by Spivak
2188 days ago
I don't see how this could ever be something not vendor-specific because without this being tied to "Log in with Apple" you're just saying "trust the client." Maybe that's fine if all you want is to "lock" a sensitive page to people who aren't the device owner but that's pretty limited compared to FaceID to actually log in.
Almost all web sites should just implement WebAuthn. On a suitable iPhone or Mac users will be able to sign in by touching the sensor or looking at the camera, while on my Pixel phone I touch the fingerprint sensor, on this Linux desktop I touch a Yubico Security Key.
If your site is paranoid that some crazy user will choose a bad WebAuthn authenticator, or deliberately sabotage their own security for some reason, then you can use WebAuthn Attestation to obtain a signed document from the authenticator (yes, over the Web) which proves that it is, for example, an Apple iPhone 25 Super Mega Plus. I don't think you should bother doing that, but you can.
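
As an added example (not part of the comments above and not code from any WebAuthn library), this sketch shows the relying-party side of the check discussed in the thread: parsing WebAuthn authenticator data, confirming it is bound to the site and that the user was verified, and reading the AAGUID that identifies the authenticator model. It assumes the attestation statement's signature and certificate chain are verified separately, since the AAGUID proves nothing without that; `allowedAaguids` and `buildSample` are hypothetical names and the sample bytes are constructed.

```javascript
// Added example. Constructed sample data; allowedAaguids is a hypothetical allow-list.
const { createHash } = require("node:crypto");

const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified (biometric or PIN)
const FLAG_AT = 0x40; // attested credential data follows the header

// Layout: rpIdHash(32) | flags(1) | signCount(4) | [aaguid(16) | idLen(2) | credId | COSE key]
function parseAuthData(buf) {
  if (buf.length < 37) throw new Error("authenticator data too short");
  const flags = buf[32];
  const out = {
    rpIdHash: buf.subarray(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: buf.readUInt32BE(33),
    aaguid: null,
    credentialId: null,
  };
  if (flags & FLAG_AT) {
    if (buf.length < 55) throw new Error("truncated attested credential data");
    const idLen = buf.readUInt16BE(53);
    if (buf.length < 55 + idLen) throw new Error("truncated credential ID");
    out.aaguid = buf.subarray(37, 53).toString("hex");
    out.credentialId = buf.subarray(55, 55 + idLen);
  }
  return out;
}

// Registration-time policy: right site, user verified, authenticator model allowed.
function checkRegistration(authData, rpId, allowedAaguids) {
  const d = parseAuthData(authData);
  const expected = createHash("sha256").update(rpId).digest();
  if (!expected.equals(d.rpIdHash)) return "rp-id-mismatch";
  if (!d.userPresent) return "user-not-present";
  if (!d.userVerified) return "user-not-verified";
  if (allowedAaguids && !allowedAaguids.includes(d.aaguid)) return "aaguid-not-allowed";
  return "ok";
}

// Builds constructed authenticator data (COSE public key omitted for brevity).
function buildSample(rpId, flags, aaguidHex) {
  const head = Buffer.from([flags, 0, 0, 0, 1]); // flags + signCount = 1
  const credId = Buffer.from("constructed-credential-id");
  const idLen = Buffer.alloc(2);
  idLen.writeUInt16BE(credId.length);
  return Buffer.concat([createHash("sha256").update(rpId).digest(), head,
    Buffer.from(aaguidHex, "hex"), idLen, credId]);
}
```

Passing `null` for `allowedAaguids` skips the model check, which matches the comment's advice that most sites need not restrict authenticators.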