Apple is bridging the gap between its proprietary biometric authentication features and websites, aiming for a seamless sign-in experience that does not rely on passwords.
Those using an iPhone, an iPad, or a MacBook with the Touch Bar onboard should be familiar with the Face ID and Touch ID features. They enable biometric authentication to log into applications instead of the traditional username and password combo. Apple is planning to extend the use cases of these mechanisms far beyond apps and services. During the 2020 virtual Worldwide Developers Conference (WWDC) that ended on June 26, the company announced a groundbreaking tweak that will bring Face ID and Touch ID to the website ecosystem. This change is expected to take effect with the release of Safari 14 and macOS 11 Big Sur next fall. The all-new sign-in system will work on sites supporting the Fast Identity Online (FIDO) specification. For the record, Apple joined the FIDO Alliance in February 2020 – arguably as part of the upcoming authentication strategy that is now taking shape.
The feature in question is built on top of the Web Authentication (WebAuthn) API. It will be deployed via a technology called a platform authenticator, which relies on the Secure Enclave to store and use private keys in such a way that they can under no circumstances be extracted from the device. As a result, although the login is a one-step routine for the user, it is essentially an instance of multi-factor authentication: the device’s signed response to a website proves something the user has (the device holding the key) and something the user is (their biometrics, verified locally with Face ID or Touch ID).
For more privacy-minded users, Apple will provide an extra option called an attestation service. For example, it could kick in during attempts to sign in to online banking pages. This concept isn’t new, and its earlier implementations could be abused to encroach on users’ privacy and track them across the web. To address these known issues, Apple engineers have designed a proprietary attestation service that laces each credential with a unique certificate. Therefore, a website cannot use the attestation to further track users around the Internet.
The workflow of logging into sites via biometrics on the upcoming version of Safari will resemble the logic of the increasingly common “Sign in with Apple” service that was originally announced at last year’s WWDC event and launched shortly afterward. When you go to a website compatible with FIDO authentication and log in for the first time, you will be required to type your credentials. The next time you visit the page, you will see a popup dialog offering to let you use biometrics (fingerprint or face) to access your account. Yet another advantage is that while some online resources containing highly sensitive information may ask users to re-enter their username and password after a certain amount of time spent on the page, this isn’t going to be the case in an authentication scenario with FIDO biometrics at its core.