Face ID and Touch ID Logins Coming to Websites With Safari Web Authentication API

MacRumors

macrumors bot
Original poster
Apr 12, 2001
48,667
10,094


Apple allows Touch ID and Face ID to be used in lieu of a password to access sensitive apps like those for banking or password management, and in the future, Face ID and Touch ID will also be able to be used for authentication purposes when logging into a website.


Apple outlines the feature in a WWDC20 engineering session called "Meet Face ID and Touch ID for the web," which covers how web developers can use Face ID and Touch ID on their websites with the Web Authentication API.

An initial login on a website that supports the feature will require a username, passcode, and two-factor authentication code to be entered, but after that, Face ID or Touch ID can handle the login process. Signing in this way will require users to click on the sign in button, after which Safari will ask for confirmation. With the confirmation, a Face ID (or Touch ID) scan is done, and the user is able to log in.

Apple says Face ID and Touch ID authentication is beneficial because it's frictionless, simple, and secure. The online session described it as "phishing resistant."
But more importantly, it is Phishing-resistant. Safari will only allow public credentials created by this API to be used within the Web site they were created, and the credential can never be exported out from the authenticator they were created in as well. This means that once a public credential has been provisioned, there is no way for a user to accidentally divulge it to another party. Cool right?! This is the overview of the Web Authentication standard.
Additional detail about the feature, including instructions on how web developers can enable it, can be found in the full video along with the accompanying resources.

Article Link: Face ID and Touch ID Logins Coming to Websites With Safari Web Authentication API
 

CJ Dorschel

macrumors member
Dec 14, 2019
49
22
Berlin
This is the biggest "feature" improvement I need. I've been using 1Password since day 1 and carefully maintain and update over 1000 website passwords. While the inclusion of 1Password and other third party apps into Apple's iOS system was great, it still adds extra steps of retrieving and copying passwords especially when using Safari in Private mode and/or the site is automatically detected by iCloud Keychain or 1Password. Simply using FaceID will facilitate access while maintaining or even improving security.
 

arn

macrumors god
Staff member
Apr 9, 2001
14,957
2,625
How does this relate to websites which implement the Sign In with Apple functionality introduced at WWDC last year?
So I believe Sign In with Apple creates/connects an account with your Apple ID.

This is basically a faster FaceID/TouchID reauthentication for your existing accounts.

The video demos it.

arn
 

homegrownhero

macrumors member
Jul 26, 2017
52
31
You know, since Craig is the one who kept mentioning their crack marketing team every year, it makes you wonder if he's actually part of, if not THE, mentioned drug-fueled crack marketing team.
 
  • Like
Reactions: Nebulance

munpip214

macrumors regular
Feb 21, 2011
200
418
This is the biggest "feature" improvement I need. I've been using 1Password since day 1 and carefully maintain and update over 1000 website passwords. While the inclusion of 1Password and other third party apps into Apple's iOS system was great, it still adds extra steps of retrieving and copying passwords especially when using Safari in Private mode and/or the site is automatically detected by iCloud Keychain or 1Password. Simply using FaceID will facilitate access while maintaining or even improving security.
It's hard to know how this will work. Currently websites save cookies to keep track of you and your logins. It sounds like if you have logged in to a website it will save the (let me always log in to this website without re-authenticating) cookie and just add Face ID as a double-check method. For me I would rather not be continuously logged in to a website. This also wouldn't work for Private mode. I am also often logging in with multiple accounts so this would not help as much.
 
  • Like
Reactions: CJ Dorschel

konqerror

macrumors 68020
Dec 31, 2013
2,177
3,490
It's hard to know how this will work. Currently websites save cookies to keep track of you and your logins. It sounds like if you have logged in to a website it will save the (let me always log in to this website without re-authenticating) cookie and just add Face ID as a double-check method. For me I would rather not be continuously logged in to a website. This also wouldn't work for Private mode. I am also often logging in with multiple accounts so this would not help as much.
Microsoft has this fully implemented today. All that has changed is the sign in screen where it asks you for your e-mail now has a link that says "Sign in with Windows Hello or a security key". You click that, authenticate via fingerprint, face recognition, or PIN. It asks you whether you want to save the sign-in, you hit yes/no, and then you're signed in.

In private mode, you're only allowed to use an external security key, but it works otherwise. You can have multiple accounts provisioned as well, it displays a list of possible accounts to use.
 

xxray

macrumors 65816
Jul 27, 2013
1,158
1,545
I noticed this for the first time today using Grammarly. Super convenient.
 

mazz0

macrumors 68000
Mar 23, 2011
1,907
1,140
Leeds, UK
I don’t really see how this is much more convenient than just using FaceID to grant access to the keychain?
 

WoodpeckerBaby

macrumors 6502a
Aug 17, 2016
517
412
What if you have a non Apple device in your family of Apple devices?
You can’t very easily log in there. I hope Apple will work with IEEE to set a standard for this so everyone can participate.
 

konqerror

macrumors 68020
Dec 31, 2013
2,177
3,490
What if you have a non Apple device in your family of Apple devices?
You can’t very easily log in there. I hope Apple will work with IEEE to set a standard for this so everyone can participate.
This is already a standard, called FIDO2. If you have non-Apple devices, sites allow multiple keys, or simply forget this and use an external USB/NFC/Bluetooth key.

I don’t really see how this is much more convenient than just using FaceID to grant access to the keychain?
One: it is phishing-resistant, two: if the data was intercepted or the other side has a database leak, the information is worthless since it cannot be used for future logins.
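
Added example (not part of the thread or of Apple's session material): a Node.js sketch of the relying-party checks behind the "phishing-resistant" and "worthless if intercepted" points made in the article and in the reply above. The relying party `bank.example`, the look-alike origin, and the in-process key pair standing in for the authenticator are constructed for illustration; using the origin's hostname as the RP ID is a simplification.

```javascript
const crypto = require('node:crypto');

const RP_ID = 'bank.example';            // hypothetical relying party
const ORIGIN = 'https://bank.example';
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Constructed stand-in for the authenticator: the private key stays here,
// the site's database only ever holds publicKey.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Browser + authenticator side. The browser, not the page, fills in `origin`.
function signAssertion(origin, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  // authenticatorData = rpIdHash (32) | flags (UP|UV = 0x05) | signCount (4)
  const authData = Buffer.concat([sha256(new URL(origin).hostname), Buffer.from([0x05, 0, 0, 0, 1])]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: crypto.sign('sha256', signed, privateKey) };
}

// Server side: challenges are random and single-use.
const pending = new Set();
function newChallenge() {
  const c = crypto.randomBytes(32);
  pending.add(c.toString('base64url'));
  return c;
}

function verifyAssertion({ clientDataJSON, authData, signature }) {
  const client = JSON.parse(clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'bad type';
  if (!pending.delete(client.challenge)) return 'unknown or reused challenge';
  if (client.origin !== ORIGIN) return 'origin mismatch';
  if (!authData.subarray(0, 32).equals(sha256(RP_ID))) return 'rpIdHash mismatch';
  if ((authData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, signature) ? 'ok' : 'bad signature';
}

function demo() {
  const good = signAssertion(ORIGIN, newChallenge());
  const first = verifyAssertion(good);
  const replay = verifyAssertion(good);  // captured response sent a second time
  // Look-alike origin relaying a real challenge. A real browser would not offer
  // the credential there at all; signing anyway exercises the server check.
  const phished = verifyAssertion(signAssertion('https://bank-example.test', newChallenge()));
  return { first, replay, phished };
}
console.log(demo());
```
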
 

WoodpeckerBaby

macrumors 6502a
Aug 17, 2016
517
412
This is already a standard, called FIDO2. If you have non-Apple devices, sites allow multiple keys, or simply forget this and use an external USB/NFC/Bluetooth key.



One: it is phishing-resistant, two: if the data was intercepted or the other side has a database leak, the information is worthless since it cannot be used for future logins.
I know FIDO2, that’s different. It’s basically a hardware token system. It’s not compatible with Sign In with Apple, which is SSO via Apple.
 

konqerror

macrumors 68020
Dec 31, 2013
2,177
3,490
I know FIDO2, that’s different. It’s basically a hardware token system. It’s not compatible with Sign In with Apple, which is SSO via Apple.
Did you read the article? It's saying that Apple platforms will act as a built-in FIDO2 authenticator; something that Windows and Android already do today.

Exactly like Microsoft did, they implemented FIDO2 locked to their own site first, and are now expanding it to other sites.
 

JosephAW

macrumors 68030
May 14, 2012
2,951
3,392
Is it really more secure? What about when a domain is hijacked or DNS tables are poisoned from hackers?
 

BuffaloTF

macrumors 6502a
Jun 10, 2008
965
850
I guess I don't understand what's different here? Is this not virtually the same thing that exists today by saving your password to the keychain, then it requires a Face ID to use the keychain afterwards?
 

BaltimoreMediaBlog

macrumors 6502a
Jul 30, 2015
863
1,390
DC / Baltimore / Northeast
I still think TouchID under the screen is going to make a huge comeback since FaceID completely failed during people having to wear masks. If Apple isn't working on this, then Tim Cook is more dumb than I previously thought.
 

LV426

macrumors 6502a
Jan 22, 2013
952
428
So next we need Face ID on macOS hardware
A fingerprint sensor on Magic Keyboard would be a useful option. I just got a Magic Keyboard so I can use my MacBook Pro in clamshell mode. Of course, in clamshell mode you can’t use the fingerprint sensor.
 
  • Like
Reactions: DCIFRTHS