Apple killing off web passwords? Safari trials WebAuthn logins on macOS
Apple’s WebKit team have added ‘experimental support’ for Web Authentication, the standard for enabling website logins by plugging a USB security key into a computer.
Web Authentication, or WebAuthn, is supported at different levels by Mozilla Firefox, Google Chrome, and Microsoft Edge.
In the latest version of Windows 10, version 1809, Windows users can use Edge to sign in to Office 365, Outlook.com, Skype, and OneDrive with a FIDO2 USB security key, such as Yubico’s YubiKey 5 or Security Key.
WebAuthn works with a protocol called Client to Authenticator Protocol (CTAP), which FIDO keys rely on to generate private and public cryptographic key pairs for authenticating to a website. CTAP2 is also called FIDO2.
“Added Web Authentication as an experimental feature with support for USB-based CTAP2 devices,” says the WebKit team in release notes for Safari Technology Preview release 71, which also introduces dark-mode support.
While the preview suggests Safari will at some point support WebAuthn, as CNET notes, experimental support doesn’t guarantee that will happen.
Though several Apple employees are on the WebAuthn working group, it hasn’t been certain whether Apple would join Google, Microsoft, and Mozilla in supporting the standard.
SEE: Apple iOS 12: An insider’s guide (free PDF)
While WebAuthn does enable passwordless logins, it’s also being used to streamline and improve two-factor authentication.
Google, for example, requires users of its Titan Security Keys, or other FIDO2 keys, to add them to its two-step verification process for Google Accounts.
The standard could reduce the dangers of users picking poor passwords and having them compromised in a breach or phishing attack.
An attacker armed with a correct password would also require physical access to the security key. The security key also offers better security than one-time-passcodes since these can be intercepted.
Previous and related coverage
Microsoft takes another big step in its mission for password-less sign-in for Windows 10.
Windows Hello biometric login could soon be the key to all your favorite websites.
Getting rid of passwords is a good idea, but we need to think through the consequences of the most likely replacement, too.
Browser makers take an important step in reducing the need for passwords and all the security threats they bring.
If you trust Google, this is the second-factor security key for you.
Firefox becomes first browser to support the Web Authentication API, taking the world closer to no-password logins.
Microsoft wants to banish ‘inconvenient, insecure, and expensive’ passwords. So what’s going to replace them?
Admins can now significantly reduce the risk of accounts being compromised by password-spraying attacks.
Apple’s browser is catching up to Firefox, Chrome and Edge with better sign-on technology.