Apple’s iMessage offers a secure identity verification system that enterprise professionals might want to use. Here's everything you need to know about Contact Key Verification.
Many business professionals require highly secure messaging solutions, particularly when they travel. Apple’s iMessage offers a secure identity verification system that enterprise professionals might find useful. It’s called Contact Key Verification.
Apple announced the system in 2022. It went live across the Apple ecosystem in late 2023 with the release of iOS 17.2, iPadOS 17.2, watchOS 9.2, and macOS 14.2.
What is Contact Key Verification?
Contact Key Verification is an iMessage feature that helps users verify each other’s identity. It is “designed to detect sophisticated attacks against iMessage servers and allow users to verify that they’re messaging only with whom they intend,” Apple says.
Who is it for?
Apple says its system is for the same essential group of people it already protects with Lockdown Mode — that is, “users who face extraordinary digital threats, such as journalists, human rights activists, and members of government.”
What problem does Contact Key Verification solve?
While iMessage chats are end-to-end encrypted, that security relies on a third-party “Key Directory Server” to authorize devices. That makes the Key Directory Server a potential target for criminals and surveillance.
The problem arises if a powerful entity manages to compromise that server's security; once it has done so, it becomes possible to intercept or monitor messages, or even enter the conversation. (This could be a particular concern for people in politics, human rights activists, journalists, businesspeople and others.)
Contact Key Verification helps secure the transaction.
What does this mean for iMessage?
For a user, Contact Key Verification adds a manual verification step inside an iMessage conversation to confirm the person you are speaking with is who their device claims they are.
- The system requires you and the other party to read a short verification code to each other, either in person or during a phone call.
- Once you have both validated the conversation, your devices maintain a chain of trust.
- That chain means no private encryption data is shared, including with Apple.
- The idea here is that the system will spot if anything changes in the encryption keys, and you’ll be given a warning that something may have gone awry.
- The feature also offers users the chance to compare a contact verification code in person, on FaceTime, or through another secure call.
How does Contact Key Verification work?
As we know, iMessage’s end-to-end encryption means only the sender and recipient of a message can read it. This is achieved because each device in a user’s iMessage account has its own set of encryption keys that are never used on anything else. When a person wants to send an iMessage, the system consults the key directory service to authorize the devices so they can communicate; that’s the vulnerability that might be exploited (as described above).
To resolve this, iMessage Contact Key Verification uses a mechanism called Key Transparency (KT). Apple explains this “uses a verifiable log-backed map data structure, which can provide cryptographic proofs of inclusion and be audited for consistency over time.” That’s the function of the spoken code word exchanged between two trusted parties.
Apple has published a tech note describing the cryptographic tools used to enable this security protection.
What happens if the system spots an anomaly?
If a device in the chain detects a validation error, the person owning the device that spots the problem will be notified about the error directly in the Messages conversation transcript.
How to turn on Contact Key Verification in iOS
First, make sure your phone is running iOS 17.2 or later. You enable Contact Key Verification within Settings.
- In Settings, tap your name to access your Apple ID settings.
- Scroll down the subsequent page and toggle Contact Key Verification to On.
- A warning notice will appear. This tells you what the feature does and informs you, “In conversations with people who also have contact key verification turned on, you will see a message if contact key verification detects an issue or is turned off.”
- If you have other devices signed into your Apple ID, you’ll have to update them to a compatible software version, disable iMessage on those devices, or remove the devices from your Apple ID.
Once you have set up the system, you will have your own personal verification code accessible from within Settings. This is unique to you and your device and will be required to secure any future iMessage communication with others.
How to verify a contact in iOS
Both you and the person you want to verify must have Contact Key Verification turned on. You’ll want to be in live contact with the other person via phone call, FaceTime, or in person.
- Launch the Messages app and open a conversation with the person you want to verify.
- Tap the person’s name at the top of the screen, scroll down on their information page, and tap Verify Contact.
- The other person should do the same thing on their phone at the same time.
- When you’ve both tapped Verify Contact, you should each see a contact verification code. Compare the two codes. If they match, tap Mark as Verified, then tap Update to save the code to their contact profile. If the codes don’t match, tap No Match and stop texting the person.
Once you’ve verified a contact, you’ll see a checkmark next to their name in Messages.
Does Contact Key Verification work with SMS?
No. Contact Key Verification will not work with SMS messaging — so if you see a green bubble, you cannot assume the communication is secure.
This article was originally published in November 2023 and updated in July 2024.