iDevices finally get key-based protection against account takeovers

For the past couple of years, iPhone and iPad users have been relegated to second-class status when it comes to a cross-industry protocol that promises to bring effective multi-factor authentication to the masses. While Android, Windows, Mac and Linux users had an easy way to use the fledgling standard when logging into Google, GitHub and dozens of other sites, the process on iPhones and iPads was either painful or non-existent.

Apple’s reticence wasn’t just bad for iPhone and iPad users looking for the most effective way to thwart the growing scourge of account takeovers. The hesitation was bad for everyone else, too. With one of the most important computing platforms giving the cold shoulder to WebAuthn, the fledgling standard had little chance of gaining critical mass.

And that was unfortunate. WebAuthn and its U2F predecessor are arguably the most effective protection against the growing rash of account takeovers. They require a person logging in with a password to also present a pre-enrolled fingerprint, facial scan, or physical security key. The setup makes most existing types of account takeovers impossible, since they typically rely solely on theft of a password.

Developed by the cross-industry FIDO alliance and adopted by the World Wide Web consortium in March, WebAuthn has no shortage of supporters. It has native support in Windows, Android, Chrome, Firefox, Opera, and Brave. Despite the support, WebAuthn has gained little more than niche status to date, in part because of the lack of support from the industry’s most important platform.

Now, the standard finally has the potential to blossom into the ubiquitous technology many have hoped it would become. That’s because of last week’s release of iOS and iPadOS 13.3, which provide native support for the standard for the first time.

More about that later. First, a timeline of WebAuthn and some background.

In the beginning

The handheld security keys at the heart of the U2F standard helped prepare the world for a new, superior form of MFA. When plugged into a USB slot or slid over an NFC reader, the security key transmitted “cryptographic assertions” that were unique to that key. Unlike the one-time passwords used by MFA authenticator apps, the assertions transmitted by these keys couldn’t be copied or phished or replayed.

U2F-based authentication was also more secure than one-time passwords because, unlike the authenticator apps running on phones, the security keys couldn’t be hacked. It was also more reliable since keys didn’t need to access an Internet connection. A two-year study of more than 50,000 Google employees a few years ago concluded that cryptographically based Security Keys beat out smartphones and most other forms of two-factor verification.

U2F, in turn, gave way to WebAuthn. The new standard still allows cryptographic keys that connect by USB or NFC. It also allows users to provide an additional factor of authentication using fingerprint readers or facial scanners built into smartphones, laptops, and other types of hardware the user already owns.

A plethora of app, OS, and site developers soon built WebAuthn into their authentication flows. The result: even when a password was exposed through user error or a database breach, accounts remained protected unless a hacker with the password passed the very high bar of also obtaining the key, fingerprint, or facial scan.

As Google, Microsoft, key maker Yubico, and other WebAuthn partners threw their support behind the new protocol, Apple remained firmly on the sidelines. The lack of support in macOS wasn’t ideal, but third-party support from the Chrome and Firefox browsers still gave users an easy way to use security keys. Apple’s inaction was much more problematic for iPhone and iPad users. Not only did the company provide no native support for the standard, it was also slow to allow access to near-field communication, a wireless communication channel that makes it easy for security keys to communicate with iPhones.

Poor usability and questionable security

Initially, the only way iPhones and iPads could use WebAuthn was with a Bluetooth-enabled dongle like Google’s Titan security key. It worked—technically—but it came with deal-breaking limitations. For one, it worked solely with Google properties. So much for a ubiquitous standard. Another dealbreaker—for most people, anyway—the installation of a special app and the process of pairing the keys to an iPhone or iPad was cumbersome at best.

Then in May, Google disclosed a vulnerability in the Bluetooth Titan. That vulnerability made it possible for nearby hackers to obtain the authentication signal as it was transmitted to an iPhone or other device. The resulting recall confirmed many security professionals’ belief that Bluetooth lacked the security needed for MFA and other sensitive functions. The difficulty of using Bluetooth-based dongles, combined with the perception they were less secure, made them a non-starter for most users.

In September, engineers from authentication key maker Yubico built a developer kit that added third-party programming interfaces for WebAuthn. The effort was valiant, but it was also kludgey, so much so that the fledgling Brave browser was the only one to make use of it. Even worse, Apple’s steadfast resistance to opening up third-party access to NFC meant that the third-party support was limited to physical security keys that connected through the Lightning port or Bluetooth.

NFC connections and biometrics weren’t available. Worst of all, the support didn’t work with Google, Facebook, Twitter, and most other big sites.

