Monday, October 19, 2020

Face ID and Touch ID for the Web

WWDC 2020 Session 10670:

But this time, when I sign in, rather than go through a password and SMS 2FA flow, instead I just Face ID, like that. Boom. I’m signed in.


Safari will only allow public key credentials created by this API to be used within the website they were created, and the credentials can never be exported out from the authenticator they were created as well. This means that once a public key credential has been provisioned, there is no way for a user to accidentally divulge it to another party.


There are two important properties that Apple builds into the authenticator. The first one, as we saw, is the Face ID and Touch ID, which is used to verify users’ identity. The second one is Secure Enclave, which is a processor that manages all the private keys and guarantees that they cannot leave the device. By combining both, each sign-in performed with the Face ID or Touch ID is essentially a multi-factor authentication. The response the device sends back to the websites encapsulates two factors: something you have, the iPhone, and something you are, the biometrics. And the sign-in only takes a single tap.

Jiewen Tan (tweet):

What follows is the recommended way to invoke Face ID and Touch ID for the web.


Attestation is an optional feature which provides websites a cryptographic proof of the authenticator’s provenance such that websites that are restricted by special regulations can make a trust decision. Face ID and Touch ID for the web offers Apple Anonymous Attestation. Once verified, this attestation guarantees that an authentic Apple device performed the WebAuthn registration ceremony, but it does not guarantee the operating system running on that device is untampered.


Comments RSS · Twitter

Leave a Comment