Why have FIDO/Security keys?

I added FIDO keys to my iPhone for additional protections for my Apple ID. If you read this article, support.apple.com/en-qa/HT213154, it lists three things that require the security key:

  • Sign in with your Apple ID on a new device or on the web
  • Reset your Apple ID password or unlock your Apple ID
  • Add additional security keys or remove a security key

This made me think that adding the keys would prevent a malicious change to my Apple ID password. However, the article also states, "you need a trusted device or a security key," so accessing or changing anything under "Password and Security" is possible, even removing added security keys, because the iPhone is a trusted device. So, adding the FIDO keys doesn't do much, if anything, to improve your security posture or to assist in recovering your account, and it defeats the purpose of MFA.


A simple suggestion for Apple: if I add security keys, require one to access/change anything under "Password and Security" or maybe require it for anything under the top level "Apple ID/Name" settings.

iPhone 12 Pro Max, 16

Posted on May 3, 2023 6:59 AM

Question marked as Top-ranking reply

Posted on May 3, 2023 7:52 AM

In evaluating the relative advantages and disadvantages of using Security Keys with your Apple devices, this discussion may also be of interest to you…:

YubiKey authentication - Apple Community


Security Keys can provide a useful additional level of security for your AppleID account in some circumstances - however, they are not necessarily a good choice for some (if not the majority) of users. They are certainly not for everyone. Be aware that if anyone can gain access to a trusted device - and have knowledge of your device Passcode - all protections offered by Security Keys can be negated in some circumstances.


In addition to all of your own devices meeting the required minimum requirements (iOS/iPadOS 16.3 or later), your trusted nominated Recovery Contact(s) must also have suitable Apple devices - although they do not necessarily need to be using Security Keys themselves.


You should note that if your Security Keys are lost, you are entirely reliant upon your nominated Recovery Contacts to assist with recovering access to your AppleID account. By design, neither Apple nor anyone else can access or reset your account; if you lose access to your account, loss of access will be permanent - along with loss of all associated data - and all Apps and subscriptions purchased from the AppleID account.


You can find a list of supported Keys here:

About Security Keys for Apple ID - Apple Support


You must also have at least two (many would recommend three) compatible Security Keys - and this alone carries a cost.


The iPad User Guide provides useful information about Security Keys and other aspects of your iPad. Here is a direct link to the relevant section of the Guide:

Use security keys to sign in to your Apple ID account on iPad - Apple Support


May 3, 2023 8:57 AM in response to spjordan1432

Log feedback with Apple, as yes, a trusted device—the caching of token trust—does undermine the aggregate security provided by tokens. Somewhat.


Product Feedback - Apple


The caching avoids the need to use the token nearly as often. (There are always trade-offs with security, of course.)


Pending any hypothetical changes by Apple, such as added customization options for trusted device management, or adding a configurable mechanism to selectively expire the caching of the trusted-device status, or other such, expect to need to quickly mark a device as lost or stolen. One way to do that is with Apple Watch.


Where tokens help is when you can have a few tokens around, should the available (trusted) devices all be lost or stolen. Or marked as such.


And tokens entirely avoid some risks with two-factor communications, such as SIM cloning or a compromised carrier or compromised carrier PIN, a shared or otherwise insecure trusted telephone line, or (as has happened in a few cases) SS7-based SMS shenanigans.

May 3, 2023 7:19 AM in response to spjordan1432

spjordan1432 wrote:

A simple suggestion for Apple: if I add security keys, require one to access/change anything under "Password and Security" or maybe require it for anything under the top level "Apple ID/Name" settings.

Apple doesn't read here in this user-to-user forum for feedback or suggestions. However, you can let them know your thoughts here:


Product Feedback - Apple

