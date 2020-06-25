During the more than 100 sessions and workshops that Apple is presenting this week at WWDC20, details and new features that were not mentioned in the inaugural Keynote are being unveiled. One of these functions is Safari Web Authentication API that will allow logins through Face ID or Touch ID.

Fewer passwords and more security and comfort

Apple already allows Face ID and Touch ID to be used instead of passwords to access sensitive apps such as banking or password managers. Now, thanks to the new API developers will be able to implement this functionality on the web.

As the video of the session explains, a first registration will require entering a username, password and a two-factor authentication code, but, after this, Face ID or Touch ID can take care of the login process. Logging in with this system, similar to what happens with Sign in with Apple, will require that we touch the necessary button when Safari asks us for permission. The authentication is given below and the user can log in.

As Apple comments, the use of Face ID and Touch ID to log in is very positive, since it is simpler, simpler and more secure. A system that it is also resistant to phishing attacks:

But the most important thing is that it is resistant to Phishing. Safari will only allow public credentials created by this API to be used within the website they were created on, and the credential can never be exported outside of the authenticator they were created on as well. This means that once a public credential has been supplied, there is no way for a user to accidentally disclose it to another party. Great, right? This is the overview of the web authentication standard.

This compatibility, which is based on the work that Apple has done with the FIDO standard, allows us, little by little, to go transitioning to a web experience with fewer passwords, where biometric access is sufficient to carry out authentication.

Government or bank pages can greatly benefit from this new compatibility because the possibility of someone connecting to someone else’s account is very, very remote. At the same time, the possibility of login credentials being leaked is virtually impossible, since Face ID or Touch ID store your data in the Secure Enclave of the processor, an area totally isolated from the rest of the system, both by software and by hardware.

Safari Web Authentication API is without a doubt one of those little gems that distinguish Apple’s operating systems. In addition, since it is a job supported by FIDO, adoption can be really high. It is clear that Face ID and Touch ID still have the ability to revolutionize many more authentication systems, we have seen it with CarKey and we will see it from autumn on the web.

