Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Apple testing USB security key support for Safari

Apple's latest Safari Technology Preview includes support for the WebAuthentication API, which allows users to validate website login credentials via hardware security keys that typically come in the form of a USB stick.

According to release notes covering Apple's Safari Technology Preview version 71, which was released on Wednesday alongside iOS and macOS software updates, the new WebAuthn capability supports USB-based CTAP2 devices.

Developed by the World Wide Web Consortium (W3C) and the FIDO Alliance, WebAuthn is an effort to standardize and enhance the user authentication process across various systems and online gateways. The specification Apple is testing — Client-to-Authenticator Protocol 2 — is a product of the wider FIDO2 standard that enables hardware-backed authentication across the web.

USB-based CTAP2 devices, also known as authenticators or USB security keys, grant a higher level of protection than simple text-based passwords. Instead of relying solely on text-based passwords, which can be stolen or forgotten, the system introduces a physical hardware component into the mix.

Some solutions that rely on the technology require another form of authentication alongside the authenticator. Depending on the system, authentication might involve biometrics, location information, time stamps or password re-entry, among other safeguards. The end result is a strong, multi-factor security protocol that can be deployed across multiple compliant platforms with relative ease.

As noted by CNET, which reported on the Safari Technology Preview earlier today, FIDO2 also supports Bluetooth and near-field communications for hardware authentication, though the current Safari test build is restricted to direct USB connections. The limitation means users will need to insert a security key into their Mac when accessing sites that support CTAP and CTAP2, like Dropbox and Twitter.

WebAuthn in Safari is considered an "experimental feature," though it could show up in a future version of Apple's web browser.



9 Comments

emoeller 17 Years · 588 comments

If Apple does adopt this it will most likely be hard coded to the Apple T series chips.

derekcurrie 16 Years · 64 comments

This is the very long awaited implementation of 'Something You Have' as a method of authentication. Ideally, this is combined with 'Something You Know', such as a password, and 'Something You Are', such as your fingerprint or face. These are the standard three factors of multi-factor authentication. A fourth factor, already available to smartphone users, is 'Somewhere You Are', as in GPS coordinates matching an approved authentication site or verification that the net user is located in their specified home or office.

https://en.wikipedia.org/wiki/Multi-factor_authentication

I've had a Yubikey for 10 years, waiting for Internet security to catch up. Meanwhile, Yubikey has added NFC authentication as well as FIDO U2F, FIDO 2, OpenPGP, OATH and FIPS 140-2 compliance. Apparently, it took Google getting into the USB key business this year to kickstart universal interest. *sigh* Better late than...

https://en.wikipedia.org/wiki/YubiKey
https://www.yubico.com

evilution 13 Years · 1395 comments

Three and four factor authentication! I look forward to never successfully setting up a new Apple device again.
I don’t know why I always have a problem but whenever I set up a new device for my girlfriend, I never get the 6 digit code pop up on any of her other devices.

racerhomie3 7 Years · 1264 comments

Apple Watch could help sign in with the help of Bluetooth,right? Like how Apple Watch can be used for signing in to Macs?

artharg 13 Years · 27 comments

emoeller said:
If Apple does adopt this it will most likely be hard coded to the Apple T series chips.

Why? The benefit of USB keys is exactly that you can take them from system to system. It makes no sense to lock them to a T-chip that is bound to a specific system.