WEBAUTHN –
With WebAuthn native to iOS and iPadOS, cross-industry MFA spec is ready to soar.
Dan Goodin – Dec 533,
Apple’s reticence wasn’t just bad for iPhone and iPad users looking for the most effective way to thwart the growing scourge of account takeovers. The hesitation was bad for everyone else, too. With one of the most important computing platforms giving the cold shoulder to WebAuthn, the fledgling standard had little chance of gaining critical mass. And that was unfortunate. WebAuthn and its U2F predecessor are arguably the most effective protection against the growing rash of account takeovers. They require a person logging in with a password to also present a pre-enrolled fingerprint, facial scan, or physical security key. The setup makes most existing types of account takeovers impossible, since they typically rely solely on theft of a password.
Now, the standard finally has the potential to blossom into the ubiquitous technology many have hoped it would become. That’s because of last week’s release of iOS and iPadOS .3, which provide native support for the standard for the first time. More about that later. First, a timeline of WebAuthn and some background.
In the beginning
The handheld security keys at the heart of the U2F standard helped prepare the world for a new, superior form of MFA. When plugged into a USB slot or slid over an NFC reader, the security key transmitted “cryptographic assertions” that were unique to that key. Unlike the one-time passwords used by MFA authenticator apps, the assertions transmitted by these keys could not be copied or phished or replayed. U2F-based authentication was also more secure than one-time passwords because, unlike the authenticator apps running on phones, the security keys couldn’t be hacked. It was also more reliable since keys did not need to access an Internet connection. A two-year study of more than … Google employees a few years ago that cryptographically based Security Keys.
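The three properties just named (unique to the key, not phishable, not replayable) come from the relying party checking a challenge, the browser-supplied origin and a signature from an enrolled key. The following Go sketch of one relying party and one authenticator is an added example, not code from the article or from any WebAuthn implementation. The origins, the fixed authenticator data, the single-process setting and the omission of rpIdHash, signature-counter and attestation handling are all simplifications made here; the cryptography is Go's standard crypto/ecdsa on P-256.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// clientData mirrors WebAuthn's CollectedClientData; the browser, not the page, fills in Origin.
type clientData struct {
	Challenge string `json:"challenge"` // base64url of the relying party's nonce
	Origin    string `json:"origin"`    // the site the browser was actually on
}

var authData = []byte("constructed-authenticator-data") // stands in for real rpIdHash||flags||counter

// signatureDigest is the WebAuthn signature base: SHA-256(authData || SHA-256(clientDataJSON)).
func signatureDigest(clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	sum := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return sum[:]
}

// Sign is the authenticator side (security key or platform biometric): a per-site private key that
// never leaves the device signs the challenge as relayed by a browser at origin. It returns the
// clientDataJSON and an ECDSA (ASN.1 DER) signature over signatureDigest(clientDataJSON).
func Sign(priv *ecdsa.PrivateKey, challenge []byte, origin string) ([]byte, []byte) {
	cd, _ := json.Marshal(clientData{ // a struct of plain strings always marshals
		Challenge: base64.RawURLEncoding.EncodeToString(challenge),
		Origin:    origin,
	})
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signatureDigest(cd))
	if err != nil {
		panic(err) // randomness failure: nothing sensible to do in a demo
	}
	return cd, sig
}

// RelyingParty is the website: its origin, the enrolled public key, and unanswered challenges.
type RelyingParty struct {
	Origin  string
	Pub     *ecdsa.PublicKey
	pending map[string]bool // issued challenges not yet answered by an accepted assertion
}

// Challenge issues a fresh 32-byte nonce that exactly one assertion may answer.
func (rp *RelyingParty) Challenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.pending[base64.RawURLEncoding.EncodeToString(c)] = true
	return c
}

// Verify rejects the login unless the challenge is live, the origin is ours and the signature is from the enrolled key.
func (rp *RelyingParty) Verify(clientDataJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if !rp.pending[cd.Challenge] {
		return fmt.Errorf("unknown or already-used challenge (replay)")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("assertion bound to %s, not %s (phishing)", cd.Origin, rp.Origin)
	}
	if !ecdsa.VerifyASN1(rp.Pub, signatureDigest(clientDataJSON), sig) {
		return fmt.Errorf("signature not from the enrolled key")
	}
	delete(rp.pending, cd.Challenge) // consumed: a captured copy of this assertion is now worthless
	return nil
}

// Demo enrolls one key with one relying party, runs three logins, and reports which were accepted.
func Demo() (legit, phished, replayed bool) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	rp := &RelyingParty{Origin: "https://accounts.example", Pub: &priv.PublicKey, pending: map[string]bool{}}
	// 1. Genuine login: the real site's challenge, answered from the real origin.
	cd1, sig1 := Sign(priv, rp.Challenge(), "https://accounts.example")
	legit = rp.Verify(cd1, sig1) == nil
	// 2. Look-alike site relays the real challenge, but the browser records its origin in clientData.
	cd2, sig2 := Sign(priv, rp.Challenge(), "https://accounts-example.invalid") // constructed look-alike
	phished = rp.Verify(cd2, sig2) == nil
	// 3. Replay: the genuine assertion submitted again after its challenge was consumed.
	replayed = rp.Verify(cd1, sig1) == nil
	return
}

func main() {
	legit, phished, replayed := Demo()
	fmt.Printf("genuine=%v phished=%v replayed=%v\n", legit, phished, replayed)
}
```

Running it accepts only the genuine login. The look-alike case fails on origin even though the challenge and key are real, which is why a one-time code can be phished and an assertion cannot; the replay fails because the nonce was consumed, which is why a copy of the signal is worthless to whoever captures it.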
U2F, in turn, gave way to WebAuthn. The new standard still allows cryptographic keys that connect by USB or NFC. It also allows users to provide an additional factor of authentication using fingerprint readers or facial scanners built into smartphones, laptops, and other types of hardware the user already owns. A plethora of app, OS, and site developers soon built WebAuthn into their authentication flows. The result: even when a password was exposed through user error or a database breach, accounts remained protected unless a hacker with the password passed the very high bar of also obtaining the key, fingerprint, or facial scan. As Google, Microsoft, key maker Yubico, and other WebAuthn partners threw their support behind the new protocol, Apple remained firmly on the sidelines. The lack of support in macOS wasn’t ideal, but third-party support from the Chrome and Firefox browsers still gave users an easy way to use security keys. Apple’s inaction was much more problematic for iPhone and iPad users. Not only did the company provide no native support for the standard, it was also slow to allow access to near-field communication, a wireless communication channel that makes it easy for security keys to communicate with iPhones.
Poor usability and questionable security
Initially, the only way iPhones and iPads could use WebAuthn was with a Bluetooth-enabled dongle like Google’s Titan security key. It worked — technically — but it came with deal-breaking limitations. For one, it worked solely with Google properties. So much for a ubiquitous standard. Another dealbreaker — for most people, anyway — the installation of a special app and the process of pairing the keys to an iPhone or iPad was cumbersome at best. Then in May, Google disclosed a vulnerability in the Bluetooth Titan. That vulnerability made it possible for nearby hackers to obtain the authentication signal as it was transmitted to an iPhone or other device. The resulting recall confirmed many security professionals’ belief that Bluetooth lacked the security needed for MFA and other sensitive functions. The difficulty of using Bluetooth-based dongles, combined with the perception that they were less secure, made them a non-starter for most users.
(NFC) meant that the third-party support was limited to physical security keys that connected through the Lightning port or Bluetooth. NFC connections and biometrics weren’t available. Worst of all, the support didn’t work with Google, Facebook, Twitter, and most other big sites.