It will soon be possible for enterprise workers, partners and customers to casually access web-based sites and services using biometric ID, with Apple set to enable Face ID and Touch ID authentication in Safari, the company said at WWDC 2020.
Time to toughen up
This move is important because the scourge of online crime is not abating, and traditional passcode-based protection has proved itself insufficient. As we move into a world of quantum computing, breaking password-protection will only get easier, which is why biometric protection adds another layer of access control. We need to toughen up every level of security.
(Location-based protection is also coming into view, as are always-on automated security systems that constantly monitor for anomalous use and sketchy requests.)
Apple, Google, Microsoft and others have seen this coming, which is why they’ve worked together on the FIDO Alliance, a group that develops secure authentication systems such as USB and NFC security keys. The Alliance’s main goal is to reduce a reliance on passwords. At this point, more than two billion devices (from Apple and others) support FIDO technology.
(Apple actively joined the alliance earlier this year, but has been testing its technologies since 2018.)
What WebAuthn does
Apple at WWDC 2020 confirmed that iOS 14 and macOS 11 will introduce support for a FIDO standard called Web Authentication (WebAuthn) in Safari. The standard is a web-based API that allows websites to update their login pages to add FIDO-based authentication on supported browsers and platforms.
Apple has been working to implement it for some time, and the biometric systems on its devices are now seen as supported platforms. This support basically turns these devices into security keys.
[Also read: WWDC: 12+ announcements for the Apple enterprise]
Apple’s implementation makes use of the Face/Touch ID sensors and the Secure Enclave, which is the processor that manages all your private keys and ensures they cannot leave your device.
What this means
Imagine you are using your enterprise’s internal document-sharing portal. SInce it’s protected by two-factor authentication, this is how you would usually sign in:
- Visit site and enter your name and passcode.
- Receive your 2FA code
- Enter this at prompt.
- Access the portal.
That’s not too onerous, but it does slow the process.
Now, with Apple’s move to support biometric authentication in Safari, the process would be as above the first time you logged into your service, or subsequently if you’ve not accessed it for a while. But otherwise it would routinely work as follows:
- Visit site and use Touch ID or Face ID.
- Enter the site.
The reason this works is because you and your device have already verified yourselves in a previous session. The device is recognized, your biometrics act as a key, and in you go. Think of it as a combination of something you have (your device) and something you are (your biometric identity).
What about sites and services that need more security?
What about enterprises with higher security needs, such as financial institutions, military deployments, or health services? In many cases, these systems use multi-factor authentication and will likely want to add another layer of security, even with biometric protection.
To answer that need, Apple is developing an additional optional security feature called attestation – an extra layer of trust based on an additional device check.
The problem with such checks is that they can sometimes violate privacy, so Apple is building something called Apple Anonymous Attestation, which should be included in its systems by the time they launch. This will enable the device to be verified, introducing a second layer of trust while maintaining user privacy.
For the user, access will still consist of a familiar touch or stare, a great example of how enterprise class services can be provided with consumer-focused ease-of-use. Safari also makes it much easier to handle domain-based 2FA codes and will autofill those codes when you receive them.
Safari is more private than ever
WebAuthn support will enable enterprises to offer a range of internal- and external-facing services online, but this isn’t the only security feature we can look forward to in Safari when it ships.
Apple has also added support for PIN entry and account selection. Another useful feature extends Safari’s password management: This always showed you when you re-used passwords on different sites, and now tells you if your password has ever shown up in a data breach. Just tap the yellow button beside duplicate or undermined passwords in Safari’s password manager to find out.
Another welcome move will protect Safari users from the mindless and endless surveillance of online trackers. Apple’s Intelligent Tracking Prevention will identify trackers and prevent them from profiling or following you across the web. Ashley Boyd, Mozilla’s vice president of advocacy and engagement, welcomed this addition, saying: “By providing the option to turn off IDFA at the point of use, Apple is giving millions of consumers more privacy online. Apple is also making a loud statement: mass data collection and invasive advertising don’t have to be the status quo online. Apple is saying that consumer privacy should be a significant factor in the online advertising equation — a refreshing take.
The bottom line?
While Safari isn’t the only browser to support FIDO, Apple is the only browser maker who both designs and builds its own biometric devices. As a result, Safari now combines the advantages of industry standard FIDO biometric security with strong privacy protection, turning your iPhone into a viable trust device for highly secure enterprise needs.
Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.
