Apple's iPadOS 16.3 is out with support for security keys

Apple has released iPadOS 16.3 to the public with support for physical security keys that can add another layer of protection for Apple ID.

iPadOS 16.3 is out now


The iPadOS 16.3 update is available to download by the public. It is a relatively minor release compared to iPadOS 16.2, with its most significant feature being support for security keys.

After a long beta cycle with relatively few beta versions, Apple finally revealed that the update would also bring support for the new HomePod. It also expands Advanced Data Protection to countries outside of the United States.

iPadOS 16.3 releases alongside iOS 16.3, macOS 13.2, and the other operating system updates. The releases are mostly focused on bug fixes and performance improvements.




How to install iPadOS 16.3 on the iPad

  • Open the Settings app.
  • Select General.
  • Select Software Update.
  • Select "Update to iPadOS 16.3."
If an iPad is set to automatically update, it will handle downloading and installing iPadOS 16.3 on the user's behalf.


Comments

  • Reply 1 of 6
    SHK Posts: 25 member
    I'm not "getting" the benefit to Security Keys over two factor authentication, which is easy to use and effective.
    I hope AI does a story like "who needs Security Keys" to help me understand it better.
  • Reply 2 of 6
    SHK said:
    I'm not "getting" the benefit to Security Keys over two factor authentication, which is easy to use and effective.
    I hope AI does a story like "who needs Security Keys" to help me understand it better.

    Depends on the nature of the 2FA.  A text or an email are the worst possible options because of the inherent insecurity of those systems.  An authenticator app is only as good as the entity who created the app.

    A Yubikey is just a number, albeit a moderately long one.  And it never changes.
    dewme
  • Reply 3 of 6
    dewme Posts: 5,371 member
    SHK said:
    I'm not "getting" the benefit to Security Keys over two factor authentication, which is easy to use and effective.
    I hope AI does a story like "who needs Security Keys" to help me understand it better.

    Depends on the nature of the 2FA.  A text or an email are the worst possible options because of the inherent insecurity of those systems.  An authenticator app is only as good as the entity who created the app.

    A Yubikey is just a number, albeit a moderately long one.  And it never changes.
    I totally agree that a detailed article about all of the MFA options available to Apple device owners would be greatly appreciated. There are definitely some benefits and pitfalls to every available option. For example, if you only use a hardware key and lose the key without having a backup or way to restore your authentication keys to a replacement device, you could be screwed. 
    edited January 2023
  • Reply 4 of 6
    dewme Posts: 5,371 member
    It would be interesting to see how the security capabilities outlined in the article linked below map to technology and capabilities that Apple is now making available. 


    Obviously the least secure capability is username-password and the most secure capability is associated with the use of hardware security keys like the YubiKey, which Apple now supports. 

    Where does Apple’s PassKey fit? 
    Where do password managers like 1Password fit? Where do hardware keys fit for different types of users? 

    For example, it sounds like Apple allows users to use a properly prepared hardware key to unlock their iCloud account should it get accidentally or intentionally locked. This alone may be reason enough for some users to invest in a couple of hardware keys. 

    Apple seems to have a lot of information in a lot of different places. Unfortunately I haven’t come across a single article that connects more of the dots like the Yubico article does. 
  • Reply 5 of 6
    JSF Posts: 2 member
    SHK said:
    I'm not "getting" the benefit to Security Keys over two factor authentication, which is easy to use and effective.
    I hope AI does a story like "who needs Security Keys" to help me understand it better.
    "Security Keys" are a generic name for FIDO2.  FIDO2 is a strong, phishing resistant form of 2FA/MFA.  The older styles of MFA, OTP for example, use a cryptographic secret that is the same on both sides.  The same secret key is in the Authentication app (google authenticator, for example) AND the back end service.  If that service is compromised and that secret is taken by hackers, they can then login as you.  A hacker can also build a fake site that looks just like the site you are trying to login to and capture your OTP secret to quickly replay and login as you.  That OTP secret is in no way tied to the website you are logging into.  You might be redirected to www.G00GLE.com (instead of www.GOOGLE.com) so that the hacker can intercept your login info.

    FIDO2 is a public/private key cryptographic MFA solution.  That means that the Security Key generates the public and private keys ON the Security Key.  The Public key is sent up to the website and the Private Key is ONLY stored on the security key and can NEVER be exported.  This means that you cannot login without your security key as that private key is only stored on the security key.  This is a MUCH stronger method of MFA.  It can also be PIN protected so that you must enter your PIN to use the Key to login.  It also is phishing resistant. The web site URL data and AppID is baked into the cryptographic secret so that if you do go to www.G00GLE.com, the authentication will not work.  Again much more secure than the other types of MFA.

    You might have heard of PassKeys.  That is a technology pushed by Apple, Google, and Microsoft that is based on FIDO2.  It is essentially the software version of FIDO.  The public and private keys are generated on your computer or phone.  They are then stored in your iCloud keychain and synchronized across your Apple Devices.  The credentials stored in iCloud Keychain are protected by a biometric or a PIN.   Passkeys are a good solution, but I prefer an actual Security Key so that my private keys are secured.  Not that Apple's concept is bad, but if they were hacked the private key MIGHT be exposed to a hacker.

    I hope that makes sense.
    muthuk_vanalingam
  • Reply 5 of 6
    JSF Posts: 2 member
    SHK said:
    I'm not "getting" the benefit to Security Keys over two factor authentication, which is easy to use and effective.
    I hope AI does a story like "who needs Security Keys" to help me understand it better.
    There are a number of MFA capabilities that are available.  Most are not really secure and susceptible to Phishing.  SMS Text MFA can be intercepted by a hacker via a number of methods, such as SIM Swapping and by a vulnerability in the SS7 protocol used by almost all Cell Phone technologies. 

    OATH OTP  (Google Authenticator etc.) is susceptible to Phishing and uses older, symmetric cryptography. An end user can be tricked into revealing their login credentials and OTP code by a phishing attempt.  The hacker sends the user a link to a website.  The end user clicks on the link thinking it's a legitimate site.  But, the hacker set up www.g00gle.com (google with 2 zeros).  When the user clicks on the link and enters their login credentials and OTP, the hacker uses that information to quickly login to www.google.com with that user's information.  There is link between the website and the OTP code generated so the user has no check and balance that the site is legitimate.

    Security Keys use the newer FIDO2 technology.  FIDO2 uses asymmetric cryptography.  Think PGP or X.509 Certificates.  There is a public key and a private key that are generated on the Security Key when the user registers it with a service.  The public key is sent up to the service and stored with the User Identity.  The Private key ONLY exists on the Security Key and can NEVER be exported.  We don't care if the public key is exposed as the Private key is required to authenticate and that key is only on the Security Key.  There is also anti-phishing technology built into this process.  When the public/private key pair is generated, an AppID and the URL are used to create the key pair and that info is cryptographically bound to the key pair.  If you do go to www.g00gle.com, the cryptographic hash won't match and the login will fail.  Currently, FIDO2 is the most secure MFA method available.  Yubico has a great overview of FIDO2 here: WebAuthn (yubico.com) (FIDO2 is the umbrella that consists of both CTAP and WebAuthn)

    You may have heard the phrase that Apple, Google, and Microsoft are pushing, PassKeys.  Passkeys are FIDO technology. Instead of having the private key on a Security key, like a YubiKey, Passkeys store the private key on a phone or computer in a keychain.  Apple, for example, uses iCloud Keychain to store the FIDO private key.  That private key is then synchronized across multiple devices via iCloud sync.  This solves two problems, but introduces potential security issues.  When using a security key, you should register AT LEAST two keys with any service so that if you lose your key, you are not locked out of your account.  The other main issue is that now the user has to ensure that they have a security key with them, in case they need to login again.  If the user does not have their security key with them, they won't be able to login.  Personally I have a YubiKey on my key chain and carry it with me whenever I leave the house.

    With Passkeys, the main security concern is that the private key is now shared across devices.  This might expose the private key if a hacker got into iCloud.  I prefer to use a Security Key as I err on the side of caution.  I might use PassKeys for lower value accounts, but will always use a Security key for my email accounts and my financial accounts (AND my iCloud account...).

    Overall, Security Keys are an easy to use and very secure method of MFA.  As Passkeys are built in FIDO technology, they are a reasonable solution as well.  

    Sorry for writing a novel.  Hopefully that helped.
    muthuk_vanalingam
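
The difference the last two replies describe between a shared-secret OTP and an origin-bound security key, as an added example (not part of any comment above and not Apple's or Yubico's code). It is a simplified model of a WebAuthn assertion that leaves out flags, the signature counter and per-site credential lookup; the hostnames, challenge, shared secret and key pair are constructed for the demo.

```javascript
const crypto = require('node:crypto');
const sha256 = (d) => crypto.createHash('sha256').update(d).digest();

// TOTP (RFC 6238): the code depends only on the shared secret and the time.
function totp(secret, unixSeconds, digits = 6, step = 30) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(unixSeconds / step)));
  const mac = crypto.createHmac('sha1', secret).update(counter).digest();
  const bin = mac.readUInt32BE(mac[19] & 0x0f) & 0x7fffffff; // dynamic truncation
  return String(bin % 10 ** digits).padStart(digits, '0');
}

// Constructed key pair standing in for the credential made on the key at
// registration; the service stores only publicKey.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Simplified assertion: the browser (not the page) records the origin it
// actually loaded, and the key signs rpIdHash || SHA-256(clientData).
function getAssertion(browserOrigin, challenge) {
  const clientData = JSON.stringify({ type: 'webauthn.get', challenge, origin: browserOrigin });
  const rpIdHash = sha256(new URL(browserOrigin).hostname);
  const signed = Buffer.concat([rpIdHash, sha256(clientData)]);
  return { clientData, rpIdHash, signature: crypto.sign('sha256', signed, privateKey) };
}

// Service-side checks: challenge, origin, rpIdHash, then the signature.
function verifyAssertion(a, expected) {
  const cd = JSON.parse(a.clientData);
  if (cd.challenge !== expected.challenge || cd.origin !== expected.origin) return false;
  if (!a.rpIdHash.equals(sha256(expected.rpId))) return false;
  const signed = Buffer.concat([a.rpIdHash, sha256(a.clientData)]);
  return crypto.verify('sha256', signed, publicKey, a.signature);
}

function demo() {
  const real = { origin: 'https://accounts.example', rpId: 'accounts.example', challenge: 'c-123' };
  const secret = Buffer.from('constructed-shared-secret');
  const typedCode = totp(secret, 1674500000); // same digits on any page
  return {
    otpRelayAccepted: typedCode === totp(secret, 1674500005),
    keyOnRealSite: verifyAssertion(getAssertion(real.origin, real.challenge), real),
    keyViaLookalike: verifyAssertion(getAssertion('https://acc0unts.example', real.challenge), real),
  };
}

console.log(demo());
```

The OTP check passes for a code collected on any page within the time step, while the assertion produced on the lookalike origin fails the service's origin and rpIdHash checks, and rewriting those fields afterwards breaks the signature.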