Safari 14 Will Let You Log in To Websites With Your Face or Finger (cnet.com)
With Safari on iOS 14, MacOS Big Sur and iPadOS 14, you'll be able to log in to websites using Apple's Face ID and Touch ID biometric authentication. That's a powerful endorsement for technology called FIDO -- Fast Identity Online -- that's paving the way to a future without passwords. From a report: Apple disclosed the biometric authentication support in Safari on Wednesday at WWDC, its annual developers conference. "It's both much faster and more secure," Apple Safari programmer Jiewen Tan said during one of the WWDC video sessions Apple offered after the coronavirus pandemic pushed the conference online. The change is a big boost for browser technology called Web Authentication, aka WebAuthn, developed by the FIDO consortium allies. Apple's not the first supporter -- it's already in Mozilla Firefox, Google Chrome and Microsoft Edge, and works with Windows Hello facial recognition and Android fingerprint authentication.
And how long until that data is compromised? (Score:3)
Getting a new face or finger could be tricky. At least fingers you have 10, but once your face is compromised (and a single picture can be enough for that), it is burned for this use.
Re:And how long until that data is compromised? (Score:4, Insightful)
Something you know, something you have, and something you are.
That's best practice for security. Something you are alone; that's best for keeping track of the proles and pretending it's security.
Re: (Score:2)
Indeed. Cheaper than possible security.
Re: (Score:2)
Biometrics are essentially public information, like a username. Anyone can take a picture of your face, or (with difficulty) get your fingerprint.
Yep. This.
If you combine that problem with the privacy implications of not being able to use different IDs for different web sites then it's a huge step backwards.
I'm sure Apple users will love it though, and go around showing it to all their friends.
Re: (Score:2)
While true, I don't need the full NSA SCIF treatment to access a Pokemon forum.
I wish OAuth2/OpenID wasn't such a shitshow. No, I don't want to use Facebook, Google, LinkedIn or any of these other craptastic privacy invading services to login. And I sure as hell don't want to have to implement some other byzantine horror on my sites that requires my users have a degree in cryptography and a crappy USB key to access a web site.
This is like the spam problem all over again. Rather than deal with the problem di
Re: (Score:1)
The proposal is something you have (your phone) combined with something you are (biometrics). It is not, as many people seem to think, "using your face as your password". Your face is the second factor.
Your biometrics don't leave the phone, they simply unlock the secure enclave containing your credentials. Further, you can't spoof the request: a fake login portal will get different proof-of-identity to the actual site.
The current standard is almost exclusively something you know, alone. And people share tha
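The origin binding described in the comment above, as an added example that is not part of the thread: a relying party checks the origin the browser recorded and the `rpIdHash` the authenticator signed, so an assertion obtained through a look-alike portal does not validate. The domains, the fixed challenge and the helper names are constructed for illustration, and signature verification is left out.

```python
import base64, hashlib, json, struct

UP, UV = 0x01, 0x04  # authenticator data flag bits: user present, user verified

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_assertion(origin, rp_id, challenge, flags=UP | UV, counter=7):
    """Constructed sample of what browser + authenticator return for a page at `origin`."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()  # origin is filled in by the browser
    auth_data = hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, counter)
    return client_data, auth_data

def check_assertion(client_data, auth_data, origin, rp_id, challenge):
    """Return the list of failed checks (empty list = these checks pass).
    Verifying the signature over auth_data || SHA-256(client_data) with the
    public key stored at registration must still follow; it is omitted here."""
    failed = []
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        failed.append("type")
    if cd.get("challenge") != b64url(challenge):
        failed.append("challenge")
    if cd.get("origin") != origin:
        failed.append("origin")
    if len(auth_data) < 37:  # 32-byte rpIdHash + 1 flag byte + 4-byte counter
        return failed + ["authData length"]
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        failed.append("rpIdHash")
    if not auth_data[32] & UP:
        failed.append("user not present")
    if not auth_data[32] & UV:
        failed.append("user not verified")
    return failed

SITE = ("https://bank.example", "bank.example")  # constructed relying party
CHALLENGE = bytes(range(32))                     # fixed here; random per login in practice

def demo():
    """Check a genuine assertion and one relayed from a look-alike portal."""
    genuine = make_assertion(*SITE, CHALLENGE)
    relayed = make_assertion("https://bank-login.example", "bank-login.example", CHALLENGE)
    return (check_assertion(*genuine, *SITE, CHALLENGE),
            check_assertion(*relayed, *SITE, CHALLENGE))
```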
Re: (Score:2)
"a single picture can be enough for that"
Nope.
https://www.wired.com/story/tr... [wired.com]
Re: (Score:2)
It may just be a bit more difficult. But so far, face recognition has fallen every time.
Re: (Score:2)
Re: (Score:2)
And passwords are vulnerable to a wrench [xkcd.com].
Not necessarily. All my PWs are in a password manager on my local laptop and not backed up online. If I'm not in front of that laptop I can't help you no matter what torture device you have.
Re: (Score:2)
Ok, plot twist: they have a car.
Re: (Score:2)
And passwords are vulnerable to a wrench [xkcd.com].
At least you know when you've been wrenched.
Somebody photographing you from a distance or lifting your fingerprints from a glass after you leave a restaurant? Not so much.
Re: (Score:2)
Will it fall? Of course. Just like *damned near every other security mechanism in history* it will eventually fail, and then those who use it will use something else. Will it work until it fails? Absolutely. Once it inevitably fails, will tricking it be such an onerous process that pretty much nobody is actually going to bother to do it? Likely. If people do bother to, can the functionality be easily disabled in the settings in about 3 seconds? Yes it can.
Re: (Score:3)
It uses anonymous attestation. Your biometric data stays on your device, locked in the same sort of Secure Enclave that's been used on iPhones for years. Moreover, they aren't storing your actual biometrics, just hashes and other mathematical representations of your biometrics, so even if they were stolen from out of the Secure Enclave, the thief wouldn't be able to reproduce your fingerprint. At worst, they'd be able to tell if your fingerprint was a match for the hashes they have.
compromised (Score:1)
or a picture or a thumbprint on clear tape (Score:2)
It's Identification
Authentication requires intent.
Re: (Score:3)
Exactly. "Something you are" is identification, not authentication. Practical authentication also requires that whatever is used as authenticator can be changed.
Not always a good idea (Score:2)
Which finger? (Score:2)
Damn it wait, everyone forget reading this, I have an idea for a patent - I'm gonna be rich!
Re: (Score:2)
Thumbs up for good, and well the rest is easy to figure out :)
Showing your ass to the camera for 'bad'?
Finger? (Score:2)
Can it be my middle finger, raised in a one-finger salute? 'Cause that's all they'll get from me.
Re: (Score:2)
Hmm. Fingernail pattern? Would be slowly changing, but if you log in at least once a week, this may be working.
Re: (Score:2)
I was gonna say, I give web sites the finger all the time and have yet to have one log me in.
Re: (Score:2)
Can it be my middle finger.
Yes, you can set up biometrics on any device with a fingerprint reader with any fingerprint.
It is as secure as the current setup (Score:1)
Re: (Score:2)
To a user, it's not really that different from the way it works now.
Currently, you let Safari save the username and password (which you can set to the long, random alphanumeric string it suggests for you), then you use your fingerprint or face to unlock the password store and Safari enters it for you.
Re: (Score:2)
Your biometric information does not go to Apple (or others) for processing. It is stored in a Secure Enclave on the device (e.g. the T2 chip). Unique IDs are created for each web site.
Processing the unique IDs is just as bad. The point is that I no longer have control over my ID, I can't invent new usernames for each web site to avoid them connecting me together, it's all done by an entity that I can't control or trust.
The finger (Score:2)
Re: (Score:2)
On the other hand, for once you'll be the one doing the "in your face" thing to the websites.
I'll give Apple the finger all right (Score:3)
Re: I'll give Apple the finger all right (Score:2)
And passwords are any better? It's easier to steal a password by recording someone typing it in his smartphone than making a copy of the fingerprint of the same person. And now let's talk about how easy it is to put a physical keylogger inside a keyboard.
By the way, it's been 7 years since the introduction of TouchId and, since then, all I've read about people stealing fingerprints has been proofs of concept, hackers' experiments and zero applications of this in rea
Re: (Score:2)
than making a copy of the fingerprint of the same person
A set of side cutters would disagree.
But I guess it comes down to what kind of security you want. Security in life may be better handled with biometrics since it's easier to control people manipulating your body, security in death is better handled with passwords since the password dies with you.
Oh So Convenient... (Score:2)
and you mean that all I have to do is give you my biometrics? Sign me up :-)
Re: (Score:3)
Give Apple biometrics? It's 2020 do you *still* not understand how this technology works?
Here's an old joke (Score:2)
(assuming Touch ID for the joke)
Website: Please enter your login and password.
Apple user: Talk to the hand.
That's going to be difficult. (Score:2)
Just try pressing keys with your nose and see how easy that is.
Apple slavishly copying again.... (Score:2)
Apple's not the first supporter -- it's already in Mozilla Firefox, Google Chrome and Microsoft Edge, and works with Windows Hello facial recognition and Android fingerprint authentication.
Only Apple could literally be dead last implementing something like this and then try to spin it as new and exciting because they finally got around to slavishly copying EVERYONE else.....
Really? (Score:2)
How does Apple not have this yet? The Samsung browser has done this since at least my Galaxy S4 7 years ago.