Safari 14, the version of Apple’s browser that will ship with iOS 14 and macOS Big Sur, will let you use Face ID or Touch ID to log in to websites built to support the feature. The functionality was confirmed in the browser’s beta release notes, and Apple has detailed how the feature works in a WWDC video for developers. The functionality is built on the WebAuthn component of the FIDO2 standard, developed by the FIDO Alliance. It should make logging into a website as easy as logging into an app secured with Touch ID or Face ID.
WebAuthn is an API that aims to make web logins simpler and more secure. Unlike passwords, which are often easily guessed and vulnerable to phishing attacks, WebAuthn uses public key cryptography and can use security methods like biometrics or hardware security keys to verify your identity. It’s a standard that individual websites need to add support for, but being supported by the stock browser in iOS has the potential to be a major boost for adoption.
This isn’t the first time Apple has supported parts of the FIDO2 standard. Last year’s iOS 13.3 added support for physical FIDO2-compliant security keys with the Safari web browser, and Google started making use of this with its accounts on iOS earlier this month. These security keys offer more protection for your account since an attacker would need physical access to your key to gain access to your account. Support for security keys also came to Safari on macOS in 2019. However, Safari 14’s functionality should be a lot more seamless, relying on the biometric security that’s built into your Apple device rather than needing a separate piece of hardware in the form of a security key.
The new iOS functionality is similar to what’s previously been added to Android. Google’s mobile OS gained FIDO2 certification last year, and the company later made it possible to log into some of its services in the Chrome browser on Android without needing a password.
Apple’s devices have been able to use Touch ID and Face ID as part of the online login process in the past, but previously, this has relied on using the biometric security to autofill previously stored passwords into websites. Once set up, WebAuthn can be used to bypass the password process, meaning it’s not vulnerable to the same kinds of attacks that can make passwords insecure.
Apple, which joined the FIDO Alliance earlier this year, joins a growing list of companies that are throwing their weight behind the FIDO2 standard. As well as the Google initiatives detailed above, Microsoft announced plans to make Windows 10 password-less last year, and it started allowing users to sign into its accounts in its Edge browser using security keys and its biometric Windows Hello security feature back in 2018.
