Apple has added advanced data protection for iCloud with end-to-end security to its devices. You also have the option to use hardware security keys.
By using hardware security keys, you no longer have to retype the 6-digit two-factor verification codes that you receive via a text message or special app. But there’s more: you can also choose to use a hardware key with the new advanced security layer in iCloud.
Two-factor Apple ID authentication with security keys
Since iOS 16.3 and macOS Ventura 13.2, users can enhance the security of their Apple ID and iCloud account protection using hardware security keys. This means you have a physical hardware device that you can set up to use as the second layer of two-factor authentication for an account.
A “hardware security key” is a physical device used to verify two-factor authentication (2FA) when logging into an account or performing secure transactions. It works by generating a unique code that can only be read on the device and must be entered during a login or transaction. This helps to increase account security and prevent cybercriminals from accessing an account via stolen passwords. If you use such a key, you no longer have to retype 2FA codes.

Safari has now received support for the new protocol. This allows you to use the key to log in to a website that requires two-factor authentication (2FA). In addition, all Apple verifications can be performed using the security key.
The security keys often take the form of a USB dongle that can be connected to a computer. There are also those that can connect wirelessly to a device via NFC or Bluetooth (BLE).
A security key must be a FIDO Certified security key. Several suppliers offer such hardware keys; one of the best known is probably Yubico. This company has several models available with USB-C, an NFC connection and a special Lightning key for iPhones.
Add physical security keys to your Apple ID
To take advantage of advanced data protection, you need two compatible FIDO security keys. This ensures that you can always log in to your account, even if you lose one. Keep the keys separate and in a safe place. If you lose the keys, Apple will no longer be able to help you access your account.
- Open the Settings app and tap your profile at the top.
- Go to Password & Security.
- Scroll down to find ‘Add security keys’.

On the next screen, tap “Add Security Keys” and follow the on-screen instructions. On a Mac you can add these via System Settings ▸ your name ▸ Password & Security ▸ Add Security Keys.
Advanced data protection for iCloud
Users of Apple devices have had very high data security through ‘Data Protection’ for years. This advanced file encryption system is built into iPhone, iPad and Mac as standard. Advanced data protection will be added from iOS 16.3 and macOS Ventura 13.2.
This allows users to protect almost all of their confidential iCloud data with end-to-end encryption (E2EE). End-to-end encryption is a security method that encrypts information before it is sent. Only the recipient can decipher and read the information. This makes the information readable only by the sender and the recipient, and not by third parties, not even by the service provider that sends or stores the information.

If you choose the new advanced data protection, most iCloud data is also protected in the event of a data breach in the cloud.
By default, iCloud protects fourteen categories of confidential data through end-to-end encryption. This includes iCloud Keychain passwords and Health app data. If you choose advanced data protection, a total of twenty-three categories of data are protected by end-to-end encryption. This includes iCloud backup, notes, and photos.
The only major iCloud data categories it doesn’t cover are Mail, Contacts, and Calendar data in iCloud. This is because of the interaction with global email, contacts and calendar systems.
You can also use a physical security key with the new advanced data protection. This allows you to give new devices access to your data only with the security key. This is then no longer possible via a ‘trusted’ device.