WebAuthn becomes official hardware login standard for browsers like Apple's Safari

The World Wide Web Consortium and the FIDO Alliance have certified WebAuthn as an official Web standard, allowing users of compatible browsers — Safari among them — to turn to hardware logins instead of passwords.

The technology is already supported in developer's preview versions of Safari, as well as other major browsers including Chrome, Firefox, and Edge. Two operating systems, Android and Windows 10, have the technology built-in.

Sites that use WebAuthn support logins via biometrics, mobile devices, and USB security keys. This not only bypasses the need for passwords but keeps login data local, and thus protected from server hacks or interception. FIDO keys are also unique to each website, meaning they can't be used to follow a person.

Apple first added WebAuthn support to Safari in a December Technology Preview release. At the time the browser's implementation was limited strictly to USB, even though WebAuthn should also support Bluetooth and NFC.

One USB key maker, Yubico, has been working on a Lightning product for iPhones and iPads. It already has MFi certification from Apple, but the project is still in private testing among third-party developers.

10 Comments

dewme 5739 comments · 10 Years

About 5 years ago

Using your iPhone with its built in TouchID or FaceID as the key would be a natural fit.

seanismorris 1624 comments · 8 Years

About 5 years ago

dewme said:

Using your iPhone with its built in TouchID or FaceID as the key would be a natural fit.

Yep. We’re getting to the point that passwords will no longer be used.

When Apple realeased TouchID they were ahead of the game. Currently it’s just used to authenticate Apple logins, but using biometrics to log in directly to websites is exciting. Apple’s Keychain (password managers) was better than the alternative, but this is better still.

Hopefully, this leads to more users using 2FA (or multfactor authentication). So, you could use your biometric scan to log into your banking site, then your pin (saved in Keychain) for extra protection. In that method you’d use biometrics twice. But, you could use any variation.

Here’s one interesting scenario:
You have a new IPhone XS. The phone is set up to use FaceID for yourself and your child (spouse, girlfriend, dog, etc) so both individuals can use the phone.

Previously, I believe both people would have access to all your credentials saved in Keychain (because it’s accessed with FaceID). That’s a big problem...

With WebAuthn that’s not the case. Worst case, they’d have access to your pins saved in Keychain, and wouldn’t have access to (for example) your banking site which requires your biometrics scan at the time of login.

melgross 33607 comments · 20 Years

About 5 years ago

Well, they seem to be talking about an external hardware device, like the old USB keys we used to get with expensive software, years ago. So this is a bit confusing. If we could use Touch ID or Face ID, then why have these things too? And, would they need to be used each time? If so, that’s a major pain. Would we have to carry them with us everywhere we go? What if we lose it, or forget it?

macplusplus 2116 comments · 9 Years

About 5 years ago

dewme said:

Using your iPhone with its built in TouchID or FaceID as the key would be a natural fit.

This is different: the corporation or institution gives you a hardware key to login to their web site or mobile application. This hardware key may also be your digital signature that represents you before the law. Touch ID and Face ID may only act as the access password to those hardware keys as an additional layer of security.

Most of those gadgets have outdated libraries and require Java. Web Authn may be a solution to that.

It is possible to use your iPhone to trigger your digital certificate provided that your carrier maintains that certificate for you and runs a SIM application on your iPhone you’ll use to sign. The carrier must also provide a “mobile signing” infrastructure to involved institutions. Again in this case Face ID and Touch ID act only indirectly as access passwords to that “phone with SIM with mobile signature”.