Safari with new Security Advantages
Since Touch ID’s debut, iPhone and iPad users have been able to log in to their favorite apps using their biometrics instead of a password. Now, it seems that Apple is taking steps towards password-less authentication to websites. At its Worldwide Developers Conference, the company announced that Safari 14 will allow Face ID and Touch ID logins to websites that support Fast Identity Online (FIDO) on iOS, iPadOS, and macOS.
The new functionality is scheduled to launch by the end of the year with the debut of iOS 14 and macOS Big Sur. The FIDO-based authentication feature was revealed in the Safari 14 beta release notes. The company said it had “added a Web Authentication platform authenticator using either Face ID or Touch ID, depending on which capability is present.” Basically, with this feature, Apple combines your Face ID or Touch ID with credentials that are stored in the Secure Enclave of the device. Jiewen Tan, an Apple WebKit engineer, explained that this new feature contributes to multifactor authentication in just a single step.
Biometric authentication on websites in Safari should function similarly to the way Sign in with Apple works. When you first visit a website that supports FIDO authentication, you will need to log in by entering your username and password. On subsequent visits, however, a pop-up will appear on your screen, asking if you wish to use your fingerprint or face to log in. The new Safari feature is built on the FIDO2 standard, which Apple joined earlier this year.
The new passwordless FIDO logins would enable users to log in to a website using biometric verification, without entering a username and password in the corresponding fields on the web page. This is a major security advantage over the stored iCloud Keychain passwords in the current iOS update, which auto-fill the username and password saved in iCloud.
This new authentication method is believed to protect accounts better, because it would not be connected to the username or password. What is more, FIDO’s biometric logins don’t require you to sign in again every so often with your username and password, as is the case on websites with high-security content.
Most importantly, FIDO authentication is phishing-resistant. At least, this is what Apple told developers during a session at WWDC 2020.
The company claims that Safari permits the use of public key credentials created by this API only on the website where they were created, and that the credentials can never be transferred out of the authenticator they were created in. That means there’s no way for a user to accidentally disclose their login details to a third party once a public key credential has been provisioned. Sounds promising? Tell us what you think about the new web authentication feature of Safari in the comments below.
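The website scoping described above is also visible from the server's side. As an added example (not code from Apple or from the original article), the Python below runs the origin, RP ID and user-verification checks a relying party applies to a Web Authentication assertion before verifying its signature, which is omitted here. The site login.example.com, the RP ID example.com, the challenge and the helper names are assumptions made for the example.

```python
import base64, hashlib, hmac, json

UP, UV = 0x01, 0x04  # authenticatorData flag bits: user present, user verified
ORIGIN, RP_ID = "https://login.example.com", "example.com"  # hypothetical site
CHALLENGE = bytes(range(32))  # constructed; a real server uses a fresh random value


def b64url(data):
    """Unpadded base64url, the encoding clientDataJSON uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def binding_errors(client_data_json, authenticator_data, origin, rp_id, challenge):
    """Return the names of the failed binding checks; an empty list means all passed."""
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return ["clientDataJSON"]
    if not isinstance(client, dict) or len(authenticator_data) < 37:
        return ["malformed"]
    errors = []
    if client.get("type") != "webauthn.get":
        errors.append("type")
    sent = str(client.get("challenge", "")).encode()
    if not hmac.compare_digest(sent, b64url(challenge).encode()):
        errors.append("challenge")
    if client.get("origin") != origin:  # origin is filled in by the browser, not the page
        errors.append("origin")
    # authenticatorData layout: rpIdHash (32 bytes) | flags (1) | signCount (4) | ...
    if not hmac.compare_digest(authenticator_data[:32], hashlib.sha256(rp_id.encode()).digest()):
        errors.append("rpIdHash")
    flags = authenticator_data[32]
    if not flags & UP:
        errors.append("userPresent")
    if not flags & UV:  # set when Face ID or Touch ID verified the user
        errors.append("userVerified")
    return errors


def sample(origin, rp_id, flags=UP | UV):
    """Constructed assertion fields as produced for a page at `origin` using `rp_id`."""
    client = json.dumps({"type": "webauthn.get", "challenge": b64url(CHALLENGE), "origin": origin})
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")
    return client.encode(), auth


if __name__ == "__main__":
    print(binding_errors(*sample(ORIGIN, RP_ID), ORIGIN, RP_ID, CHALLENGE))
    print(binding_errors(*sample("https://login.example.net", "example.net"), ORIGIN, RP_ID, CHALLENGE))
```

An assertion produced for any other origin fails both the origin and rpIdHash checks, so it is rejected before its signature is even examined.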