Apple launches web authentication using FIDO standard with Touch ID or Face ID biometrics in Safari
Apple has launched support for Touch ID and Face ID biometrics for web logins with Safari through the Web Authentication (WebAuthn) API to allow web developers to build authentication in line with the FIDO2 specification.
The announcement was made at the company’s WWDC 2020, and Apple says it allows developers to provide strong authentication and protection from phishing in the Safari browser. The feature is available for Safari 14 running on iOS or macOS.
Google also announced an update to its Advanced Protection Program earlier this month to allow Apple device users to log in to Google accounts using FIDO and W3C’s WebAuthn technology.
FIDO Alliance Executive Director Andrew Shikiar told Biometric Update in an interview that the move means every major platform and modern computing device is now aligned with FIDO authentication. That alignment can not only improve user experiences and their consistency, but also secure people’s accounts and stop the cycle of credential theft, harvesting and stuffing that has created so much liability for businesses online.
Not only that, Shikiar points out that the announcement also positions Apple, as a company with a history of educating consumers about new technology, to spur adoption of FIDO standards.
Apple’s platform authenticator uses the Secure Enclave of the iPhone or iPad to generate and hold the private key, along with fingerprint or facial recognition for user verification. This means any FIDO biometrics-based login is multi-factor by default, as the device provides a possession factor on top of the inherence factor.
Apple has also built its own attestation service. Attestation is an optional service that assures relying parties with high security needs, such as banks, of the authenticity of credentials. However, attestation can also be misused to violate privacy, as the company explains in a video announcing the feature: if the same attestation certificate appears across many credentials, websites can use it to recognize the same device. Apple therefore generates a unique attestation certificate for each credential, so that websites cannot match certificates to track users across the web. Apple Anonymous Attestation is not available yet, but is coming soon, according to the announcement.
The video also explains to developers how to implement the feature, how to onboard users, and best practices, like allowing an alternate way for users to log in, in case they use a device other than their own or change their device.
Shikiar says that in the past, in conversations with vendors and service providers, the FIDO Alliance has been asked how many users could take advantage of the technology right away, and the answer has been that there were not enough. Between the WebAuthn web standard and the involvement of tech giants like Google, Samsung, and now Apple, deployments can now reach almost any mobile device or browser.
Apple joined the FIDO Alliance earlier this year to bring its ecosystem into line with the local device-based standards for passwordless logical access.
“Within the next five years, the vast majority of major consumer internet services will have passwordless options, and we believe most of those will choose FIDO as a standards-based way of providing that password-free experience,” Shikiar predicts.
Companies now have “both the opportunity and the imperative” to move to stronger, local user authentication, with an enormous addressable user base, according to Shikiar. Having developed its standards and achieved broad buy-in, the FIDO Alliance is now shifting its focus towards facilitating deployment.
“The thing that really makes all of this come together is the FIDO ecosystem of vendors,” Shikiar explains. “You have over 700 FIDO-certified products on the market that support these specifications, and that companies that are looking to employ can leverage as they go to market. So any vendors out there should certainly look at getting FIDO certified if they’re not already to tap into this market opportunity as more and more companies will be seeking to deploy FIDO authentication.”
Uniken is the latest vendor to add a product to that ecosystem, as its REL-ID has been granted FIDO2 Server Certification. Frost & Sullivan also recently recognized the company for the mobile-first REL-ID platform in the consultancy’s analysis of the MEASA identity and access management market. Uniken says the certification allows its customers to provide the unphishable safety and passwordless simplicity of FIDO2 authentication through a range of end-client authentication methods with a single solution.