Apple's iPadOS 16.3 is out with support for security keys

Posted:
in iPad
Apple has released iPadOS 16.3 to the public with support for physical security keys that can add another layer of protection for Apple ID.

iPadOS 16.3 is out now
iPadOS 16.3 is out now


The iPadOS 16.3 update is is available to download by the public. It is a relatively minor release compared to iPadOS 16.2 with its most significant feature being support for security keys.

After a long beta cycle with relatively few beta versions, Apple finally revealed that the update would also bring support for the new HomePod. It also expands Advanced Data Protection to countries outside of the United States.

iPadOS 16.3 releases alongside iOS 16.3, macOS 13.2, and the other operating system updates. The releases are mostly focused on bug fixes and performance improvements.



{"@context":"https://schema.org/","@type":"VideoObject","name":"Everything NEW in iOS 16.3 for iPhone & iPad! Now Available!","description":"Here are all the new features coming to your iPhone and iPad with iOS 16.3 and iPadOS 16.3!","thumbnailUrl":"https://i.ytimg.com/vi/FlmqwjpmPKg/sddefault.jpg","uploadDate":"2023-01-23T18:10:47Z","duration":"PT2M39S","embedUrl":""}

How to install iPadOS 16.3 on the iPad

  • Open the Settings app.
  • Select General.
  • Select Software Update.
  • Select "Update to iPadOS 16.3."
If an iPad is set to automatically update, it will handle downloading and installing iPadOS 16.3 on the user's behalf.

Read on AppleInsider

Comments

  • Reply 1 of 6
    SHKSHK Posts: 20member
    I'm not "getting" the benefit to Security Keys over two factor authentication, which is easy to use and effective.
    I hope AI does a story like "who needs Security Keys" to help me understand it better.
  • Reply 2 of 6
    SHK said:
    I'm not "getting" the benefit to Security Keys over two factor authentication, which is easy to use and effective.
    I hope AI does a story like "who needs Security Keys" to help me understand it better.

    Depends on the nature of the 2FA.  A text or an email are the worst possible options because of the inherent insecurity of those systems.  An authenticator app is only as good as the entity who created the app.

    A Yubikey is just a number, albeit a moderately long one.  And it never changes.
    dewme
  • Reply 3 of 6
    dewmedewme Posts: 4,647member
    SHK said:
    I'm not "getting" the benefit to Security Keys over two factor authentication, which is easy to use and effective.
    I hope AI does a story like "who needs Security Keys" to help me understand it better.

    Depends on the nature of the 2FA.  A text or an email are the worst possible options because of the inherent insecurity of those systems.  An authenticator app is only as good as the entity who created the app.

    A Yubikey is just a number, albeit a moderately long one.  And it never changes.
    I totally agree that a detailed article about all of the MFA options available to Apple device owners would be greatly appreciated. There are definately some benefits and pitfalls to every available option. For example, if you only use a hardware key and lose the key without having a backup or way to restore you authentication keys to a replacement device, you could be screwed. 
    edited January 23
  • Reply 4 of 6
    dewmedewme Posts: 4,647member
    It would be interesting to see how the security capabilities outlined in the article linked below map to technology and capabilities that Apple is now making available. 


    Obviously the least secure capability is username-password and the most secure capability is associated with the use of hardware security keys like the YubiKey, which Apple now supports. 

    Where does Apple’s PassKey fit? 
    Where do password managers like 1Password fit? Where do hardware keys fit for different types of users? 

    For example, it sounds like Apple allows users to use a properly prepared hardware key to unlock their iCloud account should it get accidentally or intentionally locked. This alone may be reason enough for some users to invest in a couple of hardware keys. 

    Apple seems to have a lot of information in a lot of different places. Unfortunately I haven’t come across a single article that connects more of the dots like the Yubicon article does. 
  • Reply 5 of 6
    JSFJSF Posts: 2member
    SHK said:
    I'm not "getting" the benefit to Security Keys over two factor authentication, which is easy to use and effective.
    I hope AI does a story like "who needs Security Keys" to help me understand it better.
    "Security Keys" are a generic name for FIDO2.  FIDO2 is a strong, phishing resistant form of 2FA/MFA.  The older styles of MFA, OTP for example, use a cyptographic secret that is the same on both sides.  The same secret key is in the Authentication app (google authenticator, for example) AND the back end service.  If that service is compromised and that secret is taken by hackers, they can then login as you.  A hacker can also build a fake site that looks just like the site you are trying to login to and capture your OTP secret to quickly replay and login as you.  That OTP secret is in no way tied to the website you are logging into.  You might be redirected to www.G00GLE.com (instead of www.GOOGLE.com) so that the hacker can intercept your login info.

