Imagine using Face ID on your iPhone alongside a password and Touch ID on your computer in order to access highly secure websites, such as online banks, enterprise intranets and confidential online data services.
That’s a possibility as Apple begins testing a new security standard called WebAuthn.
What is WebAuthn?
WebAuthn (Web Authentication) technology lets websites/online services use hardware keys (typically USB devices) to authenticate your identity when you try to access them.
These keys are usually used alongside passcodes and other security protections (including 2FA) to provide even stronger protection when you access these services.
While not based on the same technology, many online banking consumers may have been offered authentication devices by their banks, but such hardware/software keys are also used elsewhere, in government and the military for example.
WebAuthn also supports a companion standard called FIDO2, which lets hardware keys use Bluetooth and NFC for authentication of WebAuthn sessions. In theory, this means you can use existing security devices, including fingerprint readers, cameras and USB keys as website authentication systems.
It isn’t known whether Apple will support FIDO2, but if it did, it could potentially create a system in which iPhones (or even an Apple Watch) become a hardware “key” used to access secure services, leveraging its advantages in biometric security and the industry-leading security of its operating systems.
This would tie an individual user’s mobile device to the PC, Mac or iPad used to access the system, and would replace or at least supplement password protection.
It is important to add that WebAuthn is not yet fully endorsed by the W3C, particularly in light of recent warnings from the Paragon Initiative that some of the algorithms used in the standard may be outdated and vulnerable to attack.
Why it matters
WebAuthn is also supported in Mozilla, Microsoft Edge and Google.
Its existence confirms that security protection will become increasingly dependent on multifactor hardware/software/biometric security models.
A quick scan of the news headlines confirms that the velocity of major attacks is increasing, with huge companies (such as the Marriott hotel chain) impacted.
This means millions of customer details — including names and passwords used across multiple services — that have been stolen through this and many other attacks are almost certainly now trading on the dark web.
The industry must recognise that the security challenges around phishing and data theft extend well beyond financial transactions and personal data security, and also threaten the political process.
With this in mind, it seems likely we’ll see the industry come together more tightly to develop robust security technologies for a digitally-connected IoT age.
Apple’s decision to support (or at least, test) the security standard confirms the growing awareness among all stakeholders of the need to address the security challenge.
A little more
To enable support you need to download and install the latest Safari Preview, then open Develop>Experimental Features>Web Authentication.
You will also need an external hardware device, such as the Yubikey 5 or $20 Yubi Security Key. It is interesting to note that the company that makes both of those products is also developing authentication devices with USB-C support.
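One way a page could check that the WebAuthn API is present once the experimental feature is switched on, and then register a hardware key while accepting only signature algorithms the site trusts, given the algorithm concerns mentioned earlier. This is an added example, not code from Apple or the original article; the function names, the allowlist and the choice to leave out RS256 are assumptions for illustration.

```javascript
// Added example. ALLOWED_ALGS and all function names are illustrative.
// COSE algorithm identifiers as registered with IANA.
const COSE = { ES256: -7, EdDSA: -8, RS256: -257 };

// Assumption: this site accepts only elliptic-curve signatures and
// leaves out RS256 (RSASSA-PKCS1-v1_5).
const ALLOWED_ALGS = [COSE.ES256, COSE.EdDSA];

// True when the browser exposes the WebAuthn API, for example after the
// experimental feature has been enabled.
function webAuthnAvailable(scope) {
  return typeof scope.PublicKeyCredential === "function" &&
    !!scope.navigator && !!scope.navigator.credentials;
}

// Build the argument for navigator.credentials.create(). The challenge
// must be random bytes issued by the server for this one registration.
function buildCreationOptions(challenge, rp, user) {
  if (!(challenge instanceof Uint8Array) || challenge.length < 16) {
    throw new Error("challenge must be at least 16 random bytes");
  }
  return {
    publicKey: {
      challenge,
      rp,   // { id, name } of the website
      user, // { id: Uint8Array, name, displayName }
      pubKeyCredParams: ALLOWED_ALGS.map((alg) => ({ type: "public-key", alg })),
      timeout: 60000,
      attestation: "none",
    },
  };
}

function algorithmAccepted(alg) {
  return ALLOWED_ALGS.includes(alg);
}

// Register a key, then re-check the algorithm the authenticator chose.
// The server must repeat this check on the data it receives.
async function register(scope, challenge, rp, user) {
  if (!webAuthnAvailable(scope)) throw new Error("WebAuthn not available");
  const cred = await scope.navigator.credentials.create(
    buildCreationOptions(challenge, rp, user));
  const alg = cred.response.getPublicKeyAlgorithm();
  if (!algorithmAccepted(alg)) throw new Error("unexpected algorithm " + alg);
  return cred;
}
```

In a browser, call `register(window, challenge, rp, user)` with a challenge fetched from the server.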