I added a hardware security key to my MacBook, and it made my logins faster and safer

For the past few months, I’ve been alternating my laptop usage between a Surface Pro 9 (running Windows 11) and an M2-powered MacBook Air. There’s always a bit of an adjustment when switching between platforms, but I found one aspect of the MacBook especially frustrating: After a restart, I have to enter the local user account password before I can use the TouchID fingerprint recognition hardware. Can’t MacOS work more like Windows Hello, which lets me sign on anytime using biometrics or a PIN?
Well, yes, it can! As long as you have the right hardware, that is.
Specifically, you need a USB security key that supports the Personal Identity Verification (PIV) standard and can act as a smart card for login purposes. As it turns out, anything in the YubiKey 5 series from Yubico meets these standards. Now, I just happen to have a few of these versatile keys hanging around, so I decided to make my MacBook a little easier to use, with their help.
Here’s how I did it.
I started with a YubiKey 5 Nano, which is a remarkably small gizmo that plugs into one of the MacBook’s two USB-C ports and sticks out just a tiny fraction of an inch. That’s it on the far right in this family photo of the YubiKey 5 series.
For any modern MacBook, you can use one of these Series 5 YubiKeys with a USB Type-C connector
I could have used a more traditional key that’s designed to be plugged in and removed at the end of a session, but I was especially attracted to this device’s capability to remain plugged in without my having to carry it separately.
The setup process is fairly straightforward and is documented in this Yubico support article, “Using Your YubiKey as a Smart Card in MacOS.” For these instructions, I assume you’re starting with a new hardware key that’s never been previously configured.
Step 1: Download the YubiKey Manager app and install it on the Mac.
Click PIN Management to configure the hardware key before using the Setup for MacOS option
Open YubiKey Manager, click Applications > PIV, and click PIN Management. Make the following changes:
Open YubiKey Manager, click Applications > PIV, click Setup for MacOS, and then click Setup for MacOS. (Yes, that’s a second button with the same label as the previous one.)
This process pairs your hardware key with the certificates associated with the PIV application, turning your key into a MacOS-compatible smart card. Confirm that you want to overwrite the existing values, then enter your PIN and click OK.
Remove the hardware key and reinsert it. MacOS will prompt you to associate the hardware key/smart card with your user account. Click that notification to begin the pairing process.
Click the notification in the upper right corner to pair your hardware key with MacOS
Pay close attention to the screens that follow. You’ll need to enter the hardware key’s PIN, followed by the password for your MacOS user account, followed by the password for your iCloud Keychain (which is probably the same as your account password).
And that’s it. The next time you restart your MacBook, you can type your PIN instead of having to enter your password. That unlocks the TouchID fingerprint reader, which you can then use to sign in after you resume from sleep.
If the YubiKey isn’t inserted when you restart (or resume from a long sleep session), you’ll be prompted to enter your password. You can plug in the key to change that prompt and use your PIN instead.
In this configuration, you can safely change your password to be longer. (Experts say it should be at least 12 characters in length, but feel free to change it to a passphrase that contains upper- and lower-case letters and at least one number.) You’ll still need to type that passphrase occasionally to make system-level changes, but you won’t need it to sign in to your MacBook.