Introduction of technology dubbed ‘a huge leap forward for authentication on the web’
UPDATED Apple has issued guidance to developers on incorporating Face ID and Touch ID into websites, with the biometric authentication feature due for rollout in its forthcoming macOS update.
The technology, which enables users to unlock online accounts using only a fingerprint or facial scan, was rolled out on iOS 14 and iPadOS 14 in September, with macOS 11 (or ‘Big Sur’) following suit at some point over the next few weeks.
Building on his preview of the feature at Apple’s annual developer conference in June, WebKit security engineer Jiewen Tan set out technical steps and use cases to help developers manage various user agent user interfaces, propagate user gestures from user-activated events to WebAuthn API calls, and interpret Apple Anonymous Attestation.
Sixteen years after Bill Gates over-optimistically forecast the gradual demise of alphanumeric passwords, Tan predicted that the development would help to expunge “the original sin of authentication on the web”.
BACKGROUND Apple Safari 14 introduces ‘passwordless’ logins for websites
Used as part of multi-factor authentication (MFA), biometric credentials can help foil credential stuffing attacks, which exploit the widespread reuse of passwords across multiple online accounts.
Tan said that Face ID and Touch ID would remove the friction that has prevented universal adoption of MFA by enabling single-step logons for “more than a billion capable Apple devices”.
The technology is built on the W3C Web Authentication (WebAuthn) API, which, together with the CTAP protocol, makes up the FIDO Alliance’s FIDO2 specification.
Managing user experiences
Tan recommended presenting the authenticator and security key to users separately, since doing so simultaneously might “confuse users and make it difficult for them to decide what to do”.
“The platform authenticator has different behaviors and use cases from security keys,” he added, with Face ID and Touch ID offering a comparatively “convenient, alternative mechanism to sign in”, while security key credentials are device- and platform-agnostic, unlike those of platform authenticators.
To protect users from tracking, the WebAuthn API does not let websites query whether a credential exists on a device, Tan added, so a site needs a separate source of truth before deciding whether to offer a Face ID or Touch ID sign-in.
That source is often the backend server, which “works well” for cross-platform security keys but not “for the platform authenticator as credentials can only be used on the device where they were created”.
Tan therefore recommended recording the existence of a platform credential in a cookie set by the server, but not one “set through the document.cookie API since Safari’s Intelligent Tracking Prevention caps the expiry of such cookies to seven days.”
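The two recommendations above, as an added example that is not code from Apple, WebKit or the article: registration options that target one authenticator kind at a time, so the platform authenticator and security keys get separate buttons, plus the server-side cookie that remembers this device holds a platform credential. The cookie name, the relying party ID and the user-verification policy are assumptions chosen for the example.

```javascript
// Added example, not code from Apple or WebKit: separate sign-in paths for the
// platform authenticator (Face ID / Touch ID) and for security keys, and a
// server-set cookie recording that this device has a platform credential.
// PLATFORM_CRED_COOKIE and RP_ID are hypothetical names chosen for the example.

const PLATFORM_CRED_COOKIE = "webauthn_platform_cred"; // hypothetical cookie name
const RP_ID = "example.com";                            // hypothetical relying party

// One set of PublicKeyCredentialCreationOptions per authenticator kind, so the
// two flows are offered on separate buttons rather than in one combined prompt.
function buildCreationOptions(kind, challenge, user) {
  if (kind !== "platform" && kind !== "cross-platform") {
    throw new Error(`unknown authenticator kind: ${kind}`);
  }
  return {
    rp: { id: RP_ID, name: "Example" },
    user: { id: user.id, name: user.name, displayName: user.displayName },
    challenge,                                           // server-generated random bytes
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
    authenticatorSelection: {
      authenticatorAttachment: kind,                     // "platform" -> Face ID / Touch ID
      // Policy chosen for this example: insist on user verification for the
      // platform authenticator, accept whatever a roaming key can do.
      userVerification: kind === "platform" ? "required" : "preferred",
    },
    timeout: 60000,
    attestation: "none", // request "direct" only when you must verify the authenticator itself
  };
}

// Server side, after a successful platform-authenticator registration: mark this
// device with a Set-Cookie header. A cookie written from script via
// document.cookie would have its lifetime capped at seven days by Safari's ITP.
function platformCredentialCookie(maxAgeDays = 365) {
  const maxAge = maxAgeDays * 24 * 60 * 60;
  return `${PLATFORM_CRED_COOKIE}=1; Max-Age=${maxAge}; Path=/; Secure; HttpOnly; SameSite=Strict`;
}

// Minimal parser for the Cookie request header (values are not URL-decoded).
function parseCookieHeader(header) {
  const cookies = {};
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) cookies[name] = part.slice(eq + 1).trim();
  }
  return cookies;
}

// Server side, when rendering the sign-in page: offer the Face ID / Touch ID
// button only on a device that registered a platform credential. Security keys
// are portable, so their button is always shown.
function chooseSignInUi(cookieHeader) {
  const cookies = parseCookieHeader(cookieHeader);
  return {
    platformButton: cookies[PLATFORM_CRED_COOKIE] === "1",
    securityKeyButton: true,
  };
}
```

The cookie is a UI hint only: it says nothing about who the user is, and the server still verifies the assertion it eventually receives. Marking it HttpOnly keeps page script from forging or clearing it; the rendering decision is made on the server from the Cookie header.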
Face ID and Touch ID for the web could help to precipitate universal MFA adoption
Propagating user gestures
Once an authentication request is fulfilled, a platform authenticator credential gives the website “a high fidelity, persistent unique identifier of the user”.
This makes it “inevitable that [the] WebAuthn credential will be leveraged to serve targeted ads to users”.
However, Apple will tackle the irritation that unsolicited prompts cause users - something evidenced by two Mozilla surveys - by having Safari require “user gestures for the WebAuthn API to eliminate annoying ‘on load’ prompts.”
Jiewen Tan also offered use cases for how websites could invoke Face ID and Touch ID for the web from user-activated events.
Initially, only one – calling the API directly from the event handler – was supported on iOS 14, iPadOS 14, and macOS Big Sur Beta Seed 1, but feedback prompted the WebKit development team to also propagate user gestures through XHR events, the Fetch API, and setTimeout.
Recognizing “that user gestures are not a well understood concept among web developers”, the team also plans to “contribute to the HTML specification and help establish a well established concept of a user gesture for consistency among browser vendors” with a view to potentially “reconsider expanding the user gesture requirement to security keys.”
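The user-gesture pattern from the two paragraphs above, as an added example that is not WebKit’s or Apple’s code: the whole call chain begins in a click handler, the challenge is fetched from the server, and only then is navigator.credentials.get() invoked, relying on Safari 14 carrying the gesture across the fetch. The /webauthn/assertion-options route and its JSON shape are assumptions made for the example.

```javascript
// Added example, not WebKit's code: reaching navigator.credentials.get() from a
// user-activated click, with the gesture propagated across a fetch() to the server.
// The /webauthn/assertion-options route and its JSON shape are assumptions.

function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

function bytesToBase64url(bytes) {
  let bin = "";
  for (const b of new Uint8Array(bytes)) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Server JSON (base64url strings) -> PublicKeyCredentialRequestOptions (byte arrays).
function toRequestOptions(serverOptions) {
  return {
    rpId: serverOptions.rpId,
    challenge: base64urlToBytes(serverOptions.challenge),
    allowCredentials: (serverOptions.allowCredentials || []).map((c) => ({
      type: "public-key",
      id: base64urlToBytes(c.id),
      transports: ["internal"], // WebAuthn's transport name for the platform authenticator
    })),
    userVerification: "required",
    timeout: 60000,
  };
}

// Assertion -> JSON the server can verify; ArrayBuffers become base64url strings.
function serializeAssertion(assertion) {
  const r = assertion.response;
  return {
    id: assertion.id,
    rawId: bytesToBase64url(assertion.rawId),
    response: {
      clientDataJSON: bytesToBase64url(r.clientDataJSON),
      authenticatorData: bytesToBase64url(r.authenticatorData),
      signature: bytesToBase64url(r.signature),
    },
  };
}

// The chain starts inside the click handler. Safari 14 keeps the user gesture
// alive across fetch(), so credentials.get() still counts as user-activated.
// Starting the same chain from window.onload would not satisfy the gesture
// requirement for the platform authenticator: that is the "on load" prompt
// WebKit set out to eliminate. Dependencies are injected so the flow can be
// exercised outside a browser.
async function signInFromClick({ fetchFn, credentials, username }) {
  const res = await fetchFn("/webauthn/assertion-options", {
    method: "POST",
    headers: { "content-type": "application/json" },
    body: JSON.stringify({ username }),
  });
  const serverOptions = await res.json();
  const assertion = await credentials.get({ publicKey: toRequestOptions(serverOptions) });
  return serializeAssertion(assertion);
}

function attachSignInButton(button, deps) {
  button.addEventListener("click", () => {
    signInFromClick(deps).then(deps.onAssertion, deps.onError);
  });
}
```

In a page this is wired as `attachSignInButton(button, { fetchFn: fetch.bind(window), credentials: navigator.credentials, username, onAssertion, onError })`, where onAssertion posts the serialized assertion back to the server for verification. Keep any extra work between the click and the credentials.get() call to the propagated paths the article lists (XHR, fetch, setTimeout); routing it through anything else drops the gesture.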
The biometric authentication feature also offers Apple Anonymous Attestation, an optional, “first of its kind” cryptographic protocol that lets banks and other organizations with stringent compliance requirements verify the authenticity of the authenticator.
“This approach avoids the security pitfall of Basic Attestation that the compromising of a single device results in revoking certificates from all devices with the same attestation certificate,” said Jiewen Tan.
He described the new application of Touch ID and Face ID as “a huge leap forward for authentication on the web”, adding: “With the assistance of this technology, we believe multi-factor authentication will replace sole-factor password as the de facto authentication mechanism on the web.”
Andrew Shikiar, executive director at the FIDO Alliance, told The Daily Swig: “This is great news for consumers and businesses, paving the way for frictionless online sign-ups, log-ins and transactions.
The development would be particularly invaluable “in sectors like banking and retail,” he added, where “countless transactions are lost every year due to issues with passwords or mobile OTPs at the point of signing-up or checking-out. This is a business-critical issue as customers abandon the sign-up process and their shopping carts, and ultimately take their business elsewhere.”
“Safari 14 support is a major milestone, as every meaningful platform and modern computing device now supports FIDO authentication, and will be a catalyst in speeding up the adoption of strong, secure and convenient authentication.”
Tan urged developers to start testing the feature as soon as possible, to post their feedback on Twitter, and to file any bugs they uncover.
Safari 14 also enhances security key support with PIN entry and account selection on all supported macOS versions.
This article was updated on October 21 with comments from Andrew Shikiar of the FIDO Alliance.