Safari users soon will be able to securely log into websites using Face ID and Touch ID. The new feature, which Apple is rolling out in iOS 14, iPadOS 14 and macOS Big Sur, should take away one of the most irritating things about using the web — remembering, and then typing in, user names and complicated passwords.
On websites that support the feature, users can opt in to use Apple’s biometric ID systems, making that irritating login dance a thing of the past.
As with most features Apple puts in place, the upcoming ability to log in to websites with Face ID or Touch ID mixes ease of use with a commitment to user privacy.
“Face ID and Touch ID on the web is powered by a standard called Web Authentication,” said Apple WebKit engineer Jiewen Tan in a WWDC 2020 video posted Wednesday to the company’s developer website. Web Authentication offers many benefits, according to Apple, including phishing-resistant security that’s stronger than passwords alone.
Benefits of logging into websites with Face ID or Touch ID
Once a website developer implements Apple’s new Web Authentication API, an iPhone, iPad or Mac can act as an authenticator the way a physical security key would. Using Apple’s “platform authenticator” (your secure Mac or iOS device) brings three unique benefits, Tan said:
- Face ID and Touch ID, which verifies the user’s identity
- Secure Enclave – the built-in processor that safeguards all keys on the device.
- Multifactor authentication in a single step — simplified security
“By combining both, each sign-in performed with the Face ID or Touch ID is essentially a multifactor authentication,” Tan said. “The response the device sends back to the website encapsulates two factors: something you have — the iPhone — and something you are — the biometrics. And that the sign-in only takes a single tap — this is amazing.”
Cupertino also plans to roll out a new feature called Apple Anonymous Attestation that will issue distinct certificates for each website a visitor logs into. It’s just one more step Apple is taking to limit websites’ tracking of users.
A secure, frictionless user experience
Here’s how it will work. First, the website might ask users to sign in the traditional way “with their old-school password credential,” Tan said. Then, he said, the site can serve a banner, a popup or a full-screen message that says something like, “Hey, we’ve got this cool new feature to let you use Face ID or Touch ID to bypass the user name and the password next time when you sign in. Would you like to enable that?”
Obviously, you’ll say yes. And boom! Your website login problems vanish.
In the highly technical video, Tan said using Face ID and Touch ID to log into websites will provide a “frictionless user experience and yet a strong multifactor authentication mechanism.” And he promised developers the new feature can be easily integrated into websites.
Let’s hope so. The demo implementation Tan showed off during his developer-focused video looks snappy and convenient. Who doesn’t want streamlined sign-ins?
You can watch the whole thing if you want to know the nuts and bolts of how it works. For most people, just knowing that this feature is coming should be enough. When you start seeing notifications on websites this fall offering you the option, give it a shot.