Safari 14, the version of Apple’s browser that ships with iOS 14 and macOS Big Sur, will let you use Face ID or Touch ID to log in to websites that have been built to support the feature. The functionality is confirmed in the browser’s beta release notes, and Apple has explained how it works for developers in a WWDC video. It is built on WebAuthn, the web authentication component of the FIDO2 standard developed by the FIDO Alliance. Logging in to a website should be as simple as logging in to an app secured with Touch ID or Face ID.
WebAuthn is an API that aims to make web logins simpler and safer. Unlike passwords, which are more easily guessed and are vulnerable to phishing attacks, WebAuthn uses public-key cryptography and can rely on authentication methods such as biometrics or hardware security keys to verify a user’s identity. It is a standard that individual websites need to add support for, but built-in browser support in iOS has the potential to be a major boost for adoption.
This is not the first time Apple has adopted parts of the FIDO2 standard. Last year’s iOS 13.3 added support in the Safari web browser for physical FIDO2-compliant security keys, and Google began making use of this earlier this month for its accounts on iOS.
These security keys give your account greater protection because an attacker would need physical access to your key to get into your account. Safari also received support for security keys on macOS in 2019. However, the functionality in Safari 14 should be much more seamless, relying on the biometric security built into your Apple device instead of requiring a separate piece of hardware in the form of a security key.
In the past, Apple’s apps were able to use Touch ID and Face ID as part of the online authentication process, but this relied on using the biometric check to autofill previously stored passwords on websites. Once set up, WebAuthn can be used to skip the password step altogether, which means the login isn’t vulnerable to the same types of attacks that make passwords unsafe.