How to troubleshoot Contact Key Verification for extra-secure iMessage chats

Macworld

With iOS 17.2, iPadOS 17.2, macOS Sonoma 14.2, and watchOS 9.2, Apple released an option for further ensuring the private communication of iMessages. Called Contact Key Verification (CKV), this extra step performs additional checks on your device to see whether anyone has managed the difficult-but-not-impossible feat of inserting themselves into your secure end-to-end iMessage conversation.

This problem has long been seen as a threat because of how Apple maintains central storage of one component of the pair of encryption keys used to secure these conversations. (Apple stores what’s called the public key in a public/private key pair; your device retains the private part, which never leaves your iPhone, iPad, Mac, or Watch.) If Apple’s central storage were fiddled with in a very nuanced way or an exploit managed to allow an attacker to insert replacement secrets on a target’s device, it’s possible no one would be the wiser. CKV monitors and alerts users to what are extreme but possible interceptions.

Most people don’t need CKV—it’s really intended for people with a high risk of direct attack, typically by a government, or what Apple calls “sophisticated threats.” Others may simply like the notion that they are adding a level of integrity and protection against come what may.

Apple has stuck CKV controls in weird places, a result of the awkwardness of rolling out a feature after major operating systems have already shipped. Find the switch in the Account Name section at the top of System Settings (macOS) or Settings (iOS/iPadOS). Scroll to the bottom of the main Apple ID view, below all your associated hardware, to find the Contact Key Verification item. Tap or click, in sequence, the label, the switch, and a Continue button to proceed.

Your operating system will alert you if all of your connected devices aren’t updated to the required minimum version, as noted above. You have to update or remove all devices in your iCloud set to use CKV.

Once enabled, you can tap Show Public Verification Code > Copy Verification Code (iOS/iPadOS) or click Copy Public Verification Code in macOS. This code is safe to publish or distribute, as it’s tightly associated with your iCloud-connected phone number(s) and email address(es). Someone can use that code to verify your identity in Messages even if you or they are offline—but they have to know an email address or phone number associated with your account to do so.

Once you enable CKV, your public verification code appears.

Foundry

More frequently, you’ll go to Messages. In a conversation with someone, click the i info button in the upper-right of Messages or tap the person’s avatar. If they have CKV on, there will be a Verify Contact button you can click or tap to enable verification. You have to do this at the same time as the other person. I suggest having a live phone call or video during which you confirm an eight-digit number each of you sees on your devices. (Apple blanks the code out in screen captures made in iOS/iPadOS.) Tap or click Mark as Verified, which then prompts you to update a contact card for the individual, which now includes their public verification key.

Once verified, Messages displays a tiny checkmark in the conversation next to the person’s avatar in iOS/iPadOS or name in macOS. In Contacts, a checkmark and the message “verified” appear to the right of their verified addresses.

A person you’ve verified appears with this “verified” label in their contact card next to associated addresses and phone numbers.

Foundry

If you can’t get the verification numbers to appear at all, something’s wrong. In testing, I found that because Contact Key Verification is tightly tied to your iCloud contact information, you have to make sure you aren’t accidentally communicating with someone using a method that isn’t connected to their iCloud account. In one test, a colleague had an outdated phone number listed for me, but that was the way they previously communicated with me on iMessage. They had to delete that number from their Contacts and start a new conversation using the email address associated with my iCloud account.

If your numbers don’t match—note that they change every several seconds—tap No Match. It’s unlikely to be snoopers unless you’re a high-profile target. Get in touch with Apple Support if you aren’t. (If you are, check Citizen Lab for resources.)

Apple blanks the verification number in screen captures, but imagine eight digits in the blank space above the buttons.

Foundry

I’ve noticed that Messages sometimes seems out of sync with verification. That is, you can have matching codes, both tap Mark as Verified, and one or both people’s entries don’t update. In some cases, I have had to restart the device or disable and re-enable Contact Key Verification in Settings. This seems like the teething pains of a 1.0 feature.

With CKV enabled, you’ll get inline or other notifications if something changes with the other person’s encryption information, requiring a new verification step. Apple will provide details about what to do—and what to worry about.

Ask Mac 911

We’ve compiled a list of the questions we get asked most frequently, along with answers and links to columns: read our super FAQ to see if your question is covered. If not, we’re always looking for new problems to solve! Email yours to mac911@macworld.com, including screen captures as appropriate and whether you want your full name used. Not every question will be answered, we don’t reply to email, and we cannot provide direct troubleshooting advice.
