The company on Wednesday released Safari Technology Preview version 71 with support for the Web Authentication (WebAuthn) technology, which lets websites authenticate your identity when you insert a hardware security key into your computer’s USB port. Those security keys are typically paired with another authentication factor, most often a password, but they can work with biometric factors like fingerprints and with time-based codes from mobile apps like Authy.
Mozilla was first to support WebAuthn with its Firefox browser, but Google followed shortly after and Microsoft Edge also signed on — a big deal for Microsoft since it currently requires Edge for no-password sign-on to websites like Office 365 and Outlook. Other websites supporting hardware security keys include Google sites, Facebook, Twitter and Dropbox.
Passwords have been used for decades to protect our access to sensitive sites, but on their own, they’ve shown profound weaknesses. People reuse the same password for different sites so one stolen password can have broad consequences. People often pick passwords that can be guessed or cracked with dictionary terms, and when required to change passwords often only make minor changes. And data breaches today affect millions of us.
Hardware security keys, part of a broader push toward multifactor authentication, change all that dramatically. Key-boosted sign-on means a stolen password on its own no longer is enough to gain unauthorized access to your accounts. Google credits hardware keys for neutralizing phishing attacks to protect tens of thousands of its own employees.
But don’t lose your USB security key
But hardware keys have issues, too. For one thing, you’d better not lose it — though that applies to other technologies like authentication apps on your phone, too.
For another, supporting all the devices you might need can require a mess of different keys or dongles. There are different keys for old-style USB-A and newer USB-C ports and for Lightning ports on iPhones and iPads.
Through a technology called FIDO2, a close cousin of WebAuthn, hardware security keys also can use Bluetooth and near-field communications (NFC) for hardware key authentication. So far, though, Safari only supports direct USB hardware keys.
Yubico, one of the main manufacturers of hardware keys, doesn’t currently support Bluetooth because for security and practical reasons: Bluetooth can work over relatively long distances and requires batteries it doesn’t want in its keys.
Safari Technology Preview is a test version that offers a peek of coming attractions for Apple’s web browser, though there’s no guarantee features in it will in fact arrive in the main version.
The new version also adds experimental support for a dark mode web developers can embrace if they want their websites to match the increasingly popular option for light text on dark backgrounds.
CNET’s Holiday Gift Guide: The place to find the best tech gifts for 2018.
Security: Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.