Apple joins the fold

Apple’s tradition of building from the inside out—and its aversion to risky new technologies—made the company slow to adopt WebAuthn. For better or for worse, Apple has always been more insular than many of its competitors. Where most hardware makers choose USB ports, Apple developers strongly favor Lightning connectors. Apple kicked Flash to the curb while the rest of the industry still relied on it as a way of providing animation. Similarly, as the Chrome, Firefox, Opera, and Brave browsers and the Windows, Android, and Linux operating systems declared WebAuthn as the future of MFA—Apple showed no hurry to embrace the standard.

The absence of WebAuthn in iOS and iPadOS not only deprived users of the most effective form of MFA—it also held back more widespread industry adoption of the standard.

With version 13.3 for iOS and iPadOS, Apple has finally built support directly into the devices. For the time being, Safari is the only browser that makes use of the native support, but it’s only a matter of time until browser and app makers follow suit by using the updated SFSafariViewController and ASWebAuthenticationSession connectors available in iOS or iPadOS. Yubico has already begun selling keys that connect by Lightning, USB, or NFC. (Apple also added WebAuthn support to Safari 13 for Mac.)

There are still a few shortcomings to these new offerings. For now, Apple’s support doesn’t extend to Face ID or Touch ID. That means users will be required to rely exclusively on a physical key as a second factor. The other drawback is that some very notable sites have yet to make their authentication systems compatible with the native support in iOS and iPadOS. iPhone and iPad users logging in to Gmail, for instance, will still have to use the kludgey Bluetooth tokens or an equally cumbersome Android MFA option, both of which rely on a third-party app to work.

Even though there are limits to the WebAuthn support introduced into iOS, iPadOS, and (to some extent) macOS, the additions represent one of the more important developments in MFA over the past few years. With iPhone and iPad largely left out for that long, it was hard for site and app developers to justify the cost of building WebAuthn into their authentication flow. Apple’s move not only provides important validation, it will also make it much easier and less costly for app developers who build for iPhones and iPads.

Apple’s reticence was unfortunate. WebAuthn and its U2F predecessor have emerged as one of the most promising ways to prevent account takeovers like the Gmail compromise that hit John Podesta and other Hillary Clinton campaign officials.

It’s also a highly effective measure against the growing menace of credential stuffing, an account takeover attack that uses data exposed in one breach to compromise new accounts that use the same password. Even when attackers obtain a target’s password, they still can’t get in unless they also obtain the target’s physical key or, when biometrics are used, the target’s fingerprint or facial image.

Ultimately, iPhone and iPad users were left with MFA options that were inferior to those available to users of competing platforms. Sure, Sign In with Apple offered robust protection, but the sites and apps it worked with were limited. Another shortcoming: Sign In didn’t work with non-Apple products or sites such as Gmail, Facebook, and GitHub. And as already explained, WebAuthn options were either non-existent or lagged far behind what was available on other platforms.

Tuesday’s release of iOS 13.3 and iPadOS 13.3 significantly closes the gap. For the first time, the release offers native support that makes it easy for developers of browsers and other apps to bake WebAuthn authentication into their wares. The update includes a version of Safari that allows security keys that connect through NFC, USB-C (for users of both sizes of 2018-and-later iPad Pros), or Lightning. These same connections will be possible with any app that makes use of the SFSafariViewController and ASWebAuthenticationSession connectors available in iOS or iPadOS.

Some limitations remain. Unlike Android and Windows devices, iPhones and iPads can’t use Face ID for authentication, and Macs can’t use Touch ID. The lack of biometrics may prevent some Apple users from opting in to WebAuthn MFA because they’re required to have an authentication device on their person any time a second factor is required.

A short-term limitation is that some websites—most notably Gmail and other Google properties—currently don’t work with Apple’s native support. It may take a while for Google engineers to merge its Bluetooth-enabled system for iPhones and iPads with the native support Apple rolled out this week. So for the time being, iPhone and iPad users are stuck with the clumsy Bluetooth dongles when using MFA to log in to Google sites.

The wait is over

Apple’s late entry to WebAuthn isn’t particularly surprising. Company designers have never been first adopters of new technologies. Instead, they tend to spend more time than their competitors testing security and usability. And with a relatively small number of end users currently using WebAuthn, it was easy to see why Apple might have given priority to other features.

In any event, the wait for iPhone and iPad WebAuthn adoption is over. For end users who have an iPhone with NFC, I recommend either Yubico’s YubiKey 5 NFC or Security Key NFC. Devices without NFC can use a YubiKey 5Ci. Besides working with iPhones or iPads, all three of these keys will work with computers by connecting through their additional USB-C or USB-A connector.

Once an iPhone, iPad, or other device has been authenticated through WebAuthn, it rarely requires a follow-on validation. Typically, just entering a passcode or using Touch ID or Face ID is all it takes. But in the event a database breach or other mishap exposes your password, WebAuthn all but ensures your account will remain safe.