If you use an iPhone or an iPad, you’ve been able to launch your favorite banking app and authenticate using your biometrics in lieu of a password since Touch ID’s debut, and now Apple is looking to expand password-less logins to websites. At the Worldwide Developers Conference, Apple informed developers that Safari 14 will bring Face ID and Touch ID to websites that support Fast Identity Online (FIDO) logins on iOS, iPad OS, and macOS.
The feature, based on Web Authentication and implemented by Apple as Platform Authenticator, is expected to arrive by the end of the year and will debut with iOS 14 and macOS Big Sur, the Mac-maker stated.
Apple revealed the new FIDO-based login in the release notes for Safari 14 beta. The company stated that it had “added a Web Authentication platform authenticator using Face ID or Touch ID, depending on which capability is present.” Essentially, Apple combines your Face ID or Touch ID with credentials that are stored on the device’s secure enclave.
This leads to multifactor authentication in just a single step, Apple WebKit engineer Jiewen Tan said.
Biometric login on Safari websites will work in a similar way to how Sign in with Apple works. When you visit a compatible site that supports FIDO authentication, you’ll need to initially log in by entering your username and password for the initial visit. On subsequent visits, you’ll be greeted with a pop-up asking if you want to use your fingerprint or face to log in. The feature is built using the FIDO 2 standard, as Apple had joined the alliance earlier this year.
Unlike saved iCloud keychain passwords under the current version of iOS, for example, that auto-fills your username and password saved on iCloud, password-less FIDO logins will allow users to directly log onto the website using biometric authentication without the username and password being entered into the respective fields on the web page. The new system will make accounts more secure, as it won’t be tied to your username or password. And while websites that present high-security content may ask you to re-sign in with your physical username and password every so often, FIDO’s biometric logins don’t come with the same restrictions.
“But more importantly, it is Phishing-resistant,” Apple told developers during a WWDC 2020 engineering session, according to a MacRumors report. “Safari will only allow public credentials created by this API to be used within the web site they were created, and the credential can never be exported out from the authenticator they were created in as well. This means that once a public credential has been provisioned, there is no way for a user to accidentally divulge it to another party. Cool right?! This is the overview of the Web Authentication standard.”