I bet that gets complicated when signing in on a non-Apple device... I have found Sign in with Apple to be difficult enough at times.
The problem is those 3% of times I'm on a non-Apple device and I bet this is a pain, especially logging in with my Apple ID and the subsequent 2-factor code.
Sounds like a great idea, but what happens outside of the Apple ecosystem? For example logging into an account from an employer’s Windows machine or if (heaven forbid) a user leaves Apple’s world?
The underlying standard (Web Authentication) is well supported across all modern browsers and platforms. It is about devices which the user chooses to authenticate with, called authenticators. They have public/private cryptography underneath - they give each site a unique public key, then the authenticator locally authenticates the user (such as with FaceID on iPhone) and "proves" you are the same user to the site. Since it is a unique key pair per site, using the system does not leak that you are the 'same' person on different sites. Since it goes through the browser/platform, it becomes _very_ difficult for someone to phish you - Google reported after they deployed this technology to their employees, they completely eliminated all corporate phishing incidents.
Because you want to keep that private key private (it is literally the key to the kingdom), nearly all implementations have authenticators (like USB key fobs, or built-in platform support like the currently shipping Safari support) keep that key private and non-exportable.
So typically the idea would be that you have multiple keys registered (one for my Android phone, one for my Windows laptop, one for my iPad) the same way you might tell a site that password, Sign in with Apple, and Google Authentication are all ways you are willing to sign in. A site would likely also need a recovery mechanism if none of those work.
This announcement isn't that Apple is supporting these standards, but that they are going to expand this concept (which has already been shipping since iOS 13) so that the private keys aren't necessarily for a single hardware device - but synchronized between all your devices. That makes it a lot easier, since you don't need to add each device to each website in order to use this simple, strong authentication system.
The standards also allow for a phone to work as an authenticator for another device by acting like a key fob (so via USB, Bluetooth, or NFC). So far, neither Google nor Apple has deployed these - too many computers do not have NFC, not enough people carry a set of appropriate USB cables around with them, and BLE has a nasty trade-off with battery drain vs user experience.
This would be soooo good. eBay might be using this feature; you can sign in with Touch ID rather than a password on their home website.
eBay is already using the underlying standard, so whether they support this really comes down to if (or more likely, when) they can create a good enough user experience.
Siri can already detect who is speaking, so why not throw in this as a third authentication possibility?
Especially as Siri is now moving 'on device' to the Secure Enclave........
You could! But such a system is "lighter" on authentication strength (even compared to things like PIN code), so they would also need to have an ability for sites/apps to opt out of that and mandate a "stronger" authentication form.
You typically see home "voice" authentication on the automation devices, because then it is somewhat multi-factor (you have to physically be in the home first, then do the voice-based biometric). There's also a difference in UX - an iPhone doesn't need voice authentication because they expect you are looking into the screen, and the abyss^HHHH camera is looking back.
Also, the underlying standard being leveraged pushes hard for user consent for authentication - you would likely want something where all you had to do is speak your request, without first prefixing that with saying "my voice is my password" or other consent phrase.
I love the idea of touch/face ID replacing all my passwords. But the fact that I still have to enter a 4/6 digit simple password to get into my iPhone every week or two concerns me. Why aren't these features good enough to remove the simple passcode on our own devices?
Because you actually aren't authenticating into your device with TouchID/FaceID - you are authenticating with the password/pin! The device then caches that in the secure enclave, and uses biometrics to decide when to 'unlock' the device.
The process of turning a passcode into cryptographic keys to unlock your device is long-proven technology, while trying to get a consistent key out of a biometric scan (where the fingerprint/facial read is always slightly different) is a topic of ongoing research.
There are benefits to them not authenticating you with just TouchID/FaceID, such as the ability to put a phone in emergency mode until the PIN is entered. This keeps you from being forced to give a glance/fingerprint to unlock your phone while under duress, and changes the legal stance of forcing release of information in some jurisdictions.
Is this any different from a user just setting a longer, more complicated password when making their account? When I'm making an account for a new site, I can have iCloud Keychain generate a complicated password and store it. This sounds like the same thing, but with a "WebAuthn credential" instead of a complicated password.
If it's different, can someone explain how?
Sure, this is using a system called public/private cryptography, where instead of a single user-chosen secret you have a pair of computer-generated values. I can give out the public value to everyone as part of my identity, but I never give out the private value.
With passwords, I always have to share my secure secret password with the other site, which means they could potentially lose it. Also, most users are unfortunately not using super secret secure passwords, but using their dog's name and anniversary year on everything from recipe sites to their bank - so in the case of a data breach, their email address and that password gets tried against every other site.
With public/private key pairs, a site can ask me to prove I hold the corresponding private key to the public key I shared with them. This means that nobody can imitate me unless I decide to give out my private key - even if the site gets hacked and my public key gets stolen. For Apple's system, they would need to get a device on my iCloud account.
Since this isn't a password however, it won't leave the phone. So sites need some way to add other methods of authentication (such as the WebAuthn support built into Android and Windows), and/or to recover access if you completely lose access to your Apple devices.
Finally, most sites want multiple factors - holding an iPhone or key fob might count as one (physical), but they still want another (knowledge or biometric). You see sites that ask for a username and password and then use a YubiKey as a second factor, as well as sites that will let you just log in with your phone and FaceID.
For keys like YubiKeys, I might do a PIN entry to the computer to unlock the device - other than the operating system or browser seeing my PIN locally, that's still not a secret shared with the remote server. My key shares that I did additional 'user verification' with the site, which will use that potentially to decide to let me in without any other challenges. Having that PIN not be shared and having it only be usable if someone steals my physical key fob (plus the fob will factory wipe itself given enough bad guesses) means I can use much simpler passwords.