Passkeys, Safety Check, and Private Access Tokens demonstrated during week-long virtual conference
The 2022 edition of Apple’s Worldwide Developers Conference (WWDC) kicked off this week, with numerous security and privacy developments placed front and center among the firm’s mobile and desktop platforms.
As has become tradition, this year’s WWDC offered a glimpse into Apple’s product and feature pipeline for the coming months.
On Monday (June 6), attendees were given a first look at the redesigned MacBook Air and the updated 13-inch MacBook Pro powered by the M2 chip, along with new features coming to iOS 16, iPadOS 16, macOS Ventura, and watchOS 9.
What’s new in Safari?
Apple’s Safari browser – which is now thought to have overtaken Chrome as the most popular mobile browser in North America – will soon include several security and privacy enhancements designed to help protect users and open up new opportunities for developers.
“With both of the new Cross Origin Opener Policy and Cross Origin Embedder Policy HTTP response headers, your site can opt in to process isolation, which means your site will run in its own dedicated webContent process,” said Kendall Bagley, software engineer on the Safari team.
“Our second security enhancement also involves HTTP headers, with our improved support for Content Security Policy Level 3. CSP provides enhanced security control over your loading content and mitigates risk of cross-site scripting [XSS] and other vulnerabilities.”
Check out the Safari 16 beta release notes for more information.
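As an added illustration (not code from Apple or from the session), the sketch below audits a response's headers for the two opt-ins Bagley describes. It assumes the header values `same-origin` and `require-corp`, which the quote does not name, and a single CSP policy per response; the function names and sample responses are constructed for this example.

```javascript
// Header names are case-insensitive, so normalise them first.
function normalise(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v);
  return out;
}

// COOP/COEP values are a token with optional parameters,
// e.g. `same-origin; report-to="coop"`. Keep only the token.
function token(value) {
  return (value || '').split(';')[0].trim().toLowerCase();
}

// Split one CSP policy into { directive: [sources] }. Per CSP, the first
// occurrence of a directive wins. Sources are lowercased for keyword
// matching only; nonce values are never compared here.
function parseCsp(value) {
  const policy = Object.create(null);
  for (const part of (value || '').split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = (name || '').toLowerCase();
    if (key && !(key in policy)) policy[key] = sources.map(s => s.toLowerCase());
  }
  return policy;
}

function auditHeaders(headers) {
  const h = normalise(headers);
  const findings = [];
  const coop = token(h['cross-origin-opener-policy']);
  const coep = token(h['cross-origin-embedder-policy']);
  if (coop !== 'same-origin') findings.push('COOP is not same-origin');
  if (coep !== 'require-corp') findings.push('COEP is not require-corp');
  // script-src falls back to default-src when absent.
  const csp = parseCsp(h['content-security-policy']);
  const script = csp['script-src'] || csp['default-src'];
  const hasNonceOrHash = (script || []).some(s => /^'(nonce|sha(256|384|512))-/.test(s));
  if (!script) findings.push('CSP does not restrict script sources');
  else if (script.includes("'unsafe-inline'") && !hasNonceOrHash)
    findings.push("script-src allows 'unsafe-inline' with no nonce or hash");
  return { isolationOptIn: coop === 'same-origin' && coep === 'require-corp', findings };
}

// Constructed sample responses: a weak configuration beside a hardened one.
const weak = { 'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'" };
const hardened = {
  'Cross-Origin-Opener-Policy': 'same-origin; report-to="coop"',
  'Cross-Origin-Embedder-Policy': 'require-corp',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'nonce-r4nd0m'",
};
console.log(auditHeaders(weak), auditHeaders(hardened));
```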
Introducing Passkeys
Garrett Davidson of Apple’s authentication experience team took to the virtual stage at WWDC22 to showcase Passkeys, the company’s “next-generation authentication technology”.
“Passwords are really hard to use securely,” Davidson explained. “All of us know we’re supposed to create strong, unique passwords for every account, but not many people actually do.”
He added: “As you’re designing your apps and websites, there’s this constant trade-off between keeping accounts secure and designing a good experience. And even if your apps and websites do everything right, issues like phishing and password reuse can still lead to account compromise.”
To tackle this, Passkeys – which will come bundled with the upcoming macOS Ventura and iOS 16 – creates a unique, cryptographically strong key pair for user accounts and stores it in iCloud Keychain so it syncs and works across all devices.
Once the pairing has been created, any future visit to the app or website sign-in form will show the ‘Passkey’ option in the QuickType bar. The user simply needs to tap the option, or use Touch ID, and they are signed in.
Davidson said: “With Passkeys, not only is the user experience better than a password, but also entire categories of security problems, like weak and reused credentials, credential leaks, and phishing, are just not possible anymore. And they are so easy to use.”
Visit Apple’s technical documentation page for implementation information.
Safety Check
Also arriving on Apple devices this year is a privacy tool called Safety Check, which aims to help users whose personal safety might be at risk from domestic or intimate partner violence.
Designed to allow users to quickly remove all device access that they may have granted to others, Safety Check includes an emergency reset that helps users easily sign out of iCloud on all their other devices, reset privacy permissions, and limit messaging to just the device in their hand.
The service also helps users understand and manage which people and apps they’ve given access to.
Replacing CAPTCHAs
That’s not all from WWDC22, as two additional privacy and security tools are due to be showcased later this week.
On Wednesday (June 8), the Apple team will demonstrate Private Access Tokens. This new technology is being marketed as a “powerful alternative” to CAPTCHA challenges that helps identify HTTP requests from legitimate devices without compromising users’ identity.
“We’ll show you how your app and server can take advantage of this tool to add confidence to your online transactions and preserve privacy,” Apple said.
Lastly, June 10 will see Apple showcase the latest ways to ensure that DNS – the foundation of internet addressing – is secure within an application.
“Learn how to authenticate DNS responses in your app with DNSSEC and enable DNS encryption automatically with Discovery of Designated Resolvers (DDR),” Apple said in its presentation teaser this week.
WWDC22 continues through June 10. Check out the complete list of sessions for further information.