
Account security has improved significantly over the past few years. Today, passwords are often required to contain a certain combination of uppercase and lowercase letters, numbers and special characters, complemented by two-factor authentication. But as it now turns out, Apple intends to change these traditional methods and strengthen security even further. During the WWDC21 developer conference, the company announced a much safer and simpler way. It combines passwordless authentication based on WebAuthn and Face ID/Touch ID with iCloud Keychain.


This innovation is reflected in the new iOS 15 and macOS Monterey operating systems, but it is not available for regular use. Such a large-scale change is undoubtedly a long shot, and it is now up to developers to experiment with it. Like Google or Microsoft, for example, Apple is embarking on an interesting approach to security that should be as simple and as secure as possible. The key standard here is WebAuthn in combination with biometric authentication. This theoretically prevents phishing problems.

This is how Apple presented the technology at WWDC21

All this news was introduced during the presentation Move beyond passwords at WWDC21, where Garrett Davidson explained how the aforementioned WebAuthn standard works and how it uses public and private keys. In this case, classic passwords are not used, only the aforementioned keys. With the current procedure, you enter your login name and password. The password is then passed through a cryptographic hash function to produce a hash. The hash is usually further strengthened with a so-called salt, resulting in a long text string that cannot simply be converted back to its original form. The problem is that this is a so-called shared secret. Not only do you have to protect it, but so does the server.


It is exactly this procedure that we should get rid of over time. The biggest advantage of WebAuthn is that it relies on a pair of keys, one public and one private. Your device creates this unique pair when the account is created on the server. The public key is simply public and can be shared with anyone, for example with the server. The private key is only for you (it is never shared) and is stored in a sufficiently secure form directly on the device itself. This change could theoretically make it possible to log in by simply entering a username and then confirming the entire process with a face or fingerprint scan.


As mentioned above, this is a long shot and we will have to wait a while for this authentication method to be introduced. Thanks to the benefits of WebAuthn and the end-to-end encryption of the well-known iCloud Keychain, it should be the most secure method to date, surpassing in several respects all methods used so far, including two-factor authentication.
