by jtdressel 1245 days ago
This is excellent news.

> At least two FIDO® Certified

I'm glad to see that they not only support, but require the use of multiple keys.

> iOS 16.3, iPadOS 16.3, or macOS Ventura 13.3, or later on all of the devices where you're signed in with your Apple ID.

and

> During set up, you're signed out of inactive devices, which are devices associated with your Apple ID that you haven't used or unlocked in more than 90 days. To sign back into these devices, update to compatible software and use a security key. If your device can't be updated to compatible software, you won't be able to sign back in.

I'm not ready to set this up, since I still use a few Big Sur and Monterey machines.


> If your device can't be updated to compatible software, you won't be able to sign back in.

Unless there will be a warning when adding the keys, this can lead to many support requests from users who did not read this part.

There was a warning when turning on Advanced Data Protection. It wouldn't let you continue until all the devices signed into iCloud were updated.
Nice. Great to hear that it's built the way it should be!
They've been pretty good about this in the past, with iCloud E2EE my phone refused to let me enable it without updating all associated devices.
How has this feature been working for you? It's apparently not available in my country, but I'm looking forward to trying it.
Haven't noticed any difference except the process to access iCloud on the web is a little different, overall it works great across all my devices.
I haven't noticed a difference. Enabling icloud.com and giving it even temporary keys seems like quite the downside, so I didn't try that.
It wasn't available in my country (UK) yesterday, but I just checked after updating to 16.3 and it now says I can enable it.
> I'm not ready to set this up, since I still use a few Big Sur and Monterey machines.

Yeah, being unable to use iCloud on Windows is a big show-stopper for me right now. I appreciate what Apple software we get on Windows, and I've heard the Windows 11-only previews of updated Apple software are getting pretty good now. (I don't have Windows 11, so I can't try them for myself.) But I'm very aware they are always going to lag a bit compared to their i-device and macOS versions. Including, apparently, on security support.

>I'm glad to see that they not only support, but require the use of multiple keys.

Yes, and also that they support up to 6 of them. That's a very solid number enabling a lot of decent (if basic) backup practices. A number of keys for regular use, a few put in a safe deposit box or safe or the like. Or if (as I'd assume) keys can be reused between accounts, then a family could each have a key, with all keys registered to all accounts, and then 1 or 2 in a safe spot as backup. Everyone still is protected by their password, but if they lose keys/devices then any other family member could be their live backup (and having the majority of keys constantly under control and in active use is good in terms of immediately noticing if one is lost or breaks and so on).

While I know it's definitely not Apple to add extra complexity, it'd be cool if they leveraged this a bit further even. It would be neat, for example, to support m-of-n restore, where if key/password are lost (somebody dies in an accident, for example) then any 4 of 6 (or 3 of 6, or whatever) remaining keys can be used to get access. That would be a useful hedge, while not needing to offer unlimited trust to any single person (there could also be a few other safety measures, like it taking a week and sending the account owner alerts in the meantime).

>During set up, you're signed out of inactive devices, which are devices associated with your Apple ID that you haven't used or unlocked in more than 90 days. To sign back into these devices, update to compatible software and use a security key. If your device can't be updated to compatible software, you won't be able to sign back in.

My only real disappointment with this is that Apple didn't implement some sort of "Purchases Only"/"iCloud Lite" functionality for old devices. I've still got an iPhone 6 and a few others because a lot of cool apps (both productivity and games) I love were dropped by iOS quite a long time ago. The devices are dedicated app runners, no communications, no syncing needed, but not having them attached to the same Apple ID means the old purchases would all be gone, which kinda negates the point. And you can't transfer purchases between IDs, nor purchase now-gone apps, so there isn't any way to just set up a new one, not even for money. Maybe it's possible to remove them from the iCloud side while they have WiFi disabled and then keep them offline forever? Still, kinda shitty :(. Though perhaps that's more a symptom of continued from-the-start weaknesses in the Apple ID system. Not being able to move and consolidate purchases has been a huge damn stupid thorn in people's sides almost since it became possible to start purchasing stuff with them.
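
A sketch of the m-of-n restore the comment above wishes for, as an added example that is not an Apple feature and not the commenter's code: Shamir secret sharing in Python, where a recovery secret is split into 6 shares and any 4 of them reconstruct it, while 3 do not. The 16-byte recovery key and the 4-of-6 parameters are constructed for illustration; the thread says nothing about how Apple would bind such shares to hardware keys, and the week-long delay and owner alerts the comment suggests are not modelled here.

```python
"""Shamir m-of-n secret sharing over a prime field (added example).

Not Apple's code or the commenter's: an illustration of "any 4 of 6
remaining keys can restore access". The recovery key below is a
constructed sample; storing one share per hardware key is an assumption.
"""
import secrets

# Modulus for all arithmetic: the Mersenne prime 2**521 - 1. Any secret of
# up to 64 bytes is strictly smaller than P, so it maps to one field element.
P = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, mod P, via Horner."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: int, threshold: int, n: int):
    """Split `secret` into n shares; any `threshold` of them reconstruct it.

    Returns (x, y) points on a random polynomial of degree threshold-1
    whose constant term is the secret. Fewer than `threshold` points leave
    the constant term uniformly undetermined.
    """
    if not 0 <= secret < P:
        raise ValueError("secret must be in [0, P)")
    if not 1 <= threshold <= n:
        raise ValueError("need 1 <= threshold <= n")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the sharing polynomial at x = 0.

    With too few shares this still returns a value, but a meaningless one,
    so callers must verify the result against something they trust.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj == xi:
                continue
            num = num * (-xj) % P          # product of (0 - xj)
            den = den * (xi - xj) % P      # product of (xi - xj)
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def split_recovery_key(key: bytes, threshold: int, n: int):
    """Share a byte-string recovery key (at most 64 bytes for this field)."""
    if len(key) > 64:
        raise ValueError("key too long for this field")
    return split_secret(int.from_bytes(key, "big"), threshold, n)


def recover_recovery_key(shares, length: int):
    """Rebuild a key of `length` bytes, or None if the value cannot be one.

    The length check only catches the overwhelmingly common failure with
    too few shares; a real design would also verify a stored commitment.
    """
    value = recover_secret(shares)
    if value >= 1 << (8 * length):
        return None
    return value.to_bytes(length, "big")


def demo(threshold: int = 4, n: int = 6) -> dict:
    """Run the 4-of-6 scenario and report which subsets recover the key."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample
    shares = split_recovery_key(key, threshold, n)
    rebuilt = recover_recovery_key(shares[1:1 + threshold], len(key))  # 4 of 6
    partial = recover_recovery_key(shares[:threshold - 1], len(key))   # only 3
    return {
        "shares": n,
        "threshold": threshold,
        "exact_threshold_recovers": rebuilt == key,
        "below_threshold_recovers": partial == key,
    }


if __name__ == "__main__":
    print(demo())
```

The interesting property for the "no unlimited trust in any single person" point is that a below-threshold group learns nothing: the polynomial's constant term is equally consistent with every possible secret until the fourth share arrives, which is why the partial reconstruction in `demo()` yields garbage rather than a partially correct key.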

I found something of a solution to the latter problem. If you have an Apple One Family Plan and an empty slot, you can just create a legacy user with a new Apple ID and add it as a family member. This account will inherit all the purchases and subscriptions, but it can have a different security policy.
Can you not just sign into the iTunes Store without signing into iCloud? They’ve always supported that for legacy users that shared a single Apple ID for all their purchases with their family.
Nope. With E2EE, and I believe with Security Keys, you must be running a supported OS on supported hardware or you can’t sign in with your Apple ID for anything.
Any confirmation if keys can be reused between accounts?
For some reason that says macOS Ventura 13.3, which doesn't seem to be available: 13.2 was released yesterday. But 13.2 does allow adding keys.
I really wish iOS devices had FIDO (etc) built in. I wish I could use my other iDevices as a FIDO device.
FIDO® Certified what? CTAP2? Apple doesn't seem to say.
Looking at the Apple ID JS source code, they support both CTAP2 and U2F.
There are reports on Apple support pages¹ and elsewhere² that the 'blue' series YubiKey doesn't work.

¹ https://discussions.apple.com/thread/254582672

² https://www.reddit.com/r/yubikey/comments/10jll3q/security_k...

Doesn’t support native smart card (PIV) mode.