to a trusted number and/or trusted devices.

Two-factor authentication for Apple ID

If you're wanting to use the same code used for Google and Amazon, that isn't possible as those codes are specific to the accounts in question. If you're asking about two-step verification where the same code is used each time, this is still account specific, and different codes would be created for different accounts. If you want to set up two-step verification you can find the steps for doing so in the article below. Do keep in mind that while two-step verification is secure, two-factor authentication is more secure.

Two-step verification for Apple ID

Have a wonderful week!

HaroldMac wrote:

I have a Security key for 2FA to log into my Google & Amazon accounts.

Why does apple not allow me to use my Security key to log into my apple ID account?

Because Apple does not support use of security keys, while Google and Amazon do. Different companies have different 2 factor login systems.

Apple’s 2 factor codes by default are sent by encrypted icloud notification using Apple’s own icloud notification hardware. Google and Amazon send their 2 factor codes by SMS text or email, which is not a very secure method to send codes (and is why Apple deliberately only uses SMS as a backup system, not the default for sending codes). So in Google and Amazon’s case a security key could be considered better then sending codes as unsecured texts or emails.

But an unchanging security key could also be compromised possibly. Encrypted icloud notifications are transient, encrypted except for the period they are displayed for you to see on your device, and then purged. And the code expires in a few minutes, so another different encrypted notification would have to be sent.

Somebody steals it? And at least as a proof of concept, it can be hacked. At least a couple of years ago there was an article that two hackers presented a mechanism at the annual DEF CON meeting that YubiKey and other RSA tokens could be spoofed and circumvented.

RSA car keys have been known to be hacked. Hardware based security tokens are good yes, but not absolutely perfectly secure either.

Actually, they don’t use iMessage. They use the Apple Push Notifications system (APNS) which is separate from iMessage. The APNS system predates iMessage by 2 or 3 years.

All push notifications, regardless of source app, get funneled through Apple’s own APNS system. So Apple uses it via a users iCloud account for routing to push the 2FA code as a transient popup notification. The entire process is encrypted and transmitted over TSL (which replaced SSL a few years back).