I’ve argued for years that moving beyond passwords is something that urgently needs to happen from both a security and usability perspective.
The technical framework to make it possible to abandon passwords – WebAuthn – was agreed back in 2018, and Apple added support for it in Safari last year. Adoption is as yet close to zero, but all that looks set to change, thanks to the latest move by Apple …
What are the problems with passwords?
Where do we begin?
First, non-techies frequently re-use passwords across websites, meaning that their security is only as good as the least-secure service they use. As soon as any website is compromised, and login credentials obtained, the first thing hackers do is grab the database and fire those logins at all the most popular sites and services – from Facebook to online banks. So a breach of a single site can mean people’s accounts get pwned across a vast number of sites.
Two-factor authentication helps, but most people won’t use it unless it’s mandatory, and very often the one-time codes are sent via SMS, which is itself a very insecure system for both technical and human reasons.
Second, phishing is a massive problem. Hackers send out emails purporting to be from a particular website, inviting people to log in to what is sometimes an extremely convincing replica of the real site. Urgency is created with a range of ploys, from fake transactions that need to be cancelled to avoid charges, to claims that people are about to be locked out of their email unless they take action. Apple IDs are a very popular phishing target because they are so valuable on the dark web.
Third, passwords aren’t great even for security-savvy techies. Anyone who uses a password manager to ensure strong, unique logins has experienced the pain of a sub-domain not being recognized, or a password manager being unable to unlock a website but not the app. In that case, logging in can involve opening your password manager, doing a search for the platform, and either pasting in, or manually entering, the password.
How is moving beyond passwords possible?
Currently, the most common way to login to a website, service, or app is with a username and a password. The username tells the service who you are, and the password confirms it’s really you. What WebAuthn does is offer an alternative way to confirm your identity.
Right now, many apps let you login with Face ID or Touch ID, but that’s merely a secondary login method to your password. What WebAuthn does is allow your device to act as a replacement for a password.
Think of making an Apple Pay transaction. The payment terminal asks for two things: a (virtual) card number, and proof that you are the cardholder. Your Apple device provides both things, without the involvement of any password.
Say you’re using an iPhone with Face ID. The iPhone tells the payment terminal, “Here’s the card number, and you don’t need to bother asking for a PIN or signature because I’ve verified the cardholder’s identify via Face ID.” The payment terminal responds with, “Oh yes, I can see that both the bank and cardholder have registered this card in Apple Pay, and I understand you’ve used Face ID to confirm cardholder authorization for this transaction, so we’re all good, thanks.”
Essentially, the payment terminal is trusting your Apple device’s biometrics to do the “confirming it’s really you” part, so no password is needed. (Apple Watch works slightly differently, in that a passcode was used to confirm your identity when you put on the Watch, and the device confirms to the payment terminal that it has been continuously on your wrist since then.)
WebAuthn takes exactly the same approach with websites and apps. It delegates the identity check to your Apple device, on the basis that the device has confirmed that biometric authentication was successful.
Apple has just allowed developers to begin testing use of WebAuthn on Apple devices.
Why is Apple’s move a big deal?
Two reasons. First, developers hate passwords as much as any of us. Storing a password database is a risk for them, as it opens up the possibility of a hacker targeting it, and they have to implement secure password-recovery systems for users who forget theirs. Far better to simply delegate the identity-confirmation task to the user’s device. So developers are very motivated to implement this, which creates momentum for the standard.
Second, where Apple leads, others follow. Apple is rarely the first company to adopt any kind of new technology, but it is a hugely influential popularizer of new tech. Once Apple does it, users know it’s safe, and that creates demand for other companies to implement it.
So Apple pushing this now will greatly accelerate adoption of WebAuthn – and hastens the day when passwords can finally be given their long-overdue retirement.