Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Apple testing USB security key support for Safari

Apple's Safari web browser.

Apple's latest Safari Technology Preview includes support for the WebAuthentication API, which allows users to validate website login credentials via hardware security keys that typically come in the form of a USB stick.

According to release notes covering Apple's Safari Technology Preview version 71, which was released on Wednesday alongside iOS and macOS software updates, the new WebAuthn capability supports USB-based CTAP2 devices.

Developed by the World Wide Web Consortium (W3C) and the FIDO Alliance, WebAuthn is an effort to standardize and enhance the user authentication process across various systems and online gateways. The specification Apple is testing — Client-to-Authenticator Protocol 2 — is a product of the wider FIDO2 standard that enables hardware-backed authentication across the web.

USB-based CTAP2 devices, also known as authenticators or USB security keys, grant a higher level of protection than simple text-based passwords. Instead of relying solely on text-based passwords, which can be stolen or forgotten, the system introduces a physical hardware component into the mix.

Some solutions that rely on the technology require another form of authentication alongside the authenticator. Depending on the system, authentication might involve biometrics, location information, time stamps or password re-entry, among other safeguards. The end result is a strong, multi-factor security protocol that can be deployed across multiple compliant platforms with relative ease.

As noted by CNET, which reported on the Safari Technology Preview earlier today, FIDO2 also supports Bluetooth and near-field communications for hardware authentication, though the current Safari test build is restricted to direct USB connections. The limitation means users will need to insert a security key into their Mac when accessing sites that support CTAP and CTAP2, like Dropbox and Twitter.

WebAuthn in Safari is considered an "experimental feature," though it could show up in a future version of Apple's web browser.