Enterprise users can now wrap a new layer of security around their web services, thanks to Apple’s introduction of support for USB security keys in Safari 13.0.1.
Enterprise class security
Dongles aren’t a terribly convenient security protection for most people, but government, military and regulated industries are always searching out new ways to secure themselves, and their data.
FIDO2-compliant USB security keys – such as those made by Yubico – add a layer of security to the verification process:
Not only must users enter passwords and potentially use biometric authentication, such as Touch/Face ID, but they must also insert and authorize a USB security key.
(Many enterprises may add geolocation to this mix).
The idea is that not only must a user confirm who they are using traditional protections, but must also prove themselves with possession of the hardware key and may also be required to be accessing a site or service from a specific location, or even on specific network(s).
Security keys for Macs and iPhones
Yubico introduced the YubiKey 5Ci for iOS devices earlier this year, working in partnership with password management providers including 1Password, Bitwarden, Dashlane, Idaptive, LastPass, and Okta.
There are also high-profile services that support these authentication technologies, such as GitHub and alternative hardware key providers, including Titan.
This isn’t the only security key enhancement Apple has applied in recent weeks.
Earlier this month, Apple introduced new functionality that allows the full range of YubiKey authentication on iOS via near field communication (NFC).
In case it’s not clear, provision of NFC support means users can utilize a hardware-based authentication key on their iPhone using contactless tech, so you don’t need to plug the key in.
(One big advantage of NFC for this is that it minimizes any existing risk that a USB-based key can be infected with malware it can then install into the host machine.)
How enterprise can make use of these
This conceivably also mean enterprise IT can create layers of hardware-based protection that make use of devices (such as iPhones) employees already have with them.
This may also have implications on Apple’s overall push toward turning Apple Watch into a platform for keyless entry systems, as used around U.S. colleges at the present time.
Apple began testing such enterprise-class authentication technologies in 2018, when it began working with WebAuthn in Safari Technology Preview Release 71.
WebAuthn is the credential management API enterprise developers can weave inside their enterprise apps. It became an official web standard in 2019.
When they do, users can authenticate to access enterprise services without the need to save passwords on any server, as this is handled by the hardware key.
Are passwords heading into history?
We know hundreds of thousands of people use incredibly weak passwords such as 1234, 1111, and other inadequate protections.
The industry response has engaged in multiple responses to this.
Apple,for example, has created its own password manager, password recommendation systems and systems that warn users when weak passwords are deployed. It also provides biometric protections such as Face and Touch ID.
The problem with weak passwords is that they leave people vulnerable to attack.
This is bad in isolation but such is the nature of connected infrastructure that overall security is frequently only as strong as the weakest link in the chain, which is usually the password.
“Passwords are bad for the planet. They’re bad for people. They’re the easiest way for attackers to get in, and in the case of account takeovers, they’re even a way to force people out,” Rob Lefferts, vice president of security at Microsoft told CNBC last year.
Fundamentally, most systems – including Apple’s – do eventually require at least one password in the chain. In Apple’s case, these are the passcodes for your Apple ID and your device-specific passcodes. You need these to authenticate biometric access.
Given the need for human interaction at some point in the password chain, it makes sense that every user should be educated and empowered to use a complex alphanumeric passcode to protect their primary account data.
At the same time, support for hardware-based encryption in Safari may be a good step in the journey to a password-free future – at least for enterprise users.
Safari 13.0.1 also introduces otherl privacy and security improvements, an updated start page and weak password warnings. It introduces the ability to enable Picture in Picture from the audio button in a tab.
The update is recommended for all users and is available in the Software Update section of the About this Mac menu item.
Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.