Before you turn your phone in to Fort Knox, let us walk you through each option and help you decide if you need these features.
Security keys: Dongles you better not lose
By now you should know how important it is to turn on two-factor authentication for all sensitive accounts (if you do not know how to do that, start here). This extra layer of security is additional to your password and means you get a code — through an app or text message — that you enter to confirm your identity.
A physical security key is the next level up and replaces security codes. These are little dongles that typically look like thumb drives and connect to your device through a port, over near-field communication (known as NFC) or by showing a code you manually enter. If you have this key, that confirms to the other party that you are who you claim to be.
Why it exists: There are certain hacks — technical and through regular trickery like phone calls — that can be used to steal your text-based two-factor authentication codes and break into your accounts. By having you rely on a physical device for that second form of confirmation, security keys cut down on the risk that someone can break into your accounts.
How to turn it on: First, purchase your two security keys. Apple supports FIDO certified keys, and the most well known maker is Yubico, which sells options that can plug into an iPhone’s Lightning port. To pair them with your phone, make sure you are running iOS 16.3 and then go to Settings → Your account (your name on top of the screen) → Password & Security → Add Security Keys, then follow the prompts.
Who it’s for: Security keys are not necessary for most iPhone users. They’re typically used by people who are considered higher risk for targeted attacks, such as people trying to break into their social media or cloud accounts. Apple specifically names celebrities, journalists and government employees as its target audience.
Many non-famous people are at risk of being targeted for these types of attacks, says Cooper Quintin, a senior public interest technologist at the digital rights group the Electronic Frontier Foundation. Examples include people who have access to important information; those include leaders or system administrators at big companies, activists in countries where freedom of speech and media protections are weak, and anyone concerned about a stalker or abusive partner.
Many nonpublic people also find the keys easier to use than tons of texted codes.
But one reason not to switch to physical security keys, says Caroline Wong, the chief strategy officer at the cybersecurity testing company Cobalt, is that the keys are something you need to keep track of, and they can be lost, locking you out of your accounts. (That’s why Apple requires you to have two keys and says to store them in separate places, in case one is lost or stolen.)
“If you’ve got it on you, great. If you don’t, then you’re out of luck. For the average consumer, that’s a bigger problem than using SMS two-factor authentication,” Wong says. “For your average user, it’s completely unnecessary. If you are Joe Biden or Taylor Swift, then, yeah, you should probably do these things.”
Advanced Data Protection: More encryption
This new feature increases the types of data that will be end-to-end encrypted by Apple, meaning that when data is stored on iCloud, it cannot be accessed in a data breach, or by Apple itself when requested by a government or even the user. Advanced Data Protection was launched in the United States last year, but with this iOS update, it will be available to everyone globally. Some types of data already were end-to-end encrypted, like your health data, but this feature adds device backups, messages backups, iCloud Drive, notes and photos. (Your Mail and Contacts app data is not included.)
Why it exists: If there is a cloud breach, the criminals would not be able to access the majority of the data you have stored there. It also prevents Apple from being forced to hand over iCloud data like backups of Messages conversations when requested by governments or law enforcement, since the company has no way to access that information. While security keys protect you from targeted attacks, Advanced Data Protection is more of a defense against big breaches.
How to turn it on: Make sure you are running iOS 16.3 and then go to Settings → Your account (your name on top of the screen) → iCloud → Advanced Data Protection. Make sure you set up Account Recovery here. It lets you add a recovery contact (a family member, for example) and get a 28-character recovery key. These will help you get access to your account if something happens. Then, go back and tap to turn on Advanced Data Protection.
Who it’s for: Everyone can turn this feature on for added peace of mind, but you should be prepared for an increased amount of responsibility. If you lose access to your devices and your recovery options, Apple has no way of accessing your data for you. However, there won’t be any day-to-day differences that you notice as an iPhone user.
“Advanced Data Protection is absolutely worth turning on,” EFF’s Quintin says. “Apple has done a pretty good job of making multiple ways to recover your account so you don’t lose access to your data.”
Lockdown Mode: Not for everyone
Apple recently added an option called Lockdown Mode specifically for it’s most high-risk, high-profile iPhone users. It limits a variety of apps and features to minimize ways that outside attackers could compromise your device, specifically through vulnerabilities Apple itself hasn’t discovered yet. Do not use this unless you have legitimate reasons to be worried about targeted attacks and your devices’ security, as the setting comes with some big trade-offs. For example, it blocks many message attachments, and some websites may not work.
Things everyone should do to stay secure
Turning on Advanced Data Protection or using a security key are great options you should consider based on your level of risk. However, there are some more important security steps everyone should take.
- Update your software: Unknown software vulnerabilities can be exploited by criminals. Update your phone and computer operating systems as soon as new releases are out, and turn on automatic updates for any applications you use.
- Have strong passwords: Use unique, strong, long passwords for all your accounts, including Apple and Google, all social media, and anything related to finances. The best passwords can be impossible to memorize, so consider using a password manager like 1Password or Dashlane.
- Turn on two-factor authentication: Turn it on for everything that will allow it, including your smartphone, your Facebook profile, your bank account and your Google Docs account where you write all your hopes and dreams.