With iOS 14 and iPadOS 14, Apple is further expanding the system’s support for the FIDO2 web authentication standard. In the future, iPhones, iPads and iPods will act as security keys for authentication on FIDO2-enabled web services.
FIDO2 is a standard of the FIDO alliance and the W3C (Fast Identity Online) that implements a strong authentication solution on the web. Secondary factors such as biometric features, hardware keys, smart cards or TPM modules (Trusted Platform Module) are used to enable strong, passwordless multi-factor authentication.
Unlike the other platform operators Google and Microsoft, Apple has long been the big FIDO laggard, and it wasn’t until iOS 13 that support for FIDO2-compatible NFC, USB and Lightning security keys came on websites and for app developers. With the new operating systems to be released in autumn, Apple is now going one step further. Thanks to FIDO2 support, users should be able to log in to online services without entering a password – fingerprints (Touch ID) or face recognition (Face ID) are sufficient for logging in. What many iOS users are already used to in banking apps is now finding its way onto the Internet. The process is basically a login process that is protected by two factors: the iOS device you own and your own identity, which is validated by biometric features (finger / face). To do this, web and online services must integrate the login via WebAuthn. This is the basis for a convenient and secure login for the user.
From a technical point of view, FIDO2 is a so-called challenge-response procedure. This can be used for multi-factor authentication (MFA), the asymmetric encryption method and factors such as biometric features, hardware tokens, smart cards, embedded security elements or TPM modules. If an online service uses this procedure, the registration proceeds as follows:
Communication between server and browser is established via the WebAuthn protocol, while the CTAP protocol ensures communication between browser and authenticator.
The online service issues a so-called challenge to the logging-on browser. This forwards the challenge to the authenticator used. Now the authenticator asks for a “knowledge” and a “possession component”. With iOS / iPadOS 14, these components result from biometrics (FaceID, TouchID) and the SecureEnclave (the device itself).
If the challenge is successful, a digital signature is generated and sent back.
The online service checks the signature and authenticates the browser if the check is successful.
Since Apple became a board member of the FIDO Alliance, the company has been committed to secure authentication even more. The users also benefit from this, because although Apple is not always the fastest in introducing technologies, its support gives most services the necessary momentum. With the implementation, Apple fully lives up to the goal of the process of making logging in more secure and at the same time simpler compared to password-based authentication. For the sake of completeness, it should be mentioned that the new macOS will also contain this feature and thus Mac systems can also act as a security key. (mb)