Apple Releases iOS 16.3, iPadOS 16.3, and macOS 13.2 Ventura with Hardware Security Key Support
Apple’s engineers have been hard at work since the holiday break, given that it has been barely a month since the last non-trivial update to the company’s operating systems (see “Apple Releases iOS 16.2, iPadOS 16.2, macOS 13.1 Ventura, watchOS 9.2, and tvOS 16.2,” 13 December 2022). The company has now released iOS 16.3, iPadOS 16.3, macOS 13.2 Ventura, and watchOS 9.3 with one new feature, a new wallpaper and watch face for Black History Month, a collection of bug fixes, and a dose of security updates. Apple said nothing about updates to tvOS or HomePod Software.
The most notable change in iOS 16.3, iPadOS 16.3, and macOS 13.2 is Security Keys for Apple ID, a feature that allows you to strengthen the security of your account by requiring a physical security key to log in. I’ll admit a complete lack of experience with such hardware keys, but the name I hear most frequently is YubiKey, the umbrella name for a variety of hardware keys from Yubico. They’re not particularly expensive, and some even let you authenticate with a fingerprint, just like Touch ID.
Using a security key to protect an Apple ID is overkill for the vast majority of Apple users, but for anyone who’s a high-value target, it could be a welcome addition. Remember, high-value targets aren’t just politicians, high-ranking executives, journalists, and activists—they also include anyone with access to key systems, which could include lower-level IT support staff.
Apart from the addition of Security Keys for Apple ID and support in iOS and iPadOS for the second-generation HomePod (see “Second-Generation HomePod Supports Spatial Audio, Temperature/Humidity Monitoring, and Sound Recognition,” 18 January 2023), these are largely maintenance releases. iOS 16.3, iPadOS 16.3, and macOS 13.2 all fix a bug in the Freeform digital whiteboard app that blocked some drawing strokes created with a finger or an Apple Pencil from appearing on shared boards. Plus, iOS and iPadOS both address an annoying issue that prevented Siri from responding properly to music requests.
You should know about two other iPhone-specific changes. First, to prevent inadvertent emergency calls, Emergency SOS calls now require holding the side button with the up or down volume button and then releasing. It’s not quite clear how this differs from the previous behavior, and I don’t dare test this for fear of actually calling 911. Nevertheless, visit Settings > Emergency SOS, verify your settings, and read the help text. Second, a new Unity wallpaper honors Black history and culture in celebration of Black History Month.
Beyond those changes, iOS 16.3 fixes bugs that:
- Caused the wallpaper to appear black on the Lock Screen
- Temporarily displayed horizontal lines while waking up an iPhone 14 Pro Max
- Blocked the Home Lock Screen widget from accurately displaying Home app status
- Prevented Siri requests in CarPlay from being understood correctly
watchOS 9.3 supposedly gets “new features, improvements and bug fixes,” but the only thing Apple is willing to describe is a new Unity Mosaic watch face to honor Black history and culture in celebration of Black History Month.
Sadly, it doesn’t appear that Apple has changed the requirement to enter a passcode every time an iPhone or iPad tries to back up to a Mac, as we outlined in “iPhones and iPads Now Require a Passcode on Every Backup/Sync” (11 January 2023).
All the operating systems receive security updates as well. As far as Apple is saying, none of the addressed vulnerabilities have been exploited in the wild.
- iOS 16.3 and iPadOS 16.3: 12 security vulnerabilities
- macOS 13.2 Ventura: 22 security vulnerabilities
- watchOS 9.3: 11 security vulnerabilities
Given that the scope of the changes in these updates is quite small and none of the fixed security vulnerabilities are being exploited in the wild, you can take a few days or a week to update—there’s no huge hurry.
Advanced Data Protection came to Blighty at last, so I enabled iCloud Backup to avoid the passcode prompt. Going well, so far, after a bit of flakiness turning ADP on which appeared to slow things down for a while. Curiously, the change reflected on iOS 16.2 devices immediately, even before upgrading—I guess the region check is gated by version, but not the use, so once enabled I could use it right away. Great stuff.
Please consider a hardware key system.
Is it necessary for most users, no.
But for any application where security is a top priority, yes.
So how do hardware keys work on iPhones & iPads? Do you need to have USB-A to Lightning and USB-C adapters? Or do you have to buy a separate key for each port used?
Based on what I see on their product page, that would seem to be the case for the OnlyKey.
The Mooltipass device is Bluetooth based, so it should just work with whatever phone you’ve paired it with.
I use one of these hardware keys for accessing bank accounts, credit card accounts, etc. It gives me a code that I can use in the 2FA part of the log-in process and works very well. Most institutions now send a code to your mobile phone/cell phone and that code is to be used as part of the log-in process.
