How to use Apple’s advanced iCloud security tools

Apple recently rolled out new iCloud security features that could help protect mobile professionals when they’re on the road. The features include better iCloud data security, improved iMessage security, and more.


Here is how to use these new iCloud protections.


Secure your digital assets

No one should doubt that protecting personal or enterprise data has become more important than ever. Apple introduced Lockdown Mode for iCloud in 2022, following this up with even more protections in December and, most recently, introducing free privacy and security sessions in Apple retail stores in 2023.

The December collection of iCloud privacy protection tools includes:

  • Advanced Data Protection for iCloud (available today in some locations).
  • iMessage Contact Key Verification (set to debut later this year).
  • Security Keys for Apple ID.

What do they do, and how do you use them?


Advanced Data Protection for iCloud


What it is

Apple has always encrypted some of the information you store in iCloud to protect it from prying eyes. With the introduction of iOS 16.3 and macOS 13.2, it locked things down even further, protecting more categories of information and making it possible to decrypt that data only on trusted devices. The caveat is that once you put Advanced Data Protection for iCloud in place, you must also set up an alternate recovery method (device passcode, recovery contact or recovery key) in case you lose access to your account, as Apple cannot help you when you enable protection at this level.

Advanced Data Protection for iCloud encrypts the following additional sets of data that are not otherwise protected: device backups, Messages backups, iCloud Drive, Photos, Notes, Siri Shortcuts, Safari Bookmarks, Reminders, Voice Memos, and Wallet Passes. These join the 14 categories of data iCloud has always encrypted, including Keychain and Health data.

Mail, Contacts, and Calendar remain unprotected, as they need to interoperate with other systems.


How to use it

  1. You need to opt in to use Advanced Data Protection for iCloud. In part, this is because you must also create a recovery method when you do; Apple is unable to create that for you.
  2. As noted, recovery methods include your device password, a recovery contact, or a recovery key. Advanced Data Protection for iCloud will not be initiated until you create that recovery method.
  3. You must first update all the devices you have registered to iCloud to the latest iterations of the operating system. In the event you cannot do so, you will need to remove them from your account, as they will be unable to support encryption.
  4. To set this up, open iCloud > Advanced Data Protection and turn it on. You will be asked to create a Recovery Contact or Recovery Key to use if you lose access to your account.
  5. The recovery key is a 28-character code that must be kept in a very safe place. You may never need that code, but if you do, you want to ensure you know where it is. You also never want it to fall into the wrong hands.
  6. Once you have created your recovery method and enabled Advanced Data Protection for iCloud, all your information will be heavily encrypted and become far more secure. If you choose to switch it off, your device will upload the encryption keys to Apple’s servers and return to iCloud’s usual standard protection.


iMessage Contact Key Verification


What it is

iMessages between Apple users have always been end-to-end encrypted, which makes man-in-the-middle surveillance of messages very difficult: without the decryption key, the messages are gibberish until decoded. It isn’t impossible to decode these messages, of course, but it is very complex and expensive, and most people don’t need to worry about being targeted in such a way.

But some do. Think about journalists, human rights activists, high-value business users, ministers, and others whose communications may have significant importance.

iMessage Contact Key Verification is for just these users. It will alert them if it suspects a messaging session is being spied on. The feature also offers users the chance to compare a Contact Verification Code in person, on FaceTime, or through another secure call.


How to use it

Details on this feature are not yet available. It’s possible it will be enabled in System Settings > Password & Security, where a setting will be added.


Security Keys for Apple ID


What it is

Some of the most secure entities in business or government use hardware-based security keys to protect critical services, data, or access to information. As Computerworld readers likely know, these consist of actual hardware, a dongle, that acts as the key. It basically has a unique identifier and contains a digital cryptographic key required to open the account. When this kind of protection is in place, a user must be in possession of the key, physically connected to the system they wish to use, and must enter a passcode.

That level of protection is now available to iCloud and means users must have both a hardware key and passcode to access data protected by their Apple ID.

Apple explains it as an optional feature designed particularly for high-value targets who need additional protection against phishing or social engineering attacks.


How it works

If you enable this feature, two things happen: The first is that each time you access your account, you will need your security key to complete the process; the second is that as you try to set up a new device, you’ll no longer receive a 2FA code to authorize access; instead you’ll need to use your key. This makes you more secure, as it means others cannot try to phish you or use stolen devices to access your account, and it means you won’t have to use sometimes insecure SMS messages.
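
The phishing resistance described above comes from the key signing a one-time challenge together with the site origin the browser reports, so a sign-in started on a lookalike site is useless at the real one. The sketch below is an added example, not Apple's code and not part of the original article: a simplified model of FIDO-style sign-in in Node.js. The origins, function names and result strings are assumptions made for illustration, and real FIDO messages carry more fields.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed origins for this example only.
const REAL_ORIGIN = 'https://account.example';
const LOOKALIKE_ORIGIN = 'https://account-example.test';

// Enrolment: the key keeps the private half, the service stores the public half.
function registerKey() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  return { authenticator: { privateKey }, server: { publicKey } };
}

// Sign-in: the browser (not the page) supplies the origin, and the key signs
// the service's challenge together with that origin.
function signAssertion(authenticator, challenge, browserOrigin) {
  const clientData = JSON.stringify({ challenge: challenge.toString('base64url'), origin: browserOrigin });
  const signature = nodeCrypto.sign('sha256', Buffer.from(clientData), authenticator.privateKey);
  return { clientData, signature };
}

// The service accepts only a valid signature over its own fresh challenge and its own origin.
function verifyAssertion(server, expectedChallenge, assertion) {
  const signed = Buffer.from(assertion.clientData);
  if (!nodeCrypto.verify('sha256', signed, server.publicKey, assertion.signature)) return 'bad-signature';
  const data = JSON.parse(assertion.clientData);
  if (data.challenge !== expectedChallenge.toString('base64url')) return 'wrong-challenge';
  if (data.origin !== REAL_ORIGIN) return 'wrong-origin';
  return 'accepted';
}

// Four outcomes: a direct sign-in, one made on a lookalike origin, the same with
// the origin rewritten afterwards, and an old assertion against a new challenge.
function demo() {
  const { authenticator, server } = registerKey();
  const challenge = nodeCrypto.randomBytes(32);
  const direct = signAssertion(authenticator, challenge, REAL_ORIGIN);
  const viaLookalike = signAssertion(authenticator, challenge, LOOKALIKE_ORIGIN);
  // Rewriting the origin after signing invalidates the signature.
  const edited = { ...viaLookalike, clientData: viaLookalike.clientData.replace(LOOKALIKE_ORIGIN, REAL_ORIGIN) };
  return {
    direct: verifyAssertion(server, challenge, direct),
    viaLookalike: verifyAssertion(server, challenge, viaLookalike),
    edited: verifyAssertion(server, challenge, edited),
    stale: verifyAssertion(server, nodeCrypto.randomBytes(32), direct),
  };
}

console.log(demo());
```

A six-digit code typed into the wrong site has no such binding, which is why the key replaces it rather than supplementing it.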

The bad thing?

If you lose your key, things will get weird. (Apple will require you to set up two FIDO Certified keys to use this service, the idea being that you keep one as a spare. You may link up to six keys to your account.) You also need to enable 2FA on your account, and to sign into devices like Apple Watch or HomePod you also need an iPhone or iPad that supports the key.

In other words, while the protection is robust, you must really want to use it.

There are other limitations, too: you won’t be able to use iCloud for Windows, won’t be able to sign into older devices, and the protection doesn’t work with Managed Apple IDs. That last limitation may be a deal breaker for any company that relies on managed environments.

  • You create these keys in System Settings > Password & Security > Security Keys (Mac), or Settings > Password & Security > Add Security Keys (iOS/iPad OS).
  • A dialog appears to explain what these keys do and asks you to add the keys. It requires you to have two compatible keys to set this protection up. If you lose both keys, Apple cannot help you regain access to your account.
  • If you have not used any of your devices for 90 days or more, you will need to sign out of these.
  • You’ll be asked to connect each key for setup.

Apple has a tech note with more information about how to use these keys; it’s available here.

