For the past few years, Apple has been slowly working on eradicating the use of passwords as single points of entry across all of its platforms, moving to two-factor authentication for Apple IDs, Touch ID and Face ID for device access, and even leveraging the Apple Watch as a means to bypass the need to enter passwords on macOS.
After all, passwords have generally proven themselves to be a very bad idea. Since they rely on people to remember them, many users choose fairly obvious phrases, leaving themselves open to hackers, or they reuse their password across multiple sites, resulting in a data breach on one site giving hackers the keys to all of their other accounts.
Unfortunately, as much as new technologies have emerged to either supplement or replace passwords, it’s a slow process, since unlike an Apple Watch, iPhone, or USB security key, a password is something that anybody can store in their head and use no matter where they happen to be.
Last year, Apple added support for physical security keys in iOS 13.3, allowing you to use a Lightning, USB, or even NFC key to authenticate to websites securely, and earlier this month even Google embraced the feature, taking advantage of the native support in Safari and iOS 13.3 to let users log into their Gmail or Google accounts by tapping an NFC key on the back of their iPhone as a second factor.
Earlier this year, Apple also officially joined the FIDO alliance, a consortium of companies behind secure authentication systems like physical USB and NFC security keys, and likely in connection with that, Apple will be enabling fully password-less login to websites in the version of Safari that will be shipping with iOS 14 and macOS Big Sur.
Instead, users will be able to authenticate supported websites using either Face ID or Touch ID, without needing to enter a password at all.
While in some ways this may seem similar to the Sign in With Apple feature that the company debuted in iOS 13 last year, it’s actually something completely different, since Apple is leveraging an open standard for this that doesn’t have anything at all to do with your Apple ID.
This new capability is built using the WebAuthn component of the FIDO2 standard — the same component that’s already being used by Apple and Google to support physical USB and NFC security keys — and promises to make logging into a website using Face ID or Touch ID as easy as opening an app.
What This Means for You
Apple outlined the new feature in a WWDC session video for developers, showing how it will work and how it can be implemented, but of course, it’s not going to just start magically working with every website out there — web developers are going to have to implement WebAuthn on their websites in order to support it, but the fact that Apple’s mainstream Safari browser is embracing it should hopefully help to drive adoption more quickly.
While you can already use Touch ID or Face ID with your iOS keychain to autofill passwords into websites, this new method will be considerably more secure, since it eliminates the password entirely. There’s no password for a hacker to try and guess at or “phish” for, and the WebAuthn standard uses strong public-key cryptography to prevent your biometric credentials from being intercepted and reused (known as a “replay attack”).
To be clear, however, this won’t actually involve sending your face or fingerprints from your iPhone or iPad to a remote website. Instead, the system generates a cryptographic key, which is for all intents and purposes like an extremely long and random one-time password. This will presumably be stored in the Secure Enclave, where Face ID or Touch ID will be required to unlock it before it can be generated and transmitted to the remote website.
In the same way that hardware keys function, the credentials created by this process can only be transmitted to and recognized by the website for which they were created, and since they’re generated and stored entirely in the Secure Enclave, they can’t be exported, meaning that it’s completely impossible for them to be divulged to third-parties. It’s the same technology that’s used for Apple Pay and which will also be used to leverage Apple’s new Car Key feature in iOS 14, and in fact even Google began using it earlier this year to allow iPhone owners to use their devices in place of a physical security key for securely logging in to Google accounts.