Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: Epiktistes
Epiktistes Author
User level: Level 1
19 points

How do security keys interact with other methods for 2FA and account recovery?

If security keys are enabled for an Apple ID, are all other forms of two factor authentication and account recovery disabled?


The question is prompted this statement:

"If you lose all of your trusted devices and security keys, you could be locked out of your account permanently."

(Quoted from "About Security Keys for Apple ID - Apple Support".)


I'm puzzled because after I enabled security keys for my account, the "Passwords & Security" tab in the Settings app still shows:


  • A trusted phone number.
  • An account recovery contact.
  • Recovery Key: on


Will any of these still work if needed? The warning quoted above suggests that they will not, but if this is true, why does the Settings app still show them being active, and why won't it allow me to remove my trusted phone number?


iPhone 14 Pro

Posted on Feb 5, 2023 8:19 PM

Reply
Question marked as Best reply
User profile for user: Epiktistes
Epiktistes Author
User level: Level 1
19 points

Posted on Feb 6, 2023 1:28 PM

Thanks, Chattanoogan, that's a good suggestion, which I would have followed straight away if I were a little less lazy. I wish Apple did a better job of documenting this stuff, but I think it's answered my question.


I've been doing the experiment, and your suspicion is correct -- other authentication methods are still "on file", but are disabled when FIDO keys are linked to the Apple ID. (In particular, the "Get Verification Code" option is no longer visible.) This is what the 2FA dialog looks like with FIDO keys enabled:


Note that there is no fallback option for another 2FA method. There's only "Cancel", which completely aborts the login. Your trusted devices won't show a verification code, but will show a pop-up like this:



If the FIDO keys are removed, the other authentication methods are available once again:

This is why you can survive losing your FIDO keys only if you still have a trusted device, because you need the trusted device to remove the keys from your account. This seems pretty well thought out to me -- the account owner can downgrade security if necessary, but that's not an option for an adversary. I'm exasperated with web sites that are smart enough to allow FIDO for 2FA, but dumb enough to insist on SMS as a fallback. (Looking at you, vanguard.com.)


You need the device passcode to add or remove keys, but not your Apple ID password:


View in context

Similar questions

5 replies
Question marked as Best reply
User profile for user: Epiktistes
Epiktistes Author
User level: Level 1
19 points

Feb 6, 2023 1:28 PM in response to Chattanoogan

Thanks, Chattanoogan, that's a good suggestion, which I would have followed straight away if I were a little less lazy. I wish Apple did a better job of documenting this stuff, but I think it's answered my question.


I've been doing the experiment, and your suspicion is correct -- other authentication methods are still "on file", but are disabled when FIDO keys are linked to the Apple ID. (In particular, the "Get Verification Code" option is no longer visible.) This is what the 2FA dialog looks like with FIDO keys enabled:


Note that there is no fallback option for another 2FA method. There's only "Cancel", which completely aborts the login. Your trusted devices won't show a verification code, but will show a pop-up like this:



If the FIDO keys are removed, the other authentication methods are available once again:

This is why you can survive losing your FIDO keys only if you still have a trusted device, because you need the trusted device to remove the keys from your account. This seems pretty well thought out to me -- the account owner can downgrade security if necessary, but that's not an option for an adversary. I'm exasperated with web sites that are smart enough to allow FIDO for 2FA, but dumb enough to insist on SMS as a fallback. (Looking at you, vanguard.com.)


You need the device passcode to add or remove keys, but not your Apple ID password:


Reply
User profile for user: Chattanoogan
Chattanoogan
User level: Level 7
24,060 points

Feb 6, 2023 6:29 PM in response to Epiktistes

Thanks for the very complete and illustrated update.


Note that any keys used should have their own PINs set.


Otherwise, simple physical possession of the key provides access.


Once I get my own MBP updated to Ventura, I’ll likely experiment with it myself.


Your comment about FIDO2 implementations w/ a FAR less secure “fallback” is well put. It’s all about the “… weakest link …”

Reply
User profile for user: Chattanoogan
Chattanoogan
User level: Level 7
24,060 points

Mar 10, 2023 2:07 PM in response to johnnygoodface

I indeed have FIDO2 PINs set on all of our Yubikeys and yes, they behave exactly as expected in the Apple Security Key environment.


My spouse’s AppleID (our family’s organizer) is now “key secured” although I’m still holding-off on my own at least until I transition my own “work” MBP to Ventura.


It pops-up a basic dialog box box during the authentication process where you simply enter your key’s FIDO2 PIN followed by [Enter].


I configured our own keys w/ a bit of open source Yubikey management software, although there are other possible methods.


For a slightly “deeper dive” into the functionality, see this from Yubico:


https://support.yubico.com/hc/en-us/articles/4402836718866-Understanding-YubiKey-PINs

Reply
User profile for user: Chattanoogan
Chattanoogan
User level: Level 7
24,060 points

Feb 5, 2023 11:41 PM in response to Epiktistes

An interesting question.


Why not simply try logging-in to iCloud from an un-trusted device and see if receiving a code to a “trusted number” is still an option after selecting “Didn’t Receive Code” ?


That won’t answer all of your questions but it would provide a “piece” in understanding the new capability.


It might be that the other authentication methods are still “on file” but simply disabled as long as there are FIDO keys securing the AppleID.


Do your devices still generate 6-digit codes themselves? e.g. in iOS Settings -> AppleID, -> Password & Security -> Get Verification Code


if they DO … do the codes work to logon from an untrusted device?

Reply
User profile for user: johnnygoodface
johnnygoodface
User level: Level 1
65 points

Mar 10, 2023 11:07 AM in response to Chattanoogan

Ouf I didn't think of adding a PIN my security keys! Something I might add later, but it will require some experimenting with because I've never heard of anyone (on the web) adding a PIN to their keys before adding them to their AppleID and it's not even in Apple's instructions.... I mean, when would the login process would ask you for your security PIN - once you connected the key in the USB port or after the "Continue" button? Have you tried that yourself?

Reply

How do security keys interact with other methods for 2FA and account recovery?

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.
Learn more Sign up