Apple (AAPL) is upping the ante on user security with three new initiatives that it says will protect everyone from the average consumer to high-value hacker targets like diplomats and human rights activists.
The new security features—Security Keys, iMessage Contact Key Verification, and Advanced Data Protection—will allow you to do things like ensure that whoever you’re chatting with via iMessage is actually who they claim to be and lock down your iCloud account.
“Our security teams work tirelessly to keep users’ data safe, and with iMessage Contact Key Verification, Security Keys, and Advanced Data Protection for iCloud, users will have three powerful new tools to further protect their most sensitive data and communications,” Apple’s senior VP of software engineering, Craig Federighi, said in a statement.
Apple says that no single hacking incident influenced its decision to create the new security features. In the past, however, organizations like NSO Group have sold software that was then used by governments to break into dissidents’ iPhones. The hope is that these improved security measures will significantly cut back on such attacks.
Security Keys, which will be available globally in 2023, ensure that you’re the only person who can log into your iCloud account by requiring that you use both your password and a physical key to access the service. Standard versions of two-factor authentication let you log into your account by entering your password and then approving the move via text message or a secondary app.
But sophisticated hacking operations can use things like spear phishing attacks to gain access to your secondary apps. In some instances, hackers are able to clone victims’ SIM cards, giving them the ability to receive confirmation texts required to sign into accounts protected by two-factor authentication.
With Security Keys, you’ll need to connect an actual key to your iPhone, iPad, or Mac that’s tied to your account to approve your login. The idea is that by requiring a user to use a physical hardware key, Apple is eliminating the possibility that a hacker who stole a user’s secondary app password or cloned their SIM card can get into their victim’s account.
The only way to get around the hardware key is to physically steal it from the victim. And since hackers generally want to be as discreet as possible, a real-world confrontation with someone is likely out of the question.
In addition to Security Keys, Apple is rolling out iMessage Contact Key Verification. The feature, which will be available globally next year, is specifically meant for the kind of nation-state hacks in which attackers gain entry to the servers that route iMessage messages across the web. While iMessage is end-to-end encrypted, Apple says that well-funded hackers could access routing servers and spy on individuals’ iMessages.
To prevent that, iMessage Contact Key Verification provides a pop-up at the bottom of your iMessage conversation telling you that an unauthorized device has been added to the account of the person you’re chatting with.
If you want to make sure you’re speaking to the correct person from the start of the conversation, you can also compare your Contact Verification Codes to determine whether your contact is who they claim to be. Apple says you can share each other's codes in person, over FaceTime, or another secure calling service.
Finally, there’s Advanced Data Protection for iCloud. Launching in the U.S. this year and globally in early 2023, the security option is meant to ensure that your iCloud data is only accessible through your device. Currently, data you save in iCloud is encrypted, but Apple holds on to a separate decryption key so that if you get locked out of your account, the company can help you get back in.
Now Apple is giving you the ability to take those keys back, ensuring that the only way to gain access to things like your iCloud backup, photos, notes, and health data is via your own device. The purpose of all of this is to ensure that even in the event that Apple’s iCloud servers are hacked, your data won’t be accessible, since you’re the only person with the keys to unlock it. To hackers, it will simply look like an unintelligible mess.
Here’s the rub, though. If Apple doesn’t have access to your keys, you won’t be able to turn to the company to regain access to your iCloud account if you’re ever locked out. In that case, you’ll need to set up a method to recover the account, such as a recovery passcode you write down and keep at home or a contact you can reach out to for help.
Got a tip? Email Daniel Howley at firstname.lastname@example.org. Follow him on Twitter at @DanielHowley.