
MacRumors

macrumors bot
Original poster
The iOS 13.3 update that is currently available to developers and public beta testers has a new Safari feature that supports NFC, USB, and Lightning FIDO2-compliant security keys.

This option was activated in the first beta of iOS 13.3, but in the second developer beta, Apple has added details about it in the release notes.

Now supports NFC, USB, and Lightning FIDO2-compliant security keys in Safari, SFSafariViewController, and ASWebAuthenticationSession using the WebAuthn standard, on devices with the necessary hardware capabilities.
With the iOS 13.3 update, Safari will support physical security keys like the Lightning-equipped YubiKey, which can be used for more secure, phishing-resistant two-factor authentication: the key signs a challenge that the browser binds to the site's origin, so a lookalike site cannot reuse the login.

Yubico announced the YubiKey 5Ci back in August, but at the time of launch, it was of limited usefulness because it did not work with Safari, Chrome, or other major browsers, though it was compatible with apps like 1Password.

With Safari support, the YubiKey 5Ci is a legitimately useful tool that can be more convenient than software-based two-factor authentication because there's no need to enter a security code -- you simply plug it into an iPhone or Mac (there's also a USB-C connector) and touch it to authenticate. Support for FIDO2-compliant USB security keys using WebAuthn was previously added to Safari 13 in macOS.

Other NFC, USB, and Lightning-based security keys will also work with Safari following the iOS 13.3 update. There's no word yet on when iOS 13.3 will be released, but we may see it sometime in December after a few more weeks of beta testing.

Article Link: Safari Supports NFC, USB, and Lightning FIDO2-Compliant Security Keys in iOS 13.3
 
FIDO is that wonky thing where the site is what is actually storing your keypair, but with you having locally encrypted it so it can give it to you so you can decrypt it so you can use that to verify the public half of the keypair that the site is also keeping?


Should just do something sensible like SQRL, or really any other solution.
 
This should open the door for Trezor users. A better implementation over Yubi IMHO in case you lose your key.
 
So...when can we expect this for Safari in Catalina?
You might want to read more carefully: "With Safari support, the YubiKey 5Ci is a legitimately useful tool that can be more convenient than software-based two-factor authentication because there's no need to enter a security code -- you simply plug it into an iPhone or Mac (there's also a USB-C connector) to authenticate. Support for FIDO2-compliant USB security keys using WebAuthn was previously added to Safari 13 in macOS."
 
This is some great news that is highly underrated. This gets us a lot closer to getting rid of the stupid password-based approach.
Besides that: A lot of countries have developed NFC capable ID cards that can now be put to work...
And, no, since those cards don't hand out the private key, this will not lead to more identity theft. In fact, it will help fight it.
This is great news for the 8 people who will ever use this totally obscure feature.
Unless you want everyone to "sign in with Apple" (or Google) and so on, this is the only secure and easy-to-use approach to passwordless login...
 
This is great news for the 8 people who will ever use this totally obscure feature.

Willing to bet you will eat these words by this time next year.

All our security standards are extremely weak and/or have been hacked, so we need new ones desperately. 2FA is going to be the savior of doing anything wallet-related on your computer.

The reason this is fantastic news is that it will allow mass adoption of way better, way more convenient, way more mass compatible security.
 
This is great news for the 8 people who will ever use this totally obscure feature.

And notice how devoid of the usual comments ("about time!", "what could go wrong", "how about you fix your software, Tim.", "X dollars? that's insane!", "insert dad joke here") this thread is. People are more likely to complain about what they don't quite fully understand but not about what they know nothing about IMHO.
 
And notice how devoid of the usual comments ("about time!", "what could go wrong", "how about you fix your software, Tim.", "X dollars? that's insane!", "insert dad joke here") this thread is. People are more likely to complain about what they don't quite fully understand but not about what they know nothing about IMHO.
Hard to put a double standard on when you don't know what you're supposed to hate about it, I guess.
 
FIDO is that wonky thing where the site is what is actually storing your keypair, but with you having locally encrypted it so it can give it to you so you can decrypt it so you can use that to verify the public half of the keypair that the site is also keeping?


Should just do something sensible like SQRL, or really any other solution.

Not exactly. The important thing is that it's a key *pair*.

The site stores the public half of the key, no need to encrypt it at all, that's literally why we call it public. Share it with as many people as you like, and security is not compromised. The FIDO device securely stores the *private* part. Securely in this sense meaning when you plug into a device like a phone or a computer, the key doesn't leave the device. This is very good because you don't need to trust the device you're plugging into. Public computers, even your phone itself getting compromised, are way less of a problem than they would otherwise be.

I'm not deeply familiar with SQRL, but basically, it is not an alternative to a device like this, but a potential complement to it. SQRL is more an alternative to passwords and a solution to password managers. Like FIDO, SQRL also uses a keypair; from what I understand that's the main benefit. Because keys are *public*, if a website gets hacked, there are no passwords to dump, just public keys. Strong 2FA is still useful, and is not part of the protocol (as far as I'm aware).
 
Wonder if this ties in with Apple Tags thing to locate missing keys, or if the Apple Tags itself has a private key usable as authentication..
 
FIDO is that wonky thing where the site is what is actually storing your keypair, but with you having locally encrypted it so it can give it to you so you can decrypt it so you can use that to verify the public half of the keypair that the site is also keeping?


Should just do something sensible like SQRL, or really any other solution.
I wish you Steve Gibson sycophants would give it a rest. FIDO2 is a robust authentication system which has already been fully vetted and ratified by the W3C, and also adopted by every major web browser. They aren't going to roll everything back to allow some win32 binary to authenticate a user. Hardware/biometric authentication is the future for passwordless authentication.
 
FIDO is that wonky thing where the site is what is actually storing your keypair, but with you having locally encrypted it so it can give it to you so you can decrypt it so you can use that to verify the public half of the keypair that the site is also keeping?


Should just do something sensible like SQRL, or really any other solution.

Seriously, Gibson is a hack and a charlatan; no one serious in the industry respects him. There were several sites that debunked what he spewed, but they just stopped being maintained over 15 years ago because there was already too much information. Gibson totally made things up (Socketgate?).

U2F, which FIDO2 is based on, is well reviewed, and is now included in the W3C specification through WebAuthn.
 
So, does it make sense to get a lightning based one? Or the NFC?
I think the NFC one will last longer on more devices. The Lightning port is already being removed from Apple devices. USB-C will eventually be replaced too. NFC will stay around longer and will work on your next 4 iPhones before it breaks.
 
I think the NFC one will last longer on more devices. The Lightning port is already being removed from Apple devices. USB-C will eventually be replaced too. NFC will stay around longer and will work on your next 4 iPhones before it breaks.

Thanks. I did contact Yubico and they said the NFC one doesn't support all the protocols.

I'll probably wait out one more round. But all the web extensions are great!
 