Meeting Minutes, 2020

2020 WebAuthn WG meeting minutes. The group currently meets weekly on Wednesdays.

Previous years’ minutes:
2019, 2018, 2017, and 2016

Web Authentication Level 1 is a W3C Recommendation

WebAuthn LogoThe Web Authentication Working Group published Web Authentication: An API for accessing Public Key Credentials Level 1 (WebAuthn) as a W3C Recommendation on March 4, 2019. This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users. As a core component of the FIDO Alliance’s FIDO2 set of specifications, WebAuthn is a browser/platform standard for simpler and stronger authentication. It is already supported in Windows 10, Android, and Chrome, Firefox, Edge and Safari Web browsers. Please read more in our Press Release.

Meeting Minutes, 2019

2019 WebAuthn WG meeting minutes. The group currently meets weekly on Wednesdays.

Previous years’ minutes:
2018, 2017, and 2016

Candidate Recommendation (CR) for Web Authentication Specification

The W3C Web Authentication working group is pleased to announce that the Web Authentication specification (WebAuthn) has attained Candidate Recommendation (CR) maturity level. This is a major step towards enabling practical, strong, privacy–preserving authentication on the Web. Web Authentication is a challenge-response protocol employing strongly secure public key cryptography, with per-website key pairs, rather than the simple presentation of phishable, possibly re-used, passwords.

This version is informed by several rounds of interoperability testing among multiple browser and authenticator vendors. Members of the working group have closely coordinated with the FIDO Alliance to ensure that FIDO2 Client To Authenticator Protocol (CTAP) implementations will work well with WebAuthn. We have also closely coordinated with the W3C Credential Management API work.

The abstract of the specification is:

This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users. Conceptually, one or more public key credentials, each scoped to a given Relying Party, are created and stored on an authenticator by the user agent in conjunction with the web application. The user agent mediates access to public key credentials in order to preserve user privacy. Authenticators are responsible for ensuring that no operation is performed without user consent. Authenticators provide cryptographic proof of their properties to relying parties via attestation. This specification also describes the functional model for WebAuthn conformant authenticators, including their signature and attestation functionality.

Public implementations in Firefox and Chrome

Chrome and Firefox now have public client-side implementations of the Web Authentication API (Working Draft version 7).

Firefox’s implementation is in Firefox Nightly. It is scheduled to migrate to the Firefox Beta and Developer editions in March and to the release edition in May.

Chrome’s implementation is hidden behind a flag in Chrome 65.

J.C. Jones has a blog post with pointers to some some server-side code for testing.