    FIDO2 is a public/private key cryptographic MFA solution.  That means that the Security Key generates the public and private keys ON The Security Key.  The Public key is sent up to the website and the Private Key is ONLY stored on the security key and can NEVER be exported.  This means that you cannot login without your security key as that private key is only stored on the security key.  This is a MUCH stronger method of MFA.  It can also be PIN protected so that you must enter your PIN to use the Key to login.  IT also is phishing resistant. The web site URL data and AppID is baked into the cryptographic secret so that if you do go to www.G00GLE.com, the authentication will not work.  Again much more secure than the other types of MFA.

    You might have heard of PassKeys.  That is a technology pushed by Apple, Google, and Microsoft that is based on FIDO2.  It is essentially the software version of FIDO.  The public and private keys are generated on your computer or phone.  They are then stored in you iCloud keychain and synchronized across your Apple Devices.  The credentials store in iCloud Keychain are protected by a biometric or a PIN.   Passkeys are a good solution, but I prefer an actual Security Key so that my private keys are secured.  Not that Apple's concept is bad, but if they were hacked the private key MIGHT be exposed to a hacker.

    I hope that makes sense.
    muthuk_vanalingam
  • Reply 5 of 6
    JSFJSF Posts: 2member
    SHK said:
    I'm not "getting" the benefit to Security Keys over two factor authentication, which is easy to use and effective.
    I hope AI does a story like "who needs Security Keys" to help me understand it better.
    There are a number of MFA capabilities that are available.  Most are not really secure and susceptible to Phishing.  SMS Text MFA can be intercepted by a hacker via a number of methods, such as SIM Swapping and by a vulnerability in the SS7 protocol used by almost all Cell Phone technologies. 

    OATH OTP  (Google Authenticator etc.) is susceptible to Phishing and uses older, symmetric cryptography. An end user can be tricked into revealing their login credentials and OTP code by a phishing attempt.  The hacker sends the user a link to a website.  The nend user clicks on the link thinking it's a legitimate site.  But, the hacked set up www.g00gle.com (google with 2 zero's).  When the user clicks on the link and enters their login credentials and OTP, the hacker uses that information to quickly login to www.google.com with that users information.  There is link between the website and the OTP code generated so the user has not check and balance that the site is legitimate.

    Security Keys use the newer FIDO2 technology.  FIDO2 uses asymmetric cryptography.  Think PGP or X.509 Certificates.  There is a public key and a private key that are generated on the Security Key when the user registers it with a service.  The public key is sent up to the service and stored with the User Identity.  The Private key ONLY exists on the Security Key and can NEVER be exported.  We don't care if the public key is exposed as the Private key is required to authenticate and that key is only on the Security Key.  There is also anti-phishing technology built into this process.  When the public/private key pair is generated, a AppID and the URL are used to create the key pair and that info is cryptographically bound to the key pair.  IF you do go to www.g00gle.com, the cryptographic hash won't match and the login will fail.  Currently, FIDO2 is the most secure MFA method available.  Yubico has a great overview of FIDO2 here: WebAuthn (yubico.com) (FIDO2 is the umbrella that consists of both CTAP and WebAuthn)

    You may have heard the phrase that Apple, Google, and Microsoft are pushing, PassKeys.  Passkeys are FIDO technology. Instead of having the private key on a Security key, like a YubiKey, Passkeys store the private key on a phone or computer in a keychain.  Apple, for example, uses iCloud Keychain to store the FIDO private key.  That private key is then synchronized across multiple devices via iCloud sync.  This solves two problems, but introduces potential security issues.  When using a security key, you should register AT LEAST two keys with any service so that if you lose you key, you are not locked out of your account.  The other main issue is that now the user has to ensure that they have a security key with them, incase they need to login again.  If the user does not have their security key with them, they won't be able to login.  Personally I have a YubiKey on my key chain and carry it with me whenever I leave the house.

    With Passkeys, the main security concern is that the private key is now shared across devices.  This might expose the private key if a hacker got into iCloud.  I prefer to use a Security Key as I err on the side of caution.  I might use PassKeys for lower value accounts, but will always use a Security key for my email accounts and my financial accounts (AND my iCooud account...).

    Over all, Security Keys are a easy to use and very secure method of MFA.  As Passkeys are built in FIDO technology, the are a reasonable solution as well.  

    Sorry for writing a novel.  Hopefully that helped.
    muthuk_vanalingam
Sign In or Register to comment.