Apple joins FIDO Alliance, commits to getting rid of passwords

Because I work with many different companies, I end up using just about everyone’s authentication methods but the default remains userid/password. Standardising on something else that’s a) actually secure; and b) not a pain to remember/stored securely/findable when I need it is a great idea…:

[…] “Passwords are like the cockroaches of the internet and companies have been trying to kill them off for years,” said Merritt Maxim, Forrester Research principal security analyst, in a CNBC interview. WebAuthn is a specification written by the W3C and FIDO. Its application programming interface (API) allows servers to register and authenticate users using public key cryptography instead of a password.

But Apple has always stayed a step away from the FIDO Alliance’s efforts to get rid of them. Recently, that’s been changing.

In 2018, Apple’s WebKit browser team added ‘experimental support’ for WebAuthn. By December 2019, Apple added native support for FIDO-compliant security keys, like the YubiKey, using the WebAuthn standard over near-field communication (NFC), USB, or Lightning in iOS 13.3.

This works because WebAuthn enables users to register and authenticate on websites or mobile apps using a public key cryptographic “authenticator” instead of a password. This can be a hardware security key, like those from Yubico; a biometric ID derived from your PC or smartphone’s fingerprint sensor; or a device-based authentication program.

