FIDO compatibility?

There are many sites which have already implemented FIDO for users using physical tokens. Will Safari users be able to access those sites using the secure enclave instead of a separate token? The cost of those tokens has been a barrier to adoption.
I believe so. However, Face ID and Touch ID require .create() and .get() to be called within user-activated events, which is not the case for external security keys. Therefore, sites will need to adopt this change.
FIDO is accessible on the web from modern Web Authentication API or on some browsers using the older U2F JavaScript API. I cannot speak for Apple, but the intention of WebAuthn is that the same API can be used for both an external security key and the local platform authentication capabilities.

The catches for supporting the Apple platform authenticators will likely be:
  • A site needs to ask for authentication from a user-activated event. A site cannot request platform authentication merely from a user loading a page, as the request for authentication will obscure information on the site the user would use to decide whether they want to authenticate or cancel out. Also, repeated attempts to authenticate a user are an abusive user experience.

  • If your site filters which authenticators are usable via attestation, it will need to add support for Apple devices. This may include needing to evaluate a new attestation data format. I haven't seen anything from Apple yet on what they are doing here outside the video, which says that this is not yet available in the first betas.

  • Like with security keys, only the Web Authentication API is supported. U2F is not available on Safari, although I believe site migration from U2F to WebAuthn is supported as described in the WebAuthn spec.
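The three catches above (user activation, platform-authenticator selection, and migrating old U2F registrations through the appid extension) in working client code, as an added example that is not part of the original thread or any Apple or FIDO sample. The relying-party ID, legacy U2F AppID, element id, challenge and credential-ID strings are constructed placeholders; in a real deployment the challenge and credential IDs come from the server.

```javascript
// Added example (not from the original thread). Demonstrates calling WebAuthn
// only from a user gesture, asking for the built-in (platform) authenticator,
// and passing the legacy AppID for credentials registered via the old U2F API.
// RP_ID, LEGACY_U2F_APP_ID and the "signin" element id are assumptions.

const RP_ID = "example.com";                     // assumed relying-party ID
const LEGACY_U2F_APP_ID = "https://example.com"; // assumed former U2F AppID

// base64url -> Uint8Array. WebAuthn takes BufferSource values, while servers
// usually send base64url strings. Works in browsers and in Node (global atob).
function b64urlToBytes(s) {
  const pad = "=".repeat((4 - (s.length % 4)) % 4);
  const bin = atob(s.replace(/-/g, "+").replace(/_/g, "/") + pad);
  const out = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
  return out;
}

// Registration options that ask specifically for the platform authenticator
// and require user verification (biometric or device passcode).
function buildPlatformCreationOptions({ challengeB64url, userIdB64url, userName }) {
  return {
    rp: { id: RP_ID, name: "Example RP" },
    user: { id: b64urlToBytes(userIdB64url), name: userName, displayName: userName },
    challenge: b64urlToBytes(challengeB64url),
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
    authenticatorSelection: {
      authenticatorAttachment: "platform",
      userVerification: "required",
    },
    // "direct" is only useful if the server can parse the attestation format
    // the authenticator returns; otherwise "none" avoids a needless failure.
    attestation: "direct",
    timeout: 60000,
  };
}

// Assertion options. Credentials registered under the old U2F API were scoped
// to the AppID, so they must be presented together with the appid extension;
// without it the authenticator will not recognise them under the RP ID.
function buildAssertionOptions({ challengeB64url, webauthnCredIds, u2fKeyHandles }) {
  const allowCredentials = [...webauthnCredIds, ...u2fKeyHandles]
    .map(id => ({ type: "public-key", id: b64urlToBytes(id) }));
  const options = {
    rpId: RP_ID,
    challenge: b64urlToBytes(challengeB64url),
    allowCredentials,
    userVerification: "preferred",
    timeout: 60000,
  };
  if (u2fKeyHandles.length > 0) options.extensions = { appid: LEGACY_U2F_APP_ID };
  return options;
}

// Refuse to talk to the authenticator unless we are inside a real user gesture.
// Safari's platform authenticator will not prompt otherwise, and prompting on
// page load hides the context a user needs to decide whether to authenticate.
function assertUserActivated(event) {
  if (!event || event.isTrusted !== true) {
    throw new Error("WebAuthn must be invoked from a user-activated event");
  }
  return true;
}

async function signInFromClick(event, params) {
  assertUserActivated(event);
  const publicKey = buildAssertionOptions(params);
  const cred = await navigator.credentials.get({ publicKey });
  // When cred.getClientExtensionResults().appid === true the server must verify
  // the signature against SHA-256(AppID) rather than SHA-256(RP ID).
  return cred;
}

// Browser wiring; a no-op outside a page (e.g. when loaded under Node).
if (typeof document !== "undefined") {
  const btn = document.getElementById("signin");
  if (btn) {
    btn.addEventListener("click", ev =>
      signInFromClick(ev, {
        challengeB64url: "AQIDBAUGBwgJCgsMDQ4PEA", // constructed; fetch from server
        webauthnCredIds: [],
        u2fKeyHandles: [],
      }).catch(err => console.error(err)));
  }
}
```

The server side still has to accept whatever attestation format the new authenticator returns (or request `attestation: "none"` until it does), and must check the `appid` client extension result before choosing which hash to verify the assertion against.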
