Apple announced that it has introduced three advanced security features focused on protecting against threats to user data in the cloud.
With iMessage Contact Key Verification, users can verify they are communicating only with whom they intend. With Security Keys for Apple ID, users have the choice to require a physical security key to sign in to their Apple ID account. And with Advanced Data Protection for iCloud, which uses end-to-end encryption to provide a high level of cloud data security, users have the choice to further protect important iCloud data, including iCloud Backup, Photos, Notes, and more.
According to Apple, its Advanced Data Protection feature is its highest level of cloud data security, allowing users to protect highly sensitive data with end-to-end encryption so that it can only be decrypted on trusted devices. The company claims that for most users who opt in, the feature “keeps most iCloud data protected even in the case of a data breach in the cloud.”
Currently, iCloud protects 14 sensitive data categories using end-to-end encryption by default, including passwords in iCloud Keychain and Health data. For users who enable Advanced Data Protection, the total number of data categories protected using end-to-end encryption rises to 23, including iCloud Backup, Notes, and Photos. The only major iCloud data categories that are not covered are iCloud Mail, Contacts, and Calendar because of the need to interoperate with the global email, contacts, and calendar systems.
Melissa Bischoping, Director of Endpoint Security Research at Tanium, says that the option to enable these enhanced security features for the added peace of mind and improved privacy around backups is a welcome improvement. “These features demonstrate a step forward in meeting industry best practices for modern security and privacy. This keeps iMessage and the associated services in iCloud competitive with other privacy-focused messaging solutions. That said, while everyone should plan to enable the feature, it’s also important to understand that this additional level of protection also means it’s harder - or impossible - for you to recover your own data if you do not follow the instructions.”
According to Bischoping, users can leverage these features and ensure data remains safe. “Even if the company holding the data is breached, you have additional assurance that you will not be a secondary victim. I am hopeful that this trend continues, as these protections are essential for reducing the secondary victimization of a service’s users after a data breach.”
Before enabling these settings, “make sure you understand the recovery capabilities and instructions, and treat your recovery keys like you would any sensitive passphrase or identity document,” says Bischoping. “If you choose to store your recovery keys on a computer, only do so with a trusted password manager. It’s a good idea to also keep a secured printed copy somewhere safe.”
iMessage Contact Key Verification will be available globally in 2023; Security Keys for Apple ID will be available globally in early 2023; and Advanced Data Protection for iCloud is available in the U.S. today for members of the Apple Beta Software Program, and will be available to U.S. users by the end of the year. The feature will start rolling out to the rest of the world in early 2023.