iPhones and iPads finally receive key-based protection against account takeovers
In recent years, iPhone and iPad users have been relegated to second-class citizenship when it comes to a cross-industry protocol that promises to bring effective multi-factor authentication to the masses. While Android, Windows, Mac, and Linux users had an easy way to use the new standard when logging in to Google, GitHub, and dozens of other sites, the process on iPhones and iPads was painful or non-existent.
Apple’s restraint was not only bad for iPhone and iPad users looking for the most effective way to thwart the growing scourge of account takeovers. The hesitation was also bad for everyone else. With one of the most important computing platforms abandoning WebAuthn, the new standard had little chance of reaching critical mass.
And that was a pity. WebAuthn and its U2F predecessor are perhaps the most effective protection against the growing number of account takeovers. Besides logging in with a password, they require a person to also present a pre-registered fingerprint, face scan, or physical security key. That arrangement makes most existing types of account takeover impossible, because those attacks usually rely only on theft of a password.
Developed by the cross-industry FIDO Alliance and adopted by the World Wide Web Consortium in March, WebAuthn has no shortage of supporters. It has native support in Windows, Android, Chrome, Firefox, Opera and Brave. Despite that support, WebAuthn has achieved little more than niche status so far, partly due to the lack of support from the industry’s most important platform.
Now the standard finally has the potential to flourish in the ubiquitous technology that many hoped it would become. This is due to last week’s release of iOS and iPadOS 13.3, which offer native support for the standard for the first time.
More about that later. First a timeline of WebAuthn and some background information.
In the beginning
The portable security keys at the heart of the U2F standard gave the world a preview of a new, superior form of MFA. When a security key was plugged into a USB slot or held against an NFC reader, it sent “cryptographic assertions” that were unique to that key. Unlike the one-time passwords used by MFA authenticator apps, the assertions sent by these keys could not be copied, phished, or replayed.
U2F-based authentication was also more secure than one-time passwords because, unlike the authenticator apps running on phones, the security keys could not be hacked. It was also more reliable because the keys did not need an internet connection. A two-year study of more than 50,000 Google employees a few years ago concluded that cryptographically based security keys beat smartphones and most other forms of two-factor authentication.
U2F in turn gave way to WebAuthn. The new standard still allows cryptographic keys that connect via USB or NFC. It also lets users provide an additional authentication factor with the fingerprint readers or face scanners built into smartphones, laptops, and other hardware they already own.
An abundance of app, OS and site developers quickly built WebAuthn into their authentication flows. The result: even when a password was exposed through user error or a database breach, accounts remained protected unless a hacker with the password cleared the very high bar of also obtaining the key, fingerprint, or face scan.
While Google, Microsoft, key maker Yubico and other WebAuthn partners put their support behind the new protocol, Apple remained firmly on the sidelines. The lack of support in macOS was not ideal, but third-party support from the Chrome and Firefox browsers gave users an easy way to use security keys. Apple’s inactivity was much more problematic for iPhone and iPad users. Not only did the company offer no native support for the standard, it was also slow to provide access to near-field communication, a wireless channel that lets security keys communicate easily with iPhones.
Poor usability and questionable security
Initially, the only way iPhones and iPads could use WebAuthn was with a Bluetooth-compatible dongle such as Google’s Titan security key. It worked, technically, but it came with dealbreaking limitations. First, it only worked with Google properties. So much for a ubiquitous standard. Another dealbreaker, at least for most people, was the requirement to install a special app and pair the key with an iPhone or iPad, a process that was cumbersome at best.
Then in May Google revealed a vulnerability in the Bluetooth Titan. The vulnerability made it possible for nearby hackers to intercept the authentication signal as it was sent to an iPhone or other device. The resulting recall confirmed the view of many security professionals that Bluetooth lacked the protections needed for MFA and other sensitive functions. The difficulty of using Bluetooth-based dongles, combined with the perception that they were less secure, made them a non-starter for most users.
In September, engineers from authentication key maker Yubico built a developer kit with third-party programming interfaces for WebAuthn. The effort was brave, but it was also kludgey, so much so that the young Brave browser was the only one to use it. Even worse, Apple’s steadfast resistance to opening third-party access to NFC meant that third-party support was limited to physical security keys connected via the Lightning port or Bluetooth.
NFC connections and biometric data were not available. Worst of all, the support didn’t work with Google, Facebook, Twitter, and most other major sites.