X

Safari 14 will let you log in to websites with your face or finger

It's an important step on the path to dumping passwords altogether.

Stephen Shankland Former Principal Writer
Stephen Shankland worked at CNET from 1998 to 2024 and wrote about processors, digital photography, AI, quantum computing, computer science, materials science, supercomputers, drones, browsers, 3D printing, USB, and new computing technology in general. He has a soft spot in his heart for standards groups and I/O interfaces. His first big scoop was about radioactive cat poop.
Expertise Processors, semiconductors, web browsers, quantum computing, supercomputers, AI, 3D printing, drones, computer science, physics, programming, materials science, USB, UWB, Android, digital photography, science. Credentials
  • Shankland covered the tech industry for more than 25 years and was a science writer for five years before that. He has deep expertise in microprocessors, digital photography, computer hardware and software, internet standards, web technology, and more.
Stephen Shankland
3 min read
Apple's Safari icon on an iPhone screen
Stephen Shankland/CNET

With Safari on iOS 14MacOS Big Sur and iPadOS 14, you'll be able to log in to websites using Apple's Face ID and Touch ID biometric authentication. That's a powerful endorsement for technology called FIDO -- Fast Identity Online -- that's paving the way to a future without passwords.

Apple disclosed the biometric authentication support in Safari on Wednesday at WWDC, its annual developers conference. "It's both much faster and more secure," Apple Safari programmer Jiewen Tan said during one of the WWDC video sessions Apple offered after the coronavirus pandemic pushed the conference online.

The change is a big boost for browser technology called Web Authentication, aka WebAuthn, developed by the FIDO consortium allies. Apple's not the first supporter -- it's already in Mozilla Firefox, Google Chrome and Microsoft Edge, and works with Windows Hello facial recognition and Android fingerprint authentication.

But with Apple's clout in the smartphone market and its focus on making technology easy for everyday folks to use, the company's support sends a strong signal to both website developers and ordinary folks, telling them in effect, "Come on in, the water's fine." That could be a big step toward dumping passwords altogether.

And it's time to fix passwords. Because we reuse them so much, hackers often can use one single password obtained through a data breach to mount assaults on many other websites, too. Passwords are hard to make up, hard to remember and hard to type, especially on phone screens. Password managers are complex and often suffer compatibility hiccups.

Fixing passwords, then replacing passwords

FIDO technology shores up the numerous weaknesses of password technology and enables authentication with no passwords at all. It standardizes how apps and websites can take advantage of hardware security keys and biometric authentication.

That means bolstering passwords with two-factor authentication systems that are more secure than SMS codes that can be filched. And it enables two-factor authentication with no passwords at all. Your first authentication is possessing a registered device -- a phone or PC or security key. Your second is the biometric check -- face or fingerprint.

The clever thing about the approach is it reduces two-factor authentication to a single step. That's a lot faster than retrieving a signin code from a text message, email or authenticator app.

To move to FIDO login, you'll have to jump through a hoop once to register your device, like a Mac or iPhone.

Apple recommends websites embrace FIDO login technology. Here's what enrollment could look like: a user logs on as usual, sees a prompt to enable face or fingerprint logon, then grants permission. Next time they log on, it'll go straight to face or fingerprint authentication.

Apple; animation by Stephen Shankland/CNET

Blocking phishing

One big FIDO benefit is that it blocks phishing, since login credentials are locked to the real version of a website. Another benefit is that, for an online service that dumps passwords, there are no passwords for hackers to steal.

Indeed, when Google switched its employees to hardware security keys and FIDO technology to bolster authentication, successful phishing attacks dropped to zero, the company said.

Apple's Tan doesn't recommend websites dump passwords, at least yet. Old-school username-password login is a fallback for people who lose their phone or forget their laptop.

But one of the main FIDO ideas is eventually dumping passwords. Getting website developers to use it is a crucial step on that path.

Watch this: iOS 14 hands-on preview: Trying out the developers' beta of the new iPhone OS