With Safari on iOS 14, macOS Big Sur and iPadOS 14, you’ll be able to log in to websites using Apple’s Face ID and Touch ID biometric authentication. That’s a powerful endorsement for FIDO — Fast Identity Online — that’s paving the way to a future without passwords.
Apple disclosed the biometric authentication support in Safari on Wednesday at WWDC, its annual developers conference. “It’s both much faster and more secure,” Apple Safari programmer Jiewen Tan said during one of the WWDC video sessions Apple offered after the coronavirus pandemic pushed the conference online.
The change is a big boost for browser technology called Web Authentication, aka WebAuthn, developed by the FIDO consortium allies. Apple’s not the first supporter — it’s already in Mozilla Firefox, Google Chrome and Microsoft Edge, and works with Windows Hello facial recognition and Android fingerprint authentication.
But with Apple’s clout in the smartphone market and its focus on making technology easy for everyday folks to use, the company’s support sends a strong signal to both website developers and ordinary folks, telling them in effect, “Come on in, the water’s fine.” That could be a big step toward dumping passwords altogether.
And it’s time to fix passwords. Because we reuse them so much, hackers often can use one single password obtained through a data breach to mount assaults on many other websites, too. Passwords are hard to make up, hard to remember and hard to type, especially on phone screens. Password managers are complex and often suffer compatibility hiccups.
Fixing passwords, then replacing passwords
FIDO technology shores up the numerous weaknesses of password technology and enables authentication with no passwords at all. It standardizes how apps and websites can take advantage of hardware security keys and biometric authentication.
That means bolstering passwords with two-factor authentication systems that are more secure than SMS codes that can be filched. And it enables two-factor authentication with no passwords at all. Your first authentication is possessing a registered device — a phone or PC or security key. Your second is the biometric check — face or fingerprint.
The clever thing about the approach is that it reduces two-factor authentication to a single step. That’s a lot faster than retrieving a sign-in code from a text message, email or authenticator app.
To move to FIDO login, you’ll have to jump through a hoop once to register your device, like a Mac or iPhone.
One big FIDO benefit is that it blocks phishing, since login credentials are locked to the real version of a website. Another benefit is that, for an online service that dumps passwords, there are no passwords for hackers to steal.
Indeed, when Google switched its employees to hardware security keys and FIDO technology to bolster authentication, successful phishing attacks dropped to zero, the company said.
Apple’s Tan doesn’t recommend websites dump passwords, at least not yet. Old-school username-password login is a fallback for people who lose their phone or forget their laptop.
But one of the main FIDO ideas is eventually dumping passwords. Getting website developers to use it is a crucial step on that path.