Security key to log into my apple account?

I have a Security key for 2FA to log into my Google & Amazon accounts.


Why does Apple not allow me to use my Security key to log into my Apple ID account?


Posted on Mar 22, 2021 6:24 PM

Question marked as Top-ranking reply

Posted on Mar 23, 2021 1:43 PM

Most here are other users like you (with the exception of sterling r), and we don't know why Apple makes certain decisions.


At present, Apple does not offer support for hardware security tokens within the Apple ID two-factor authentication implementation.


The closest Apple gets to hardware token authentication are cases where you can authenticate using an Apple Watch. Which isn't what you're looking for here. Apple usually uses iMessage for the second factor, though phone calls and SMS messages can be used. That iMessage message is often sent to iPad, iPhone, Watch, or some other "trusted device".


And yes, SMS is known to be weak.


If you'd like to see hardware token authentication added, log some feedback for Apple: Product Feedback - Apple


6 replies
Mar 23, 2021 12:38 PM in response to HaroldMac

Hello HaroldMac,


It sounds as though you're wanting to use two-factor authentication with your Apple ID? If so, you can set up that feature using the steps outlined in the following article. When two-factor authentication is set up, you would be sent a new verification code each time you sign in to your Apple ID to a trusted number and/or trusted devices.


Two-factor authentication for Apple ID


If you're wanting to use the same code used for Google and Amazon, that isn't possible as those codes are specific to the accounts in question. If you're asking about two-step verification where the same code is used each time, this is still account specific, and different codes would be created for different accounts. If you want to set up two-step verification you can find the steps for doing so in the article below. Do keep in mind that while two-step verification is secure, two-factor authentication is more secure.


Two-step verification for Apple ID


Have a wonderful week!

Mar 23, 2021 12:56 PM in response to HaroldMac

HaroldMac wrote:

I have a Security key for 2FA to log into my Google & Amazon accounts.

Why does Apple not allow me to use my Security key to log into my Apple ID account?

Because Apple does not support use of security keys, while Google and Amazon do. Different companies have different 2 factor login systems.


Apple’s 2 factor codes by default are sent by encrypted iCloud notification using Apple’s own iCloud notification hardware. Google and Amazon send their 2 factor codes by SMS text or email, which is not a very secure method to send codes (and is why Apple deliberately only uses SMS as a backup system, not the default for sending codes). So in Google and Amazon’s case a security key could be considered better than sending codes as unsecured texts or emails.


But an unchanging security key could also be compromised possibly. Encrypted iCloud notifications are transient, encrypted except for the period they are displayed for you to see on your device, and then purged. And the code expires in a few minutes, so another different encrypted notification would have to be sent.

Mar 23, 2021 1:15 PM in response to Michael Black

Thanks for the reply.


'Apple’s 2 factor codes by default are sent by encrypted iCloud notification using Apple’s own iCloud notification hardware'.


I don't use iCloud & I have not set up iCloud. I log in by my MacBook Pro only with my browser. I use my YubiKey [security key] & have a backup, in case I lose one.


How could my YubiKey be compromised?


Mar 23, 2021 1:24 PM in response to HaroldMac

Somebody steals it? And at least as a proof of concept, it can be hacked. At least a couple of years ago there was an article that two hackers presented a mechanism at the annual DEF CON meeting that YubiKey and other RSA tokens could be spoofed and circumvented.


RSA car keys have been known to be hacked. Hardware based security tokens are good yes, but not absolutely perfectly secure either.

Mar 23, 2021 4:17 PM in response to MrHoffman

Actually, they don’t use iMessage. They use the Apple Push Notifications system (APNS) which is separate from iMessage. The APNS system predates iMessage by 2 or 3 years.


All push notifications, regardless of source app, get funneled through Apple’s own APNS system. So Apple uses it via a user's iCloud account for routing to push the 2FA code as a transient popup notification. The entire process is encrypted and transmitted over TLS (which replaced SSL a few years back).
