by theboat 2188 days ago
If the web migrates to biometric sensors for authentication, I hope this won't suffer from vendor lock-in. When every new device ships with facial recognition and/or a fingerprint reader, it will be nice to login using my face/fingerprint irrespective of the device I'm on.

This isn't biometric authentication: it's WebAuthn, which is a public-key based system implemented by all major browsers (https://webauthn.io/). This particular implementation uses biometrics to unlock it but other implementations use a contact sensor (Yubikeys) or PIN, and the target website doesn't need to know anything about which particular mechanism was used to unlock the keystore.
This looks like a WebAuthn implementation, in which case it's an established standard and lots of vendors have interchangeable implementations. For example, Windows Hello has been WebAuthn compatible (FIDO2) for a while for sites configured to accept on-device authenticators.
This is an implementation of the Web Authentication API, and is exposed as a platform authenticator. There is no vendor lock-in.
I don't see how this could ever be something not vendor-specific because without this being tied to "Log in with Apple" you're just saying "trust the client."

Maybe that's fine if all you want is to "lock" a sensitive page to people who aren't the device owner but that's pretty limited compared to FaceID to actually log in.

It has no relationship to "Log in with Apple". It's a WebAuthn authenticator.

Almost all web sites should just implement WebAuthn. On a suitable iPhone or Mac users will be able to sign in by touching the sensor or looking at the camera, while on my Pixel phone I touch the fingerprint sensor, on this Linux desktop I touch a Yubico Security Key.

If your site is paranoid that some crazy user will choose a bad WebAuthn authenticator, or deliberately sabotage their own security for some reason, then you can use WebAuthn Attestation to obtain a signed document from the authenticator (yes, over the Web) which proves that it is, for example, an Apple iPhone 25 Super Mega Plus. I don't think you should bother doing that, but you can.

We’d need to have a standard HTML element like <facial-rec> or something and let the browser handle mapping it to whatever specific hardware the device is using.
The issue is that it's just a token that would simply say Passed/Fail. So it's trusting the client/browser.
It's more than that -- from what I'm seeing, it looks like it's a cryptographic token, presumably signed by a certificate that's embedded somewhere inaccessible in the device (probably in the secure element).
If the token is signed you could validate it with Apple (or the vendor that implemented the face recognition on the device, e.g. Samsung, Nokia, pinephone etc.).

You just need an open standard, you could even embed the url of the validating api in the token, so anyone could create their own Face ID provider.

That's precisely what the attestation section of the talk describes. This is all part of the WebAuthentication standard.