NEW217929
Feature Request: Ability to store secrets protected by Face ID and Touch ID 
https://bugs.webkit.org/show_bug.cgi?id=217929
Summary Feature Request: Ability to store secrets protected by Face ID and Touch ID
Rob
Reported 2020-10-19 16:30:58 PDT
This article sparked some chatter here at 1Password: https://webkit.org/blog/11312/meet-face-id-and-touch-id-for-the-web/. I've been anticipating this capability for a while and am excited it's here. I'd love to see the WebKit team take biometry one step further. At 1Password, "signing in" is not just authentication. We need to derive an encryption key to decrypt your secrets. In the native apps, we've been able to unlock using just Face ID or Touch ID because of the access to the device's keychain. But at this point, Face ID and Touch ID on the web are restricted to authentication only, WebAuthn specifically. We'd be very interested in seeing a biometry API that afforded decryption capabilities. A basic implementation might be something like a domain-scoped keychain where a secret could be stored and retrieved. Or perhaps just an API that would allow encrypting and decrypting, and the data could be stored in local storage or on a server.
Attachments
Add attachment proposed patch, testcase, etc.
Smoley
Comment 1 2020-10-22 14:15:53 PDT
Thanks for filing, CCing some more folks here for consideration.
Radar WebKit Bug Importer
Comment 2 2020-10-22 14:16:05 PDT
<rdar://problem/70588887>
login Llama
Comment 3 2021-03-03 10:08:31 PST
CTAP2.1/ WebAuthn level 2 adds an extension that allows storing a 256bit key with discoverable credentials. CTAP2.1 security keys are just coming out. At some point the platform authenticator in OSX and iOS could support the new feature.
Note You need to log in before you can comment on or make changes to this bug.