How to use Apple’s advanced iCloud security tools

Apple recently rolled out new iCloud security features that could help protect mobile professionals when they’re on the road. The features include better iCloud data security, improved iMessage security, and more.

Here is how to use these new iCloud protections.

Secure your digital assets

No one should doubt that protecting personal or enterprise data has become more important than ever. Apple introduced Lockdown Mode for iCloud in 2022, following this up with even more protections in December and, most recently, introducing free privacy and security sessions in Apple retail stores in 2023.

The December collection of iCloud privacy protection tools include:

• Advanced Data Protection for iCloud (available today in some locations).
• iMessage Contact Key Verification (set to debut later this year).
• Security Keys for Apple ID.

What do they do, and how do you use them?

Advanced Data Protection for iCloud

What it is

Apple has always encrypted some of the information you store in iCloud to protect it from prying eyes. With the introduction of iOS 16.3 and macOS 13.2, it locked things down even further, protecting more categories of information and making it possible to decrypt that data only on trusted devices. The caveat emptor is that once you put Advanced Data Protection for iCloud in place, you must also set up an alternate recovery method (device passcode, recovery contact or recovery key) in case you lose access to your account, as Apple cannot help you when you enable protection at this level.

Advanced Data Protection for iCloud encrypts the following additional sets of data that are not otherwise protected: Device backups, Messages backups, iCloud Drive, Photos, Notes, Siri Shortcuts, Safari Bookmarks, Reminders, Voice Memos, and Wallet Passes. These join the 14 categories of data iCloud has always encrypted, including Keychain and Health data.

Mail, Contact, and Calendar remain unprotected, as they need to interoperate with other systems

How to use it

1. You need to opt in to use Advanced Data Protection for iCloud. In part, this is because you must also create a recovery method when you do; Apple is unable to create that for you.
2. As noted, recovery methods include your device password, a recovery contact, or a recovery key. Advanced Data Protection for iCloud will not be initiated until you create that recovery method.
3. You must first update all the devices you have registered to iCloud to the latest iterations of the operating system. In the event you cannot do so you will need to remove them from your account as they will be unable to support encryption.
4. To set this up, open iCloud>Advanced Data Protection and turn it on. You will be asked to create a Recovery Contact or Recovery Key to use if you lose access to your account.
5. The recovery key is a 28-character code that must be kept in a very safe place. You may never need that code, but if you do, you want to ensure you know where it is. You also never want it to fall into the wrong hands.
6. Once you have created your recovery method and enabled Advanced Data Protection for iCloud, all your information will be heavily encrypted and becomes far more secure. If you choose to switch it off then your device will upload the encryption keys to Apple’s servers and return to iCloud’s usual standard protection.

iMessage Contact Key Verification

What it is

iMessages between Apple users have always been end-to-end encrypted, making it very difficult for man-in-the-middle attacks of message surveillance, as without the decryption cipher messages are gibberish until decoded. It isn’t impossible to decode these messages, of course, but it is very complex, expensive, and most people don’t need to worry about being targeted in such a way.

But some do. Think about journalists, human rights activists, high-value business users, ministers, and others whose communications may have significant importance.

iMessage Contact Key Verification is for just these users. It will alert them if it suspects a messaging session is being spied on. The feature also offers users the chance to compare a Contact Verification Code in person, on FaceTime, or through another secure call.

How to use it

Deyails on this feature are not yet available. It’s possible it will be enabled in System Settings>Password & Security, where a setting will be added.

Security Keys for Apple ID

What it is

Some of the most secure entities in business or government use hardware-based security keys to protect critical services, data, or access to information. As Computerworld readers likely know, these consist of actual hardware, a dongle, that acts as the key. It basically has a unique identifier and contains a digital cryptographic key required to open the account. When this kind of protection is in place, a user must be in possession of the key, physically connected to the system they wish to use, and must enter a passcode.

That level of protection is now available to iCloud and means users must have both a hardware key and passcode to access data protected by their Apple ID. Apple explains it as an optional feature designed particularly for high-value targets who need additional protection against phishing or social engineering attacks.

How it works

If you enable this feature, two things happen: The first is that each time you access your account, you will need your security key to complete the process; the second is that as you try to set up a new device, you’ll no longer receive a 2FA code to authorize access; instead you’ll need to use your key. This makes you more secure, as it means others cannot try to phish you or use stolen devices to access your account, and it means you won’t have to use sometimes insecure SMS messages.

The bad thing?

If you lose your key, things will get weird. (Apple will require you to set up two FIDO Certified keys to use this service, the idea being that you keep one as a spare. You may link up to six keys to your account). You also need to enable 2FA on your account, and to sign into devices like Apple Watch or HomePod you also need an iPhone or iPad that supports the key.

In other words, while the protection is robust, you must really want to use it.

There are other limitations, too — you won’t be able to use iCloud for Windows, won’t be able to sign into older devices and the protection doesn’t work with Managed Apple IDs. That last limitation may be a deal breaker for any company that relies on managed environments.

• You create these keys in System Settings>Password & Security>Security Keys (Mac), or Settings>Password & Security>Add Security Keys (iOS/iPad OS).
• A dialog appears to explain what these keys do and asks you to add the keys. It requires you to have two compatible keys to set this protection up. If you lose both keys, Apple cannot help you regain access to your account.
• If you have not used any of your devices for 90 days or more you will need to sign out of these.
• You’ll be asked to connect each key for setup.

Apple has a tech note explaining more information about how to use these keys; it’s available here.

Please follow me on Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.