Soon-to-launch browser for macOS 11 uses Face ID and Touch ID for more secure login experience

A new authentication feature in Safari 14, Apple’s latest web browser, will allow users to sign into websites using biometric scans.

The much-anticipated macOS 11 (Big Sur) was previewed yesterday at the company’s annual Worldwide Developers Conference.

Joining a raft of new features, Apple’s latest desktop operating system will come bundled with what the tech giant is calling the “biggest Safari update ever”.

One of the headline developments for Safari 14 is that the browser will enable websites to be unlocked via users’ Touch ID fingerprint or Face ID scan.

Secure login experience

Developers can employ this feature on their site with the Web Authentication API, Jiewen Tan, senior software engineer at Apple, explained during the online conference.

The feature’s functionality is built on the WebAuthn component of the FIDO2 standard, developed by the FIDO Alliance.

This option has already been shipped with iOS 13.3, which was released last year and included support for FIDO2-compliant physical keys.

Microsoft and Google already support FIDO-compliant web authentication on their platforms.

“With this latest development, websites can now provide millions of Apple users with access to a more secure and easier overall login experience with the Face ID and Touch ID technology they already use every day,” Megan Shamas, director of marketing at FIDO Alliance, told The Daily Swig.

“It is really a huge step forward in the industry’s movement beyond passwords with cryptographically secure authentication through the FIDO Alliance.”

WebKit engineer Jiewen Tan outlined Apple’s new web authentication feature during WWDC 20

‘A step towards a better user experience’

The use of biometrics as a method of unlocking a password lends an extra layer of security, preventing issues such as hacker-in-the-middle exploits and minimizing the risk of phishing attacks.
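The phishing resistance comes from WebAuthn's origin binding: the browser records the calling site's origin in `clientDataJSON`, the authenticator signs a hash of it, and the website checks it on its server. The following Node.js sketch is an added example, not code from the article or from Apple; `EXPECTED_ORIGIN`, the function names and the sample challenge are constructed for illustration, and signature verification is assumed to happen in a later step.

```javascript
// Added example: relying-party check of WebAuthn clientDataJSON (Node.js).
// EXPECTED_ORIGIN and the sample challenge are constructed values.
const EXPECTED_ORIGIN = "https://login.example.com";

// Browser-side request a site could pass to navigator.credentials.get();
// userVerification "required" asks the authenticator for a biometric or PIN check.
function buildRequestOptions(challengeBytes) {
  return {
    publicKey: {
      challenge: challengeBytes,
      rpId: new URL(EXPECTED_ORIGIN).hostname,
      userVerification: "required",
      timeout: 60000,
    },
  };
}

// Server-side: validate the clientDataJSON returned with the assertion.
// The browser, not the page script, fills in `origin`, so a look-alike site
// that relays the ceremony produces a value that fails this check.
function checkClientData(clientDataB64url, expectedChallengeB64url, expectedType) {
  let data;
  try {
    data = JSON.parse(Buffer.from(clientDataB64url, "base64url").toString("utf8"));
  } catch {
    return { ok: false, reason: "malformed clientDataJSON" };
  }
  if (data.type !== expectedType) return { ok: false, reason: "wrong ceremony type" };
  if (data.challenge !== expectedChallengeB64url) return { ok: false, reason: "challenge mismatch" };
  if (data.origin !== EXPECTED_ORIGIN) return { ok: false, reason: "origin mismatch" };
  return { ok: true, reason: "client data accepted; verify signature next" };
}

// Constructed sample input: encode client data the way a browser would.
function sampleClientData(origin, challenge, type = "webauthn.get") {
  const json = JSON.stringify({ type, challenge, origin });
  return Buffer.from(json, "utf8").toString("base64url");
}

const challenge = Buffer.from("constructed-nonce-0001").toString("base64url");
console.log(checkClientData(sampleClientData(EXPECTED_ORIGIN, challenge), challenge, "webauthn.get"));
console.log(checkClientData(sampleClientData("https://login.example.net", challenge), challenge, "webauthn.get"));
```
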

It still won’t replace the need for passwords entirely, however, argues digital authentication expert Per Thorsheim.

“It is a step towards better user experience (UX) and better security for most, but it is important to differentiate between the need of entering passwords all the time and actually removing the use of passwords,” Thorsheim, founder of PasswordsCon, told The Daily Swig.

“You cannot enable Touch ID or Face ID without first setting a PIN/password on your device.

“What they actually do is to implement WebAuthn support in their browser, coupled with the existing biometric security of Touch ID and Face ID.”

Thorsheim added: “I do not see this as a move towards a ‘passwordless’ future. Bill Gates predicted the death to passwords in his RSA 2004 keynote, [but] we have more accounts with passwords than ever before, and those numbers are going to increase – period.”

The changes will be made in Safari 14

Shamas confirmed that there still will be a password in existence – for example, for account recovery – until the website chooses to offer to disable it entirely.

“But it’s important to note how FIDO can also feed into risk engines,” she said.

“For example, say I have enrolled with FIDO on my Mac and someone is trying to log in to my account using a username and password from some other device – this will raise a big red flag with the service provider, and they will ask for additional information before approving that login.

“Ultimately the goal will be to get all accounts and devices enrolled with FIDO so passwords can be disabled.”

Passwordless future

Creating a passwordless future is a long-held dream for some security professionals and organizations, who argue that passwords actually make devices more vulnerable.

A report by the World Economic Forum released in January of this year stated that four out of five global data breaches are due to weak and stolen passwords.

The organization advocated for a passwordless future, arguing that 80% of all cyber-attacks worldwide are password related.

“A passwordless future can happen – it will not happen overnight, but we predict that in the next five years we will start to see more and more websites provide the option to go completely passwordless,” says Shamas.

“The really important thing is that the capabilities to make this happen are now here.”

Out on Safari

Other new features for macOS Big Sur include what Apple calls a “privacy-first Safari experience”.

The latest version of Safari ships with a Privacy Report function, which gives users a better insight into how third-party websites are tracking them.

Users can customise the feature to determine how much access web extensions are given, while their passwords will be tracked by a data breach monitoring tool.

There are major changes to the operating system, too. Mac users will be able to limit how location data is shared with apps – instead of giving a precise answer, it can offer an approximate whereabouts.

Apps will be better labelled to explain how much data is shared with them, and users will be alerted when an app is accessing their camera or microphone.
