In recent years, iPhone and iPad users have been relegated to second-class citizens when it comes to a cross-industry protocol that promises to bring effective multi-factor authentication to the masses. While Android, Windows, Mac, and Linux users had an easy way to use the new standard when logging in to Google, GitHub, and dozens of other sites, the process on iPhones and iPads was painful or non-existent.
Apple’s restraint was not only bad for iPhone and iPad users looking for the most effective way to thwart the growing scourge of account takeovers. The hesitation was also bad for everyone else. With one of the most important computing platforms sitting out WebAuthn, the new standard had little chance of gaining critical mass.
And that was a pity. WebAuthn and its U2F predecessor are perhaps the most effective protection against the growing number of account takeovers. They require that a person logging in with a password also present a pre-registered fingerprint, face scan or physical security key. This setup defeats most existing types of account takeover, because they usually rely on theft of a password alone.
Developed by the cross-industry FIDO Alliance and adopted by the World Wide Web Consortium in March, WebAuthn has no shortage of supporters. It has native support in Windows, Android, Chrome, Firefox, Opera and Brave. Despite that support, WebAuthn has so far achieved little more than niche status, partly due to the lack of support from the industry’s most important platform.
Now the standard finally has the potential to become the ubiquitous technology that many hoped it would be. This is due to last week’s release of iOS and iPadOS 13.3, which offer native support for the standard for the first time.
More about that later. First a timeline of WebAuthn and some background information.
In the beginning
The portable security keys at the heart of the U2F standard introduced the world to a new, superior form of MFA. When a security key was plugged into a USB slot or held over an NFC reader, it sent “cryptographic assertions” that were unique to that key. Unlike the one-time passwords used by MFA authenticator apps, the assertions sent by these keys could not be copied, phished or replayed.
U2F-based authentication was also more secure than one-time passwords because, unlike the authenticator apps running on phones, the security keys could not be hacked. It was also more reliable because keys did not need access to an internet connection. A two-year study of more than 50,000 Google employees a few years ago concluded that cryptographically based security keys beat smartphones and most other forms of two-factor authentication.
U2F in turn made way for WebAuthn. The new standard still allows cryptographic keys that connect via USB or NFC. It also lets users provide an additional authentication factor with the fingerprint readers or face scanners built into smartphones, laptops and other hardware they already own.
A host of app, OS and site developers quickly built WebAuthn into their authentication flows. The result: even when a password was exposed through user error or a database breach, accounts remained protected unless an attacker with the password cleared the very high bar of also obtaining the key, fingerprint or face scan.
While Google, Microsoft, key maker Yubico and other WebAuthn partners put their support behind the new protocol, Apple remained firmly on the sidelines. The lack of support in macOS was not ideal, but third-party support from the Chrome and Firefox browsers gave users an easy way to use security keys. Apple’s inactivity was far more problematic for iPhone and iPad users. Not only did the company offer no native support for the standard, it was also slow to provide access to near-field communication, the wireless channel that lets security keys communicate easily with iPhones.
Poor usability and questionable security
Initially, the only way iPhones and iPads could use WebAuthn was with a Bluetooth-compatible dongle such as Google’s Titan security key. It worked, technically, but it came with deal-breaking limitations. First, it only worked with Google properties. So much for a ubiquitous standard. Another dealbreaker, at least for most people, was that installing a special app and pairing the keys with an iPhone or iPad was cumbersome at best.
Then in May Google disclosed a vulnerability in the Bluetooth Titan. That vulnerability made it possible for nearby attackers to intercept the authentication signal while it was being sent to an iPhone or other device. The resulting recall confirmed the conviction of many security professionals that Bluetooth lacked the security required for MFA and other sensitive functions. The difficulty of using Bluetooth-based dongles, combined with the perception that they were less secure, made them a non-starter for most users.
In September, engineers from authentication key maker Yubico built a developer kit with third-party programming interfaces for WebAuthn. The effort was brave, but it was also kludgey, so much so that the young Brave browser was the only one to use it. Even worse, Apple’s steadfast resistance to opening third-party access to NFC meant that third-party support was limited to physical security keys connected via the Lightning port or Bluetooth.
NFC connections and biometric data were not available. Worst of all, the support didn’t work with Google, Facebook, Twitter, and most other major sites.
