From the horse’s mouth
Apple is making it feasible to use hardware security keys in iOS as an authentication factor for their Apple ID logon.
This is being desired as a “phish-proof” approach for secondary authentication or sole authentication due to a physical device not being easily coerced or fooled. As well, this “machine-to-machine” approach allows for stronger passkeys.
It is even seen as a preferred secondary authentication factor for online services used by journalists, human-rights defenders, the public service within democracies and others working with high-stakes information. This avoids such users being fooled in to releasing their online accounts to highly-targeted spear-phishing attacks.
Apple supports this on iPhones and iPads through the iOS/iPadOS 16.3 major feature update. This is also being written in to MacOS Ventura 13.2 for the Apple Mac regular computers whereupon you just use the security key as the secondary authentication factor. They primarily implement this as an alternative secondary authentication means to transcribing a six-digit number shown on your iPhone when it comes to two-factor authentication for your Apple ID.
In the context of the Apple Watch, Apple TV and HomePod devices, you use your iPhone that you set up with the security key authentication to provide the secondary authentication factor when you set these up for your Apple ID. Here, this is easier for limited-interface devices because another device is managing some of the authentication work with your Apple ID.
FIDO-compliant hardware security keys are supported with this update but they have to have an MFi Lightning plug or NFC “touch and go” interface to work with the current crop of iPhones in circulation. USB-C is also supported but you would need a USB-C to MFi Lightning adaptor for iOS devices except newer iPads that have this connector. You also may find that newer iPhones that are to come on the market soon will have the USB-C connector due to pressure from the European Union and some other jurisdictions.
There will be a requirement to set up two hardware keys with the same iOS device when you implement this feature. This is so you have a backup key in case the one you lose the one you regularly use or that one is damaged such as being laundered with your clothes.
Add to this that support does exist for app-level or Website-level verification with security keys within iOS. But it may allow Apple to build in and refine the necessary application-programming interfaces for third-party app developers who want to support this form of authentication.
What I see at least is the implementation of hardware security keys in the mobile platform context when it comes to multi-factor or password-free authentication for the user’s primary platform account. Who knows when Google will offer this feature for Android. Could this also be about leading towards the use of hardware security keys as a hardening factor for user account security?