Safari 16 arrives with support for password replacement passkeys

Safari 16 arrives with support for password replacement passkeys

Apple has released Safari 16 as part of iOS 16, and also delivered as an update for macOS Monterey and Big Sur. Headline new features include Passkeys, which replace passwords with cryptographic key pairs, and CSS container queries, which enable layout based on the size of the current container rather than that of the entire viewport.

Passkeys, claims Apple web developer evangelist Jen Simmons, deliver a “profound increase in security.” They are based on the WebAuthn standard and each key pair is unique to the particular user and the application or web site. The client generates the keypair, the public key is stored on the server, and the private key which is stored (in the case of Apple devices) in the company’s iCloud Keychain, which is protected by two-factor authentication.

From the user’s perspective, login is typically via biometrics such as the Touch ID fingerprint sensor or Face ID. There is also an option to use hardware security devices.

Passkeys are not just for Safari: this sample iOS app also uses them

Safari dominates within the Apple ecosystem, but has a small market share overall. Is this any use to developers beyond Apple?

The Safari implementation and integration with Keychain is Apple specific, but It is based on the FIDO standard, and there is an Apple plug-in for Chrome on Windows which adds support for the Keychain support.

Developers can also offer old-style passwords as an option alongside passkeys. Passkeys are not inherently Apple-specific and in May this year Apple, Google and Microsoft made joint statements on the subject.

Yubico, which makes hardware security keys, argues that because private keys in the Passkey system are copyable, they offer only “roughly the same security as ‘sign-in with Google/Apple,’ plus an additional key sync password.” If there is wide adoption, though, it will still be a significant step up from passwords which are all too often insecurely stored or transmitted, and can be guessed or phished.

There is more in Safari 16, including AVIF image and animated image support, text-align-last CSS properties for setting different text alignment for the last line in a paragraph, CSS subgrids, a new Flexbox inspector in the developer tools, cross-tab background workers called Shared Workers, and CSS Offset Path or Motion Path animation. 

There is also Container Queries, where Safari was ahead of its rivals, but perhaps not by coincidence the feature has also just shipped in Google Chrome 105. They are not yet supported in Firefox though and despite the high usefulness of the feature, developers may want to wait for wider adoption or rely on a polyfill.