With the release of iOS 13.3 and iPadOS 13.3 in December, Apple finally opened up NFC access on the iPhone and iPad to security keys (and other additional NFC uses beyond the limited ones that were permitted before).
So, what does this mean for iPhone users? And does it mean my hard work was wasted back in July writing about FIDO on Apple devices?
Apple allows security keys access to NFC
In November, the iOS 13.3 beta showed upcoming support for NFC, USB, and Lightning security keys in Safari. Apple hasn’t been the most willing to allow third parties access to NFC before now, something Android has long since enabled—which I tested out in my original YubiKey security key article.
Apple has slowly been loosening their grip on NFC, allowing it to be used beyond just the proprietary Apple Pay. With iOS 11, they added the NFC SDK for iOS, which allowed iPhones to read NFC Data Exchange Format (NDEF) tags—but this is limited to iPhone 7 and newer.
With iOS 13.3, NFC usage has expanded further to include the functionality to use security keys, alongside Lightning and USB. The feature is accessible to both web apps and mobile apps; the latter has to call SFSafariViewController and ASWebAuthenticationSession.
As with most things Apple, it's not perfect. Yubico told me that since Apple hasn’t yet implemented support for PIN login, WebAuthn in Safari only works as the second factor alongside password/username. They also recently updated the Yubico Authenticator, which allows for time-based one-time passwords (TOTP).
Many of the biggest apps work with security keys, like FB, Google, etc., but many still don’t – it’s in the hands of app developers now since all browsers and OSes now support FIDO/WebAuthn natively
It took a while, but we finally have native support for security keys on Apple products. First, Safari 13 for Mac added WebAuthn support in September, and now with iOS 13.3, NFC works for iPhone and iPad users. It’s up to developers to enable this functionality within their apps, whether by using something like the Yubico Mobile SDK or iOS APIs.
Additionally, one thing we want to see for the iPhone is to have Touch ID and Face ID become FIDO certified much like Android 7+ has by allowing their software to serve as a digital version of their Titan security key.
While everyone is focused on the acceptance of security keys through NFC now, there’s more to it than that. At WWDC19, Apple talked about how they would support a few different technologies that make use of NFC, such as MIFARE (not including MIFARE Classic) tags. With MIFARE, NFC use in iOS 13.3 enables a wide possibilities of use cases, including the ability to open hotel rooms and offices, use with public transport, and even use your iPhone to hold your passport digitally. There was some limited availability of some of these use cases already. For instance, NYC subway riders with iOS 12.3 and WatchOS 5.2.1 have been able to swipe in using Apple Pay since early summer (single-use riders only at the moment).