Apple killing off web passwords? Safari trials WebAuthn logins on macOS

Safari could join Firefox, Chrome, and Edge support for Web Authentication.
Written by Liam Tung, Contributing Writer on

Apple's WebKit team have added 'experimental support' for Web Authentication, the standard for enabling website logins by plugging a USB security key into a computer.

Web Authentication, or WebAuthn, is supported at different levels by Mozilla Firefox, Google Chrome, and Microsoft Edge.

In the latest version of Windows 10, version 1809, Windows users can use Edge to sign in to Office 365, Outlook.com, Skype, and OneDrive with a FIDO2 USB security key, such as Yubico's YubiKey 5 or Security Key.

WebAuthn works with a protocol called Client to Authenticator Protocol (CTAP), which FIDO keys rely on to generate private and public cryptographic key pairs for authenticating to a website. CTAP2 is also called FIDO2.

"Added Web Authentication as an experimental feature with support for USB-based CTAP2 devices," says the WebKit team in release notes for Safari Technology Preview release 71, which also introduces dark-mode support.

While the preview suggests Safari will at some point support WebAuthn, as CNET notes, experimental support doesn't guarantee that will happen.

Though several Apple employees are on the WebAuthn working group, it hasn't been certain whether Apple would join Google, Microsoft, and Mozilla in supporting the standard.

Besides Microsoft websites, the standard is supported by Dropbox, GitHub, Google, Facebook and others.


While WebAuthn does enable passwordless logins, it's also being used to streamline and improve two-factor authentication.

Google, for example, requires users of its Titan Security Keys, or other FIDO2 keys, to add them to its two-step verification process for Google Accounts.

The standard could reduce the dangers of users picking poor passwords and having them compromised in a breach or phishing attack.

An attacker armed with a correct password would also require physical access to the security key. The security key also offers better security than one-time passcodes, since these can be intercepted.
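As an added illustration (not from the article or from any browser vendor), the sketch below simulates in Node.js how the key pair described above is used at login: a software stand-in for the security key signs the site's challenge together with the origin the browser recorded, and the website checks both. The function names, the domains and the in-memory key are assumptions made for the example.

```javascript
// Added example: simplified WebAuthn login check; all names and domains are constructed.
const nodeCrypto = require('crypto');
const sha256 = (d) => nodeCrypto.createHash('sha256').update(d).digest();
// Software stand-in for a USB security key: the private key never leaves this closure.
function makeSecurityKey() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  // getAssertion is what the browser requests over CTAP; publicKey goes to the site at registration.
  const getAssertion = (rpId, clientDataHash) => {
    // rpIdHash (32 bytes) | flags (0x01 = user present) | signature counter (4 bytes)
    const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x01]), Buffer.alloc(4)]);
    const signed = Buffer.concat([authenticatorData, clientDataHash]);
    return { authenticatorData, signature: nodeCrypto.sign('sha256', signed, privateKey) };
  };
  return { publicKey, getAssertion };
}

// Browser side: the browser, not the page, records which origin asked for the login.
function browserGet(key, origin, rpId, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  return { clientDataJSON, ...key.getAssertion(rpId, sha256(clientDataJSON)) };
}

// Website side: accept only a fresh response, from our origin, signed by the registered key.
function verifyAssertion(expected, publicKey, a) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expected.challenge.toString('base64url')) return 'challenge mismatch';
  if (client.origin !== expected.origin) return 'origin mismatch';
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return 'rpId mismatch';
  if ((a.authenticatorData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return nodeCrypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad signature';
}

function demo() {
  const key = makeSecurityKey();
  const site = { origin: 'https://example.com', rpId: 'example.com' };
  const [c1, c2] = [nodeCrypto.randomBytes(32), nodeCrypto.randomBytes(32)];
  const check = (a, challenge) => verifyAssertion({ ...site, challenge }, key.publicKey, a);
  const genuine = browserGet(key, site.origin, site.rpId, c1);
  const lookAlike = browserGet(key, 'https://example-login.test', site.rpId, c1);
  const edited = { ...lookAlike, clientDataJSON: genuine.clientDataJSON };
  return {
    genuine: check(genuine, c1),     // right origin, fresh challenge
    replayed: check(genuine, c2),    // captured response, later challenge
    lookAlike: check(lookAlike, c1), // signed for a different origin
    edited: check(edited, c1),       // origin rewritten after signing
  };
}
```

`demo()` returns `ok` only for the genuine login; the replayed, look-alike-origin and edited responses are each rejected. A real browser would additionally refuse to use a credential for an rpId that does not match the requesting origin, a check this sketch leaves out.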