Apple is participating
Apple’s tradition of building from the inside, and its aversion to risky new technologies, caused the company to adopt WebAuthn slowly. Apple has always done things differently from many of its competitors, for better or worse. While most hardware makers chose USB ports, Apple designers showed a strong preference for Lightning connectors. Apple kicked Flash to the curb while the rest of the industry still relied on it to deliver animation. Similarly, as the Chrome, Firefox, Opera and Brave browsers and the Windows, Android and Linux operating systems declared WebAuthn the future of MFA, Apple was in no hurry to embrace the standard.
The absence of WebAuthn in iOS and iPadOS not only robbed users of the most effective form of MFA; it also hampered wider industry acceptance of the standard.
With version 13.3 of iOS and iPadOS, Apple has finally integrated support directly into the devices. Safari is currently the only browser that uses the native support, but it is only a matter of time until browser and app makers follow suit using the updated SFSafariViewController and ASWebAuthenticationSession interfaces available in iOS and iPadOS. Yubico has already started selling keys that connect via Lightning, USB or NFC. (Apple has also added WebAuthn support to Safari 13 for Mac.)
There are still a few shortcomings in these new offerings. For the time being, Apple’s support does not extend to Face ID or Touch ID. This means that users must rely solely on a physical key as their second factor. The other disadvantage is that some very high-profile sites have yet to make their authentication systems compatible with the native support in iOS and iPadOS. For example, iPhone and iPad users who log in to Gmail still have to use the kludgey Bluetooth tokens or an equally cumbersome Android-based MFA option, both of which rely on a third-party app to work.
Although there are limitations to the WebAuthn support introduced in iOS, iPadOS and (to a certain extent) macOS, the additions represent one of the most important developments in MFA in recent years. Because iPhone and iPad were largely left out in recent years, it was difficult for site and app developers to justify the cost of integrating WebAuthn into their authentication flow. Apple’s move not only provides important validation, but also makes it much easier and cheaper for app developers who build for iPhones and iPads.
Apple’s restraint was a pity. WebAuthn and its U2F predecessor have emerged as one of the most promising ways to prevent account takeovers, such as the Gmail compromises that hit John Podesta and other Hillary Clinton campaign officials.
It is also a very effective measure against the growing threat of credential stuffing, an attack that uses credentials exposed in one breach to compromise other accounts that reuse the same password. Even when attackers obtain a target’s password, they still cannot get in unless they also obtain the target’s physical key or, when biometrics are used, the target’s fingerprint or face.
In the end, iPhone and iPad users were left with MFA options that were inferior to those available to users on competing platforms. Of course, Apple’s own sign-in offered robust protection, but the sites and apps it worked with were limited. Another shortcoming: it did not work with non-Apple products or sites such as Gmail, Facebook and GitHub. And as already explained, WebAuthn options were either absent or far behind what was available on other platforms.
Tuesday’s release of iOS 13.3 and iPadOS 13.3 reduces the gap considerably. For the first time, the release offers native support that allows developers of browsers and other apps to easily incorporate WebAuthn authentication into their products. The update includes a version of Safari that can connect to security keys via NFC, USB-C (for users of both sizes of 2018 and later iPad Pros) and Lightning. The same connections are possible from every app that uses the SFSafariViewController and ASWebAuthenticationSession interfaces available in iOS and iPadOS.
There are still some limitations. Unlike Android and Windows devices, iPhones and iPads cannot use Face ID for authentication, and Macs cannot use Touch ID. The lack of biometric support may deter some Apple users from signing up for WebAuthn MFA, because they must have an authentication device with them whenever a second factor is required.
A short-term limitation is that some websites – especially Gmail and other Google properties – do not currently work with Apple’s native support. It may take a while for Google engineers to merge their Bluetooth system for iPhones and iPads with the native support that Apple has rolled out this week. So for now, iPhone and iPad users are stuck with the clumsy Bluetooth dongles when they use MFA to log in to Google sites.
The wait is over
Apple’s late arrival to WebAuthn is not particularly surprising. The company’s designers have never been early adopters of new technologies. Instead, they spend more time than their competitors testing security and usability. And with a relatively small number of end users currently using WebAuthn, it is easy to see why Apple might have given priority to other features.
In any case, the wait for WebAuthn on iPhone and iPad is over. For end users who have an iPhone with NFC, I recommend Yubico’s YubiKey 5 NFC or Security Key NFC. Devices without NFC can use a YubiKey 5Ci. In addition to working with iPhones and iPads, all three keys also work with computers via their USB-C or USB-A connector.
Once an iPhone, iPad or other device has been verified via WebAuthn, it rarely requires re-verification. Normally, entering a passcode or using Touch ID or Face ID is sufficient. But in the event that a database breach or other mishap exposes your password, WebAuthn ensures that your account remains secure.