This hardware key is particularly useful when I am travelling in countries and not using global roaming because of the high cost and low need for such a service.
But the downside is that it is not universal and I can only use it for accounts I have with the issuing organisation. So I am hoping that this key might be helpful. There’s no indication if it works outside the US.
Regarding security keys, a good post from Ricky Mondello, who works on passkeys at Apple:
I really don’t think that many/any of us need this.
Well, I wish I would have waited before upgrading to 13.2. Seems it broke my Pioneer drive. From Pioneer’s website:
This is an early report; still working on it.
I went to pay a (late) tuition bill. Web site wouldn’t let me because it said my Safari version was out of date with latest security patches.
I checked Software Update and, sure enough, found there was a Ventura security update. So I installed it.
Ever since, my 2017 27" Retina iMac has been in a boot loop, punctuated by this lovely (but thankfully international friendly!) screen.
Powering off/on doesn’t help. Waiting overnight didn’t help. Unplugging all peripherals didn’t help. The only odd thing about my setup is that I’m booting from an external (Thunderbolt) drive. (Internal drive is wiped).
Now to start hunting for solutions.
But I just wanted the community to have a heads up. Maybe I should have tried Chrome before updating :-D
Perhaps of help…
Based on a tip from here:
I disabled “SIP”:
by booting into Recovery Mode:
Unfortunately, I still get the screen from hell and boot loop. I went back into Recovery Mode and ran “csrutil status” to confirm SIP was disabled, and it was.
So whatever fixed it for that guy didn’t work for me. And, for some vexingly exasperating reason, Apple locks such threads pretty promptly so that they can be useful for as few people as possible.
Not happy. Open to suggestions.
I booted into Recovery Mode and selected the Reinstall Ventura option. After that completed, the Mac booted.
A couple hiccups… My photo library, loading from (yet another) external SSD, would not open. Rebooting appeared to resolve that. And earlier on, attempting to recover by booting from my bootable clone (made by Carbon Copy Cloner), only brought me to a Recovery screen; it didn’t actually boot. Not sure why, except that I had forgotten that that task was disabled since I wanted to make sure my boot drive, which is a new setup, was stable before resuming that cloning. So it was a bit out of date; not sure why that would make it unbootable, but macOS is weird these days.
Also, my “SIP” is still disabled. So I’m going to let the CCC sync catch up (could take a day) before I try re-enabling SIP. That way, hopefully I have an easier way to get back in.
Strangely enough…it bricked my Studio as well. Did the update on my M1 MBP just fine then a day later did my Studio…it’s got an OWC Thunderbay Mini RAID on it and a handful of Seagate 2.5” spinning drives. It downloaded and was in the “preparing” mode when we left for dinner and when we got home there was a dialog on the screen saying “there are no users on this drive”. Tried recovery several times and could not get to the reinstall macOS portion…it would let me select the internal drive for startup and identified it as Ventura.2 but would hang 3/4 the way across the progress bar. Disconnected everything but the BT keyboard, mouse, and ethernet cable and tried several more times…no joy.
Called Apple the next day (well, they called me after I had a Messages discussion with the 1st line support…and second tier called back). I did have the Erase Macintosh option in Recovery but neither of us really wanted to go that route unless we had no other option. Spent another hour or so troubleshooting and trying a variety of things but finally ended up selecting Erase and then it let me back into Recovery mode with reinstall as an option. Reinstalled Monterey with minimum setup from there…upgraded to Ventura.2 successfully, and it’s still doing the restore from Time Machine process…one lesson learned from this is that I’m going to get an SSD for TM instead of one of the slower USB Seagate spinning drives (mine are the Backup+ from Seagate) so that backups and restores will be faster.
I’ll make sure I have a good clone of my wife’s M1 Air before upgrading hers…been doing Macs and macOS since 1985 or so and this is the first OS update that blew up on me over at least 15 machines between my wife and I and probably another 50 that I helped clients update back when I was consulting on the side while working in DC.
Just a quick tip - you don’t have to be in Recovery Mode to check SIP status, just if you want to change it. You will need “sudo”
$ sudo csrutil status
Yes, thank you! I went into Recovery Mode because I was back in the boot loop!
Wow, thanks for sharing! Lots of great points.
Yes, I should have made sure my CCC clone was up to date before upgrading the OS, especially since I’m booting off an external drive. This type of problem has been rare, so I probably got complacent!
I feel like Apple has gotten less and less friendly toward booting from external drives lately. In general, their focus on security, while completely understandable, has become over-the-top annoying: multiple repeated requests for your Apple ID/iCloud password, immediately after entering it elsewhere on the system, etc, etc.
