If you use an iPhone or iPad, you have been able to open your preferred banking app and authenticate with your biometrics instead of a password ever since Touch ID's debut. Now Apple wants to extend passwordless sign-ins to websites. At its worldwide developer conference, Apple told developers that Safari 14 will offer Face ID and Touch ID on websites that support Fast Identity Online (FIDO) sign-in on iOS, iPadOS, and macOS.
The feature, which is based on the Web Authentication standard and implemented by Apple as a platform authenticator, is expected to be available at the end of the year and, according to the Mac manufacturer, will be introduced with iOS 14 and macOS Big Sur.
Apple announced the new FIDO-based login in the Safari 14 Beta release notes. The company said it "added an authentication platform for the web authentication platform using Face ID or Touch ID, depending on what functionality is available." Essentially, Apple combines your Face ID or Touch ID with credentials that are stored in the device's Secure Enclave.
This results in one-step multi-factor authentication, said Apple WebKit engineer Jiewen Tan.
Biometric login to websites in Safari works similarly to logging in to Apple. When you visit a compatible site that supports FIDO authentication, you must log in with your username and password on the first visit. On later visits, you'll be greeted with a pop-up asking if you want to use your fingerprint or face to log in. The feature is based on the FIDO2 standard; Apple joined the FIDO Alliance earlier this year.
Unlike passwords saved in iCloud Keychain on the current version of iOS, which automatically fill in the username and password stored in iCloud, passwordless FIDO logins let users sign in to the website directly with biometric authentication, without a username and password being entered in the corresponding fields on the website. The new system increases account security because it is not tied to your username or password. While websites that contain highly secure content may occasionally ask you to log in again with your username and password, FIDO's biometric logins are not subject to the same restrictions.
"But more importantly, it's phishing resistant," Apple told developers during a WWDC 2020 engineering session, according to a MacRumors report. "In Safari, only public credentials created by this API can be used on the website where they were created, and the credentials can never be exported from the authenticator in which they were created. This means that once a public credential is provided, a user is no longer able to accidentally pass it on to another party. Cool, isn't it?! This is the overview of the web authentication standard."
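The website-scoping described in the quote is something a site's server can check on every login. The following is an added example, not code from Apple or from the original article: it shows the origin, RP ID and user-verification checks a relying party applies to a Web Authentication assertion. The function names, the `bank.example` hosts and the sample messages are constructed for illustration, and the signature check over the authenticator data and client data hash, which a real server must also perform, is left out.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, as used for the challenge in clientDataJSON."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion_scope(client_data_json, authenticator_data,
                          expected_origin, rp_id, expected_challenge):
    """Return the list of reasons to reject; an empty list means the checks pass."""
    problems = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        problems.append("wrong type")
    if client.get("challenge") != b64url(expected_challenge):
        problems.append("challenge mismatch")
    # The browser, not the page, fills in the origin that requested the login.
    if client.get("origin") != expected_origin:
        problems.append("origin mismatch")
    # Authenticator data: 32-byte rpIdHash, 1 flags byte, 4-byte signature counter.
    if len(authenticator_data) < 37:
        problems.append("authenticator data too short")
        return problems
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash mismatch")
    flags = authenticator_data[32]
    if not flags & 0x01:
        problems.append("user not present")
    if not flags & 0x04:  # set when Face ID / Touch ID verified the user
        problems.append("user not verified")
    return problems

def make_sample(origin, rp_id, challenge, flags=0x05):
    """Constructed sample messages as a browser and authenticator would emit them."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([flags]) + (7).to_bytes(4, "big"))
    return client_data, auth_data

if __name__ == "__main__":
    chal = b"constructed-challenge-0001"
    real = make_sample("https://bank.example", "bank.example", chal)
    lookalike = make_sample("https://bank-login.example", "bank-login.example", chal)
    for name, (cd, ad) in (("real site", real), ("lookalike site", lookalike)):
        print(name, check_assertion_scope(cd, ad, "https://bank.example",
                                          "bank.example", chal))
```

An assertion produced on the lookalike host fails both the origin and the RP ID hash checks, so it cannot be replayed to the real site.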