The WebAuthn WG has published a Candidate Recommendation Snapshot of Web Authentication Level 2. This specification, with updates to improve usability and support, will supersede the Level 1 Recommendation.
WebAuthn at TPAC 2020
W3C will hold TPAC 2020 as a series of virtual meetings.
WebAuthn will meet on:
Please register to attend.
WebAuthn Adoption Community Group
A WebAuthn Adoption Community Group has formed to coordinate research and actions to help with broader adoption of the Web Authentication ecosystem.
WG Face-to-Face: 26 February
WebAuthn will hold a F2F meeting Wednesday February 26th from 10:30 AM to 5:00PM (Pacific), in San Francisco, California, hosted by Cisco/Duo (details).
An agenda will be posted before the meeting.
Please confirm your attendance via email to Nick Steele.
Meeting Minutes, 2020
2020 WebAuthn WG meeting minutes. The group currently meets weekly on Wednesdays.
- 8 January
- 15 January
- 22 January
- 29 January
- No meeting 5 or 12 February
- 19 February
- 26 February F2F
- 11 March
- 18 March
- 25 March
- 1 April
- 8 April
- 15 April
- 22 April
- 29 April
- 6 May
- 13 May
- 13 May
- 20 May
- 27 May
- 3 June
- 10 June
- 17 June
- 24 June
- 1 July
- 8 July
- 15 July
- 22 July
- 5 August
- 12 August
- 19 August
- 26 August
- 2 September
- 9 September
- 16 September
- 23 September
- 30 September
- 7 October
- 14 October
- 21 October
- 28 October
- 4 November
- 11 November
- 18 November
- 2 December
- 9 December
- 16 December
- End of Year: meetings will resume in 2021
Web Authentication Level 1 is a W3C Recommendation
The Web Authentication Working Group published Web Authentication: An API for accessing Public Key Credentials Level 1 (WebAuthn) as a W3C Recommendation on March 4, 2019. This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users. As a core component of the FIDO Alliance’s FIDO2 set of specifications, WebAuthn is a browser/platform standard for simpler and stronger authentication. It is already supported in Windows 10, Android, and Chrome, Firefox, Edge and Safari Web browsers. Please read more in our Press Release.
Level 2 kickoff meeting: March 7th, San Francisco
The working group will have a face-to-face meeting to kick off work on the level 2 specification on March 7th 2019 at Google’s offices at 345 Spear Street, San Francisco, 10:00 – 17:00. This is the week of the RSA conference.
Meeting Minutes, 2019
2019 WebAuthn WG meeting minutes. The group currently meets weekly on Wednesdays.
- 9 January
- 16 January
- 23 January
- No meeting 30 January (FIDO plenary).
- 6 February
- 13 February
- 20 February
- 27 February
- F2F, 7 March
- 13 March
- 20 March
- 3 April
- 17 April
- 24 April
- 1 May
- 8 May
- 15 May
- 29 May
- 5 June
- 12 June
- 19 June
- 26 June
- No meeting 3 July
- 10 July
- 17 July
- 31 July
- 7 August
- 14 August
- 21 August
- 28 August
- 04 September
- 11 September
- TPAC F2F, 20 September
- 02 October
- 09 October
- 16 October
- 30 October
- 6 November
- 27 November
- 4 December
- 11 December
Candidate Recommendation (CR) for Web Authentication Specification
The W3C Web Authentication working group is pleased to announce that the Web Authentication specification (WebAuthn) has attained Candidate Recommendation (CR) maturity level. This is a major step towards enabling practical, strong, privacy–preserving authentication on the Web. Web Authentication is a challenge-response protocol employing strongly secure public key cryptography, with per-website key pairs, rather than the simple presentation of phishable, possibly re-used, passwords.
This version is informed by several rounds of interoperability testing among multiple browser and authenticator vendors. Members of the working group have closely coordinated with the FIDO Alliance to ensure that FIDO2 Client To Authenticator Protocol (CTAP) implementations will work well with WebAuthn. We have also closely coordinated with the W3C Credential Management API work.
The abstract of the specification is:
This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users. Conceptually, one or more public key credentials, each scoped to a given Relying Party, are created and stored on an authenticator by the user agent in conjunction with the web application. The user agent mediates access to public key credentials in order to preserve user privacy. Authenticators are responsible for ensuring that no operation is performed without user consent. Authenticators provide cryptographic proof of their properties to relying parties via attestation. This specification also describes the functional model for WebAuthn conformant authenticators, including their signature and attestation functionality.
Public implementations in Firefox and Chrome
Chrome and Firefox now have public client-side implementations of the Web Authentication API (Working Draft version 7).
Firefox’s implementation is in Firefox Nightly. It is scheduled to migrate to the Firefox Beta and Developer editions in March and to the release edition in May.
Chrome’s implementation is hidden behind a flag in Chrome 65.
J.C. Jones has a blog post with pointers to some some server-side code for testing.