Apple allows Touch ID and Face ID to be used in lieu of a password to access sensitive apps like those for banking or password management. In the future, Face ID and Touch ID will also be usable for authentication when logging into a website.
Apple outlines the feature in a WWDC20 engineering session called “Meet Face ID and Touch ID for the web,” which covers how web developers can use Face ID and Touch ID on their websites with the Web Authentication API.
An initial login on a website that supports the feature will require a username, passcode, and two-factor authentication code to be entered, but after that, Face ID or Touch ID can handle the login process. Signing in this way requires users to click the sign-in button, after which Safari asks for confirmation. Once the user confirms, a Face ID (or Touch ID) scan is performed and the user is logged in.
Apple says Face ID and Touch ID authentication is beneficial because it’s frictionless, simple, and secure. The online session described it as “phishing resistant.”
But more importantly, it is phishing-resistant. Safari will only allow public credentials created by this API to be used within the Web site they were created, and the credential can never be exported out from the authenticator they were created in as well. This means that once a public credential has been provisioned, there is no way for a user to accidentally divulge it to another party. Cool, right?! This is the overview of the Web Authentication standard.
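The site binding described above has a server-side counterpart in the Web Authentication standard: the relying party checks the origin the browser recorded and the RP ID hash covered by the authenticator's signature. The following is an added example, not code from Apple's session; the `example.com` settings, the function names and the sample data are assumptions constructed for illustration, and signature verification against the stored public key is left out.

```javascript
// Added example: relying-party checks that bind a WebAuthn assertion to one site.
const { createHash } = require('node:crypto');

const sha256 = (data) => createHash('sha256').update(data).digest();

// Assumed relying-party settings (placeholders, not from the article).
const EXPECTED = { rpId: 'example.com', origin: 'https://example.com' };

// Returns the names of failed checks; an empty list means the scoping checks pass.
// Verifying the signature with the stored public key is a separate, required step.
function checkAssertionScope(clientDataJSON, authenticatorData, expectedChallenge, expected = EXPECTED) {
  const failures = [];
  let clientData;
  try {
    clientData = JSON.parse(Buffer.from(clientDataJSON).toString('utf8'));
  } catch {
    return ['clientDataJSON is not valid JSON'];
  }
  if (clientData.type !== 'webauthn.get') failures.push('type');
  if (clientData.challenge !== expectedChallenge) failures.push('challenge');
  // The browser, not the page, writes the origin, so a look-alike site cannot choose it.
  if (clientData.origin !== expected.origin) failures.push('origin');

  // authenticatorData layout: 32-byte rpIdHash | 1-byte flags | 4-byte signCount | ...
  if (authenticatorData.length < 37) return [...failures, 'authenticatorData too short'];
  if (!authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) failures.push('rpIdHash');
  const flags = authenticatorData[32];
  if ((flags & 0x01) === 0) failures.push('user presence');
  if ((flags & 0x04) === 0) failures.push('user verification'); // the Face ID / Touch ID scan
  return failures;
}

// Builds constructed sample data; flags 0x05 = user present + user verified.
function buildSample(origin, rpId, challenge, flags = 0x05) {
  const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([flags, 0, 0, 0, 1])]);
  return { clientDataJSON, authenticatorData };
}

const challenge = 'Y29uc3RydWN0ZWQtY2hhbGxlbmdl'; // constructed base64url value
const good = buildSample('https://example.com', 'example.com', challenge);
const other = buildSample('https://examp1e.com', 'examp1e.com', challenge);
console.log(checkAssertionScope(good.clientDataJSON, good.authenticatorData, challenge));
console.log(checkAssertionScope(other.clientDataJSON, other.authenticatorData, challenge));
```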
Apple has been testing similar website sign-ins with Touch ID and Face ID using iCloud since July 2019. When you visit iCloud on the web on an iPhone or iPad, you can sign right in with a Face ID scan without the need to enter a password.
Additional detail about the feature, including instructions on how web developers can enable it, can be found in the full video along with the accompanying resources.