Face ID and Touch ID authentication on web pages with Safari Web Authentication API

    Apple allows you to use Touch ID and Face ID in place of a password to log in to apps that contain sensitive information, such as banking, messaging, and password management apps. Now, Face ID and Touch ID can also be used to authenticate when logging in to a web page.

    Apple explains how it works in a WWDC20 session called “Meet Face ID and Touch ID for the Web,” which shows how web developers can use Face ID and Touch ID on their web pages with the new Web Authentication API.





    Authenticating on a web page that supports this feature will first require you to enter your username, password, and two-factor authentication, but after that first step, Face ID or Touch ID will be able to handle the login process. From then on, users will need to click the Login button; Safari will ask for confirmation and, once the user authorizes it, Face ID (or Touch ID) will be activated, starting the session.

    Apple says that authentication via Face ID and Touch ID is an improvement because it is easy, simple and secure. The session in which it was presented describes it as "phishing-proof".

    More importantly, it is phishing-proof. Safari will only allow public key credentials created by this API to be used within the web page they were created on, and that credential can never be exported outside of the authenticator that created it. This means that once the public key credential has been created, there is no way for a user to accidentally share it with other parties.
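
    The site-binding described above is also something the server can check on every login. The following is an added example, not code from Apple's session: a Node.js sketch of the scope checks a relying party runs on a Web Authentication assertion. The site name `bank.example`, the challenge value and the helper names are constructed assumptions.

```javascript
const { createHash } = require('node:crypto');

// Assumptions: constructed site values, not taken from the article.
const EXPECTED_ORIGIN = 'https://bank.example';
const EXPECTED_RP_ID = 'bank.example';

const sha256 = (data) => createHash('sha256').update(data).digest();
const fail = (reason) => ({ ok: false, reason });

// Scope checks on a WebAuthn assertion (inputs are Buffers).
// Verifying the signature with the stored public key is a separate step.
function checkAssertionScope({ clientDataJSON, authenticatorData }, expectedChallenge) {
  let clientData;
  try {
    clientData = JSON.parse(clientDataJSON.toString('utf8'));
  } catch {
    return fail('clientDataJSON is not valid JSON');
  }
  if (clientData.type !== 'webauthn.get') return fail('wrong ceremony type');
  if (clientData.challenge !== expectedChallenge) return fail('challenge mismatch');
  // The browser, not the page, writes the origin it actually loaded.
  if (clientData.origin !== EXPECTED_ORIGIN) return fail('origin mismatch');

  // authenticatorData = rpIdHash (32 bytes) | flags (1) | signCount (4) | ...
  if (authenticatorData.length < 37) return fail('authenticator data too short');
  if (!authenticatorData.subarray(0, 32).equals(sha256(EXPECTED_RP_ID))) {
    return fail('rpIdHash mismatch');
  }
  const flags = authenticatorData[32];
  if ((flags & 0x01) === 0) return fail('user not present');
  if ((flags & 0x04) === 0) return fail('user not verified'); // Face ID / Touch ID
  return { ok: true, reason: 'assertion is scoped to this site' };
}

// Constructed sample: what a browser on `origin` would hand back for `rpId`.
function buildSample(origin, rpId, challenge, flags = 0x05) {
  return {
    clientDataJSON: Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin })),
    authenticatorData: Buffer.concat([sha256(rpId), Buffer.from([flags]), Buffer.alloc(4)]),
  };
}

const CHALLENGE = 'Y29uc3RydWN0ZWQtY2hhbGxlbmdl'; // constructed base64url value
console.log(checkAssertionScope(buildSample(EXPECTED_ORIGIN, EXPECTED_RP_ID, CHALLENGE), CHALLENGE));
console.log(checkAssertionScope(buildSample('https://bank-login.example', 'bank-login.example', CHALLENGE), CHALLENGE));
```

    An assertion produced on any other origin carries that origin and a different RP ID hash, so the server rejects it even when the challenge is the correct one.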


    More details on this feature, including instructions on how developers can activate it, can be found in the video along with the other accompanying resources.


