WebAuthn becomes official hardware login standard for browsers like Apple's Safari

Posted in General Discussion, edited March 2019
The World Wide Web Consortium and the FIDO Alliance have certified WebAuthn as an official Web standard, allowing users of compatible browsers -- Safari among them -- to turn to hardware logins instead of passwords.

Image: NFC YubiKey for iPhone

The technology is already supported in developer preview versions of Safari, as well as in other major browsers including Chrome, Firefox, and Edge. Two operating systems, Android and Windows 10, have the technology built in.

Sites that use WebAuthn support logins via biometrics, mobile devices, and USB security keys. This not only removes the need for passwords but keeps the login secret local to the device, so it is protected from server breaches and interception. FIDO keys are also unique to each website, meaning they can't be used to track a person across sites.
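The per-site, public-key design described above, as a constructed example added here (not code from the article, the W3C specification or any FIDO library): a toy authenticator holds one P-256 key pair per relying party ID and never exports the private key, while the site stores only the public key and checks that each assertion is bound to its own rpID, its own origin and the challenge it just issued. All names (Authenticator, Register, Assert, Verify, signedDigest) and the sample rpID, origin and challenge values are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
)

// Authenticator is a constructed model of a FIDO2 key: one key pair per relying party ID, and the private keys never leave it.
type Authenticator map[string]*ecdsa.PrivateKey

// Register mints a fresh credential for rpID and hands back only the public key; that is all the site ever stores.
func (a Authenticator) Register(rpID string) *ecdsa.PublicKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a[rpID] = k
	return &k.PublicKey
}
// Assert models the get() ceremony: the browser passes the origin it saw plus the site's challenge, and the key signs SHA-256(rpID) || SHA-256(clientDataJSON); ok is false when no credential exists for rpID.
func (a Authenticator) Assert(rpID, origin string, challenge []byte) (authData, clientData, sig []byte, ok bool) {
	k, ok := a[rpID]
	if !ok {
		return nil, nil, nil, false
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData = rpHash[:] // real authenticatorData also carries flags and a signature counter
	clientData, _ = json.Marshal(map[string]string{"challenge": base64.RawURLEncoding.EncodeToString(challenge), "origin": origin})
	sig, err := ecdsa.SignASN1(rand.Reader, k, signedDigest(authData, clientData))
	return authData, clientData, sig, err == nil
}
func signedDigest(authData, clientData []byte) []byte {
	cdHash := sha256.Sum256(clientData) // what both sides sign/verify: SHA-256(authData || SHA-256(clientDataJSON))
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}
// Verify is the relying party: it holds only the public key and accepts an assertion only if it is bound to its own rpID and origin and carries the exact challenge it issued, so it cannot be replayed or reused from another site.
func Verify(pub *ecdsa.PublicKey, rpID, origin string, challenge, authData, clientData, sig []byte) bool {
	var cd struct{ Challenge, Origin string }
	rpHash := sha256.Sum256([]byte(rpID))
	if string(authData) != string(rpHash[:]) || json.Unmarshal(clientData, &cd) != nil ||
		cd.Origin != origin || cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedDigest(authData, clientData), sig)
}
```

A credential registered for one site simply does not exist for any other rpID, and an assertion signed for a different origin or an old challenge fails verification even though the key itself is genuine.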

Apple first added WebAuthn support to Safari in a December Technology Preview release. At the time the browser's implementation was limited strictly to USB, even though the WebAuthn standard also covers Bluetooth and NFC transports.

One USB key maker, Yubico, has been working on a Lightning product for iPhones and iPads. It already has MFi certification from Apple, but the project is still in private testing among third-party developers.

Comments

  • Reply 1 of 10
    dewme Posts: 5,362 member
    Using your iPhone with its built in TouchID or FaceID as the key would be a natural fit. 
  • Reply 2 of 10
    seanismorris Posts: 1,624 member
    dewme said:
    Using your iPhone with its built in TouchID or FaceID as the key would be a natural fit. 
    Yep.  We’re getting to the point that passwords will no longer be used.  

    When Apple released TouchID they were ahead of the game.  Currently it’s just used to authenticate Apple logins, but using biometrics to log in directly to websites is exciting.  Apple’s Keychain (password managers) was better than the alternative, but this is better still.

    Hopefully, this leads to more users using 2FA (or multifactor authentication).  So, you could use your biometric scan to log into your banking site, then your pin (saved in Keychain) for extra protection.  In that method you’d use biometrics twice.  But, you could use any variation.

    Here’s one interesting scenario: 
    You have a new iPhone XS.  The phone is set up to use FaceID for yourself and your child (spouse, girlfriend, dog, etc) so both individuals can use the phone.

    Previously, I believe both people would have access to all your credentials saved in Keychain (because it’s accessed with FaceID).  That’s a big problem...

    With WebAuthn that’s not the case.  Worst case, they’d have access to your pins saved in Keychain, and wouldn’t have access to (for example) your banking site which requires your biometrics scan at the time of login.
  • Reply 3 of 10
    tundraboy Posts: 1,885 member
    Will this make your internet activity Google and Facebook snoop proof?
  • Reply 4 of 10
    melgross Posts: 33,510 member
    Well, they seem to be talking about an external hardware device, like the old USB keys we used to get with expensive software, years ago. So this is a bit confusing. If we could use Touch ID or Face ID, then why have these things too? And, would they need to be used each time? If so, that’s a major pain. Would we have to carry them with us everywhere we go? What if we lose it, or forget it?
  • Reply 5 of 10
    macplusplus Posts: 2,112 member
    dewme said:
    Using your iPhone with its built in TouchID or FaceID as the key would be a natural fit. 
    This is different: the corporation or institution gives you a hardware key to login to their web site or mobile application. This hardware key may also be your digital signature that represents you before the law. Touch ID and Face ID may only act as the access password to those hardware keys as an additional layer of security.

    Most of those gadgets have outdated libraries and require Java. WebAuthn may be a solution to that.

    It is possible to use your iPhone to trigger your digital certificate provided that your carrier maintains that certificate for you and runs a SIM application on your iPhone you’ll use to sign. The carrier must also provide a “mobile signing” infrastructure to involved institutions. Again in this case Face ID and Touch ID act only indirectly as access passwords to that “phone with SIM with mobile signature”.
    edited March 2019
  • Reply 6 of 10
    gatorguy Posts: 24,213 member
    tundraboy said:
    Will this make your internet activity Google and Facebook snoop proof?
    You should spend just a few minutes reading about what WebAuthn is so then you could answer your own questions without someone else explaining it to you. It has zippity to do with anonymous browsing :/
    https://developers.google.com/web/updates/2018/05/webauthn

    and yes other platforms also support it.
    https://www.cnet.com/news/google-looks-to-leave-passwords-behind-for-a-billion-android-devices/
    edited March 2019
  • Reply 7 of 10
    gatorguy Posts: 24,213 member
    melgross said:
    Well, they seem to be talking about an external hardware device, like the old USB keys we used to get with expensive software, years ago. So this is a bit confusing. If we could use Touch ID or Face ID, then why have these things too? And, would they need to be used each time? If so, that’s a major pain. Would we have to carry them with us everywhere we go? What if we lose it, or forget it?

    https://www.yubico.com/2018/08/10-things-youve-been-wondering-about-fido2-webauthn-and-a-passwordless-world/ I normally have mine with me but there's been times when I haven't. There are allowances for that.
  • Reply 8 of 10
    bwh1248 Posts: 9 member
    Android already appears to have the ability to do this with your fingerprint or other built in biometric reader -- https://fidoalliance.org/android-now-fido2-certified-accelerating-global-migration-beyond-passwords/
  • Reply 9 of 10
    dewme Posts: 5,362 member
    macplusplus said:
    dewme said:
    Using your iPhone with its built in TouchID or FaceID as the key would be a natural fit. 
    This is different: the corporation or institution gives you a hardware key to login to their web site or mobile application. This hardware key may also be your digital signature that represents you before the law. Touch ID and Face ID may only act as the access password to those hardware keys as an additional layer of security.

    Most of those gadgets have outdated libraries and require Java. WebAuthn may be a solution to that.

    It is possible to use your iPhone to trigger your digital certificate provided that your carrier maintains that certificate for you and runs a SIM application on your iPhone you’ll use to sign. The carrier must also provide a “mobile signing” infrastructure to involved institutions. Again in this case Face ID and Touch ID act only indirectly as access passwords to that “phone with SIM with mobile signature”.
    Thanks for the additional clarification. You are correct in noting that Touch ID and Face ID are by themselves only addressing authentication and not authorization. As you suggested it would be useful if Apple provided a way to store hardware keys in the Secure Enclave and be able to use your Touch ID or Face ID authentication to retrieve the hardware key, much like password vaults work on iOS. The last thing I want is to carry around another dongle. 
  • Reply 10 of 10
    melgross Posts: 33,510 member
    gatorguy said:
    melgross said:
    Well, they seem to be talking about an external hardware device, like the old USB keys we used to get with expensive software, years ago. So this is a bit confusing. If we could use Touch ID or Face ID, then why have these things too? And, would they need to be used each time? If so, that’s a major pain. Would we have to carry them with us everywhere we go? What if we lose it, or forget it?

    https://www.yubico.com/2018/08/10-things-youve-been-wondering-about-fido2-webauthn-and-a-passwordless-world/ I normally have mine with me but there's been times when I haven't. There are allowances for that.
    These allowances are only partly useful. If you’re going on a trip, and you lose your primary key, unless you take your backup along, you seem to be out of luck, unless you also have passwords for all of your needs too.