
WebAuthn becomes official hardware login standard for browsers like Apple's Safari


The World Wide Web Consortium and the FIDO Alliance have certified WebAuthn as an official Web standard, allowing users of compatible browsers — Safari among them — to turn to hardware logins instead of passwords.

The technology is already supported in developer preview versions of Safari, as well as in other major browsers including Chrome, Firefox, and Edge. Two operating systems, Android and Windows 10, have it built in at the platform level.

Sites that use WebAuthn support logins via biometrics, mobile devices, and USB security keys. This not only removes the need for passwords but keeps the secret half of the credential on the user's device: the site only ever stores a public key, so there is nothing reusable to steal in a server breach or intercept in transit. FIDO keys are also unique to each website, meaning they can't be used to track a person across sites.

Apple first added WebAuthn support to Safari in a December Technology Preview release. At the time, the browser's implementation was limited strictly to USB authenticators, even though WebAuthn is also meant to support Bluetooth and NFC transports.

One USB key maker, Yubico, has been working on a Lightning product for iPhones and iPads. It already has MFi certification from Apple, but the project is still in private testing among third-party developers.



10 Comments

dewme 11 Years · 5793 comments

Using your iPhone with its built in TouchID or FaceID as the key would be a natural fit. 

1 Like · 0 Dislikes
seanismorris 9 Years · 1624 comments

dewme said:
Using your iPhone with its built in TouchID or FaceID as the key would be a natural fit. 

Yep. We’re getting to the point that passwords will no longer be used.

When Apple released TouchID they were ahead of the game. Currently it’s just used to authenticate Apple logins, but using biometrics to log in directly to websites is exciting. Apple’s Keychain (password managers) was better than the alternative, but this is better still.

Hopefully, this leads to more users using 2FA (or multifactor authentication). So, you could use your biometric scan to log into your banking site, then your pin (saved in Keychain) for extra protection. In that method you’d use biometrics twice. But, you could use any variation.

Here’s one interesting scenario: 
You have a new iPhone XS. The phone is set up to use FaceID for yourself and your child (spouse, girlfriend, dog, etc) so both individuals can use the phone.

Previously, I believe both people would have access to all your credentials saved in Keychain (because it’s accessed with FaceID). That’s a big problem...

With WebAuthn that’s not the case. Worst case, they’d have access to your pins saved in Keychain, and wouldn’t have access to (for example) your banking site which requires your biometrics scan at the time of login.

tundraboy 19 Years · 1914 comments

Will this make your internet activity Google and Facebook snoop proof?

melgross 21 Years · 33631 comments

Well, they seem to be talking about an external hardware device, like the old USB keys we used to get with expensive software, years ago. So this is a bit confusing. If we could use Touch ID or Face ID, then why have these things too? And, would they need to be used each time? If so, that’s a major pain. Would we have to carry them with us everywhere we go? What if we lose it, or forget it?

macplusplus 10 Years · 2116 comments

dewme said:
Using your iPhone with its built in TouchID or FaceID as the key would be a natural fit. 

This is different: the corporation or institution gives you a hardware key to login to their web site or mobile application. This hardware key may also be your digital signature that represents you before the law. Touch ID and Face ID may only act as the access password to those hardware keys as an additional layer of security.

Most of those gadgets have outdated libraries and require Java. WebAuthn may be a solution to that.

It is possible to use your iPhone to trigger your digital certificate provided that your carrier maintains that certificate for you and runs a SIM application on your iPhone you’ll use to sign. The carrier must also provide a “mobile signing” infrastructure to involved institutions. Again in this case Face ID and Touch ID act only indirectly as access passwords to that “phone with SIM with mobile signature”.