Before you turn your phone into Fort Knox, let us walk you through each option and help you decide if you need these features.
Security keys: it is better not to lose the dongles
By now you should know how important it is to enable two-factor authentication for all sensitive accounts (if you don’t know how to do this, start here). This extra layer of security sits on top of your password and means you get a code – via app or text – which you enter to confirm your identity.
A physical security key is the next level up and replaces security codes. These are small dongles that usually look like thumb drives and connect to your device through a port, via near field communication (known as NFC) or by displaying a code that you enter manually. If you have this key, it confirms to the other party that you are who you claim to be.
Why it exists: There are certain hacks – technical and through regular trickery like phone calls – that can be used to steal your text-based two-factor authentication codes and break into your accounts. By relying on a physical device for this second form of confirmation, security keys reduce the risk of someone breaking into your accounts.
How to activate it: First, buy two security keys. Apple supports FIDO-certified keys, and the most well-known manufacturer is Yubico, which sells options that can plug into an iPhone’s Lightning port. To pair them with your phone, make sure you’re using iOS 16.3, then go to Settings → Your account (your name at the top of the screen) → Password and security → Add security keys, then follow the instructions.
Who it is for: Security keys are not necessary for most iPhone users. They are typically used by people considered to be at higher risk of targeted attacks, such as attempts to break into their social networks or cloud accounts. Apple specifically names celebrities, journalists, and government workers as its target audience.
Many non-famous people are at risk of being targeted by these types of attacks, says Cooper Quintin, a senior public interest technologist with the digital rights advocacy group the Electronic Frontier Foundation. Examples include people who have access to material information, such as executives or system administrators of large corporations; activists in countries with weak freedom of expression and media protections; and anyone concerned about a stalker or violent partner.
Many non-public people also find the keys easier to use than tons of text codes.
But one reason not to switch to physical security keys, says Caroline Wong, director of strategy at cybersecurity testing firm Cobalt, is that keys are something you need to keep track of, and they can be lost, locking you out of your accounts. (That’s why Apple requires you to have two keys and advises you to store them in separate places, in case one is lost or stolen.)
“If you have it on you, so much the better. If you don’t, then you’re out of luck. For the average consumer, this is a bigger issue than using SMS two-factor authentication,” Wong says. “For your average user, it’s completely unnecessary. If you’re Joe Biden or Taylor Swift, then yes, you should probably do those things.”
Advanced Data Protection: more encryption
This new feature increases the types of data that will be end-to-end encrypted by Apple, which means that when data is stored in iCloud, it cannot be accessed in the event of a data breach, or by Apple itself at the request of a government or even of the user. Advanced Data Protection was launched in the US last year, but with this iOS update, it will be available to everyone around the world. Some types of data were already end-to-end encrypted, like your health data, but this feature adds device backups, message backups, iCloud Drive, Notes, and Photos. (Your Mail and Contacts app data is not included.)
Why it exists: In the event of a breach in the cloud, criminals would not be able to access the majority of the data you have stored there. It also prevents Apple from being forced to hand over iCloud data such as Messages conversation backups at the request of governments or law enforcement, as the company has no way of accessing this information. While Security Keys protect you from targeted attacks, Advanced Data Protection is more of a defense against major breaches.
How to activate it: Make sure you’re using iOS 16.3, then go to Settings → Your Account (your name at the top of the screen) → iCloud → Advanced Data Protection. Make sure to set up account recovery here. It lets you add a recovery contact (a family member, for example) and get a 28-character recovery key. These will help you access your account if something goes wrong. Next, go back and tap to enable advanced data protection.
Who it is for: Anyone can enable this feature for added peace of mind, but you should be prepared for the added responsibility. If you lose access to your devices and recovery options, Apple has no way to access your data for you. However, you will not notice any day-to-day differences as an iPhone user.
“Advanced Data Protection is absolutely worth enabling,” says EFF’s Quintin. “Apple has done a great job of creating several ways to recover your account so you don’t lose access to your data.”
Lockdown Mode: not for everyone
Apple recently added an option called Lockdown Mode specifically for its most high-risk and high-profile iPhone users. It restricts a variety of apps and features to minimize ways outside attackers could compromise your device, especially through vulnerabilities that Apple itself has yet to discover. Use it only if you have legitimate reasons to be concerned about targeted attacks and the security of your devices, as the setting comes with some big trade-offs. For example, it blocks many attachments and some websites may not work.
Things everyone should do to stay safe
Enabling Advanced Data Protection or using a security key are great options you should consider depending on your level of risk. However, there are more important security measures everyone should take.
- Update your software: Unknown software vulnerabilities can be exploited by criminals. Update your phone and computer operating systems as soon as new versions are available, and turn on automatic updates for any apps you use.
- Have strong passwords: Use unique, strong, and long passwords for all your accounts, including Apple and Google, all social media, and anything related to finances. The best passwords can be impossible to remember, so consider using a password manager like 1Password or Dashlane.
- Enable Two-Factor Authentication: Enable it for anything that will allow it, including your smartphone, Facebook profile, bank account, and Google Docs account where you write down all your hopes and dreams.