Apple asks developers to start testing biometric web logins
Apple updated its mobile operating systems with support for biometric authentication to websites through Face ID and Touch ID in September, and has now laid out the technical steps for developers to make use of WebAuthn API calls and Apple Anonymous Attestation in a blog post.
The feature is expected to reach macOS with the release of version 11, codenamed ‘Big Sur,’ within the next few weeks.
WebKit Security Engineer Jiewen Tan explains how to implement the biometric authentication feature and some different possible use cases in the post. Recommended workflows are provided, with WebAuthn processes mapped against the Safari user interface and WebKit. Tan also gives advice for limiting prompts by setting user gestures to invoke the platform authenticator, and handling the differences between the platform authenticator and security keys.
The optional Apple Anonymous Attestation feature to provide banks and other businesses in regulated industries with “a cryptographic proof of the authenticator’s provenance” so they can comply with regulations while using Touch ID or Face ID biometrics. Tan calls the service “first of its kind,” as a privacy-preserving attestation process that avoids the security problem in basic attestation of all devices with the same attestation certificate having them revoked if one device is compromised.
Apple joined the FIDO Alliance in early-2020 to support the organization’s work towards replacing passwords with biometrics and physical tokens.
FIDO Alliance Executive Director Andrew Shikiar told Biometric Update when Apple announced its support for passwordless web logins on Safari in June that passwordless authentication will be available on the majority of consumer internet services, mostly through FIDO standards, within five years.
Tan urges developers to test the feature “today” to begin providing feedback and big fixes.