And the external drive clampdown feels real. And inability to repair their filesystems. So many things.
This is good advice for everybody.
Assume the OS update will hose your system so you’ll then be forced to re-install macOS and use MA to get back all your apps, settings, and data. You’ll want to have a very up-to-date backup for that, be it TM or clone (or both). It should be reliable and it should be reasonably fast so the whole exercise doesn’t take forever (spinning rust is bad at that, SSDs are great).
While I do have backups, on site and off site, I actually have a different strategy for this. I install from scratch and everything of importance is in a cloud service or synced with other devices (well, Macs) using syncthing (desktop, downloads, ~/Documents, plus my MoneyDance file, which I actually don’t need, as I have that set to sync with Dropbox). I have steps I follow to reinstall apps and change settings, but once I get the cloud services syncing and syncthing running I get everything back.
The exception is the Mac mini that holds my music library, mostly in Apple lossless, which I would restore from backup if that machine ever goes south (or I replace it, which I did last year.)
Do you do this for every point update and security update? That seems like a lot of disruption.
Of course not. For a new machine, or, in the case being discussed here, a bricked machine requiring reinstall of the OS (which hasn’t happened to me, but this is what I would do).
Yep…had to erase and reinstall my Studio after the failed Ventura.2 update…and recovering from a spinning 2.5 Seagate drive took almost 48 hours after the OS install. Obviously I need to get an SSD for TM.
And even beyond bricking the machine…more and more buggy. Once I was done reinstalling Monterey, then Ventura.2, then Migration Assistant to restore from TM…checked and all seems to be good on the Studio itself…but file sharing no longer connects to previously defined shares. Went into Settings and verified the proper folders were shared with the proper names and permissions…I’ve got the same user accounts on all machines so selecting the admin user, the administrators group, and the share connection user all to R/W…and verified permissions on the folders including propagating them downwards through the folder and just can’t connect. I use computer, network, click on the server, select logon as either the admin user or the sharing user, I see all the shares but clicking on one of the shares just gives me the endless beachball in the corner of the Finder window. Similarly…ConnectMeNow4 doesn’t connect them either despite it being (a) correctly configured and (b) works just fine before Ventura.2. QC seems to be down the toilet with this update unless it’s just me.
And then again…maybe it’s just something up with the networking in Ventura.2…doing some more investigation I went into CCC and created a new job with Remote Mac as the destination…once authenticated it lets me step through the folders and subfolders under the share point but it takes a couple minutes to list every folder as I go down the tree even if there are only a half dozen subfolders. That job is running now and appears to be copying successfully…but it appears to be running fairly slowly, only copying about 250 MB per minute which seems slower than it used to be…it’s wifi from the laptop but it’s an M1 MBP. I’ve got an identical job in CCC that attempts to mount the root of the share and then the destination is down in the mounted share…but that one quits without ever mounting the share and mounting it manually isn’t working. All of the shares are set up as SMB on the Studio that’s the server and all the permissions and share settings haven’t changed beyond the upgrade to Ventura.2 and the Studio is on ethernet, not wifi.
Meanwhile…connecting to the 2013 mini still running Monterey works just fine…it’s also on ethernet so the only wifi involved is the MBP and the Orbi mesh router which are working just fine and Speedtest says I’m getting my normal daytime 150 Mbps or so…which converts to about 20 MB/S or 1200 MB/min…so I’m guessing it’s not the wifi…and ethernet is all IPv4 gigabit.
For completeness’ sake, I’ll share that tonight, after updating my CCC (supposedly) bootable backup, I went back into Recovery Mode, re-enabled “SIP” via “csrutil enable”, rebooted, and seem to be fine. So I guess I’m now fully back on track, my life having only had a couple more years shaved off of it due to stress.
I really should find a way to monetize all this work, other than just “keeping everything running”!
I’ve seen keys that support Near-Field Communication (NFC) for use with iDevices.
This Yubikey has both a lightning and USB-C end, so you can use it with an iPhone, iPad, and/or MacBook.
This one is USB-C and NFC and supports iPhone with NFC.
Yes, Wirecutter rates the Yubikey Series 5 highly but considers it a splurge.
Looks like Apple has also changed iOS 16.3 to allow adding widgets to classic wallpapers.
That’s great. But too late. Many folks by now will have recreated from scratch. This should have been in there on day 0 IMHO. I’d guess this is just another victim of the forced annual release schedule.
I never deleted my old one, just created new ones. So, it’s not too late for me. (That said - I stopped using widgets on the lock screen at all. It basically duplicates info I have on my watch face anyway.)
I posted in another thread but wanted to close the loop here. Today’s update, macOS Ventura 13.2.1 has resolved the issue and I again can use my Pioneer drive.