Enterprise users can now wrap a new layer of security around their web services, thanks to Apple’s introduction of support for USB security keys in Safari 13.0.1.
Dongles aren’t a terribly convenient security protection for most people, but government, military and regulated industries are always searching out new ways to secure themselves and their data.
FIDO2-compliant USB security keys – such as those made by Yubico – add a layer of security to the verification process: Not only must users enter passwords and potentially use biometric authentication such as Touch/Face ID, but they must also insert and authorize a USB security key.
(Many enterprises may add geolocation to this mix.)
The idea is that a user must not only pass the traditional protections, but must also prove possession of the hardware key, and may also be required to access a site or service from a specific location or even on specific network(s).
Security keys for Macs and iPhones
Yubico introduced the YubiKey 5Ci for iOS devices earlier this year, working in partnership with password management providers including 1Password, Bitwarden, Dashlane, Idaptive, LastPass and Okta. There are also high-profile services that support these authentication technologies, such as GitHub, and alternative hardware key providers, including Titan.
This isn’t the only security key enhancement Apple has offered up in recent weeks. Earlier this month, Apple introduced new functionality that allows the full range of YubiKey authentication on iOS via near field communication (NFC).
In case it’s not clear, provision of NFC support means users can use a hardware-based authentication key on their iPhone using contactless tech, so you don’t need to plug the key in.
(One big advantage of NFC is that it minimizes any existing risk that a USB-based key can be infected with malware that can then be installed on the host machine.)
How enterprises can use these
This conceivably also means enterprise IT can create layers of hardware-based protection for devices (such as iPhones) that employees already have with them. There are also implications for Apple’s overall push to turn the Apple Watch into a platform for keyless entry systems, as it's being used around U.S. colleges already.
Apple started testing such enterprise-class authentication technologies in 2018, when it began working with WebAuthn in Safari Technology Preview Release 71. WebAuthn is the credential management API enterprise developers can weave inside their enterprise apps. It became an official web standard in 2019.
When they do, users can authenticate to access enterprise services without the need to save passwords on any server, as this is handled by the hardware key.
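An added example, not from the article or from Apple or Yubico: a simplified Node.js model of the WebAuthn login check described above, in which the server stores only a public key and verifies a signed, origin-bound challenge. The origin, RP ID and key pair are constructed sample values, and attestation, CBOR parsing and signature-counter checks are left out.

```javascript
// Added illustration, not from the article: simplified WebAuthn-style login check.
// The origin, RP ID and keys below are constructed sample values.
const crypto = require('crypto');
const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();

// Stand-in for the security key: the private key never leaves this object.
function makeAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey, // the only credential material the server stores
    respond(challenge, origin, rpId) {
      const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
      // authenticatorData: SHA-256(rpId) | flags (0x01 = user present) | 4-byte counter
      const authData = Buffer.concat([sha256(Buffer.from(rpId)), Buffer.from([0x01, 0, 0, 0, 1])]);
      const signature = crypto.sign('sha256', Buffer.concat([authData, sha256(clientDataJSON)]), privateKey);
      return { clientDataJSON, authData, signature };
    },
  };
}

// Server side: returns 'ok' or the reason the assertion was rejected.
function verifyAssertion(stored, expected, resp) {
  const client = JSON.parse(resp.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expected.challenge) return 'challenge mismatch';
  if (client.origin !== expected.origin) return 'origin mismatch';
  if (!resp.authData.subarray(0, 32).equals(sha256(Buffer.from(expected.rpId)))) return 'rpId mismatch';
  if ((resp.authData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([resp.authData, sha256(resp.clientDataJSON)]);
  return crypto.verify('sha256', signed, stored.publicKey, resp.signature) ? 'ok' : 'bad signature';
}

// A fresh random challenge per login attempt is what defeats replay.
const newChallenge = () => crypto.randomBytes(32).toString('base64url');

// Constructed run: one good login, then a response produced for a different origin.
const key = makeAuthenticator();
const stored = { publicKey: key.publicKey };
const expected = { challenge: newChallenge(), origin: 'https://sso.example.com', rpId: 'example.com' };
console.log(verifyAssertion(stored, expected, key.respond(expected.challenge, expected.origin, expected.rpId)));
console.log(verifyAssertion(stored, expected, key.respond(expected.challenge, 'https://sso.example.net', expected.rpId)));
```

The server record holds no shared secret, so a leaked credential database gives an attacker nothing to replay, and a response signed for another origin is rejected before the signature is even checked.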
Are passwords heading into history?
We know hundreds of thousands of people use incredibly weak passwords such as 1234, 1111, and other inadequate protections. The tech industry has engaged in multiple responses to this.
Apple, for example, has created its own password manager, password recommendation systems and systems that warn users when weak passwords are deployed. It also provides biometric protections such as Face ID and Touch ID.
The problem with weak passwords is that they leave people vulnerable to attack. This is bad in isolation, but such is the nature of connected infrastructure that overall security is frequently only as strong as the weakest link in the chain, which is usually the password.
“Passwords are bad for the planet. They’re bad for people. They’re the easiest way for attackers to get in, and in the case of account takeovers, they’re even a way to force people out,” Rob Lefferts, vice president of security at Microsoft, told CNBC last year.
Fundamentally, most systems – including Apple’s – do eventually require at least one password in the chain. In Apple’s case, these are the passcodes for your Apple ID and your device-specific passcodes. You need these to authenticate biometric access.
Given the need for human interaction at some point in the password chain, it makes sense that every user should be educated and empowered to use a complex alphanumeric passcode to protect their primary account data. At the same time, support for hardware-based encryption in Safari may be a good step toward a password-free future – at least for enterprise users.
Safari 13.0.1 also introduces other privacy and security improvements, an updated start page and weak password warnings. And it adds the ability to enable Picture in Picture from the audio button in a tab.
The update is recommended for all users and is available in the Software Update section of the About this Mac menu item.