Apple testing USB security key support for Safari

Posted:
in Mac Software
Apple's latest Safari Technology Preview includes support for the WebAuthentication API, which allows users to validate website login credentials via hardware security keys that typically come in the form of a USB stick.

Safari
Apple's Safari web browser.


According to release notes covering Apple's Safari Technology Preview version 71, which was released on Wednesday alongside iOS and macOS software updates, the new WebAuthn capability supports USB-based CTAP2 devices.

Developed by the World Wide Web Consortium (W3C) and the FIDO Alliance, WebAuthn is an effort to standardize and enhance the user authentication process across various systems and online gateways. The specification Apple is testing -- Client-to-Authenticator Protocol 2 -- is a product of the wider FIDO2 standard that enables hardware-backed authentication across the web.

USB-based CTAP2 devices, also known as authenticators or USB security keys, grant a higher level of protection than simple text-based passwords. Instead of relying solely on text-based passwords, which can be stolen or forgotten, the system introduces a physical hardware component into the mix.

Some solutions that rely on the technology require another form of authentication alongside the authenticator. Depending on the system, authentication might involve biometrics, location information, time stamps or password re-entry, among other safeguards. The end result is a strong, multi-factor security protocol that can be deployed across multiple compliant platforms with relative ease.

As noted by CNET, which reported on the Safari Technology Preview earlier today, FIDO2 also supports Bluetooth and near-field communications for hardware authentication, though the current Safari test build is restricted to direct USB connections. The limitation means users will need to insert a security key into their Mac when accessing sites that support CTAP and CTAP2, like Dropbox and Twitter.

WebAuthn in Safari is considered an "experimental feature," though it could show up in a future version of Apple's web browser.

Comments

  • Reply 1 of 9
    If Apple does adopt this it will most likely be hard coded to the Apple T series chips.
    cornchipwatto_cobra
  • Reply 2 of 9
    This is the very long awaited implementation of 'Something You Have' as a method of authentication. Ideally, this is combined with 'Something You Know', such as a password, and 'Something You Are', such as your fingerprint or face. These are the standard three factors of multi-factor authentication. A fourth factor, already available to smartphone users, is 'Somewhere You Are', as in GPS coordinates matching an approved authentication site or verification that the net user is located in their specified home or office.

    https://en.wikipedia.org/wiki/Multi-factor_authentication

    I've had a Yubikey for 10 years, waiting for Internet security to catch up. Meanwhile, Yubikey has added NFC authentication as well as FIDO U2F, FIDO 2, OpenPGP, OATH and FIPS 140-2 compliance. Apparently, it took Google getting into the USB key business this year to kickstart universal interest. *sigh* Better late than...

    https://en.wikipedia.org/wiki/YubiKey
    https://www.yubico.com
    edited December 2018 cornchipemoellerSpamSandwich
  • Reply 3 of 9
    evilutionevilution Posts: 1,399member
    Three and four factor authentication! I look forward to never successfully setting up a new Apple device again.
    I don’t know why I always have a problem but whenever I set up a new device for my girlfriend, I never get the 6 digit code pop up on any of her other devices.
    williamlondon
  • Reply 4 of 9
    Apple Watch could help sign in with the help of Bluetooth,right? Like how Apple Watch can be used for signing in to Macs?
    GeorgeBMacwatto_cobra
  • Reply 5 of 9
    emoeller said:
    If Apple does adopt this it will most likely be hard coded to the Apple T series chips.
    Why? The benefit of USB keys is exactly that you can take them from system to system. It makes no sense to lock them to a T-chip that is bound to a specific system.
    macxpressgatorguyfastasleepwilliamlondonwatto_cobra
  • Reply 7 of 9
    zimmiezimmie Posts: 651member
    This is the very long awaited implementation of 'Something You Have' as a method of authentication. Ideally, this is combined with 'Something You Know', such as a password, and 'Something You Are', such as your fingerprint or face. These are the standard three factors of multi-factor authentication. A fourth factor, already available to smartphone users, is 'Somewhere You Are', as in GPS coordinates matching an approved authentication site or verification that the net user is located in their specified home or office.

    https://en.wikipedia.org/wiki/Multi-factor_authentication

    I've had a Yubikey for 10 years, waiting for Internet security to catch up. Meanwhile, Yubikey has added NFC authentication as well as FIDO U2F, FIDO 2, OpenPGP, OATH and FIPS 140-2 compliance. Apparently, it took Google getting into the USB key business this year to kickstart universal interest. *sigh* Better late than...

    https://en.wikipedia.org/wiki/YubiKey
    https://www.yubico.com
    "Something you are" is not authenticating information, it is identifying information. To think otherwise leads to dangerous mistakes.
    muthuk_vanalingamwatto_cobra
  • Reply 8 of 9
    I’ve been waiting for NFC log on authentication for iOS forever (seems like).

    I don’t trust FaceID or TouchID and have been using a 20+ digit pass phrase instead.  It would be nice for Apple to approve hardware based authentication throughout.

    The complex password is obviously inconvenient...

    I’d trust FaceID + hardware enough to use it.  A wireless hardware key isn’t ideal due to the risk of interception of the key, but it’s “good enough” when part of 2FA.

    I suppose I could use a 4 digit password in addition to the other 2 if I was feeling anal ; )

    It’s good that Apple is getting with the program, even if it’s only with Safari (at this point).
  • Reply 9 of 9
    I’d trust FaceID + hardware enough to use it.  A wireless hardware key isn’t ideal due to the risk of interception of the key, but it’s “good enough” when part of 2FA.
    That's ridiculous. Do you imagine the key is being transmitted to the Mac, whether by NFC or over USB?

    Look up "Diffie Hellman Key Exchange". There is no risk of interception, because the key never gets off the USB (or NFC) device.
    watto_cobra
Sign In or Register to comment.