Intent to Implement: Web Authentication API for Chrome


Kim

Nov 11, 2016, 4:18:17 PM
to blink-dev

Contact emails

kpaul...@chromium.org, acze...@chromium.org, juan...@chromium.org, pip...@chromium.org


Spec

Editor's draft


Summary

An API to allow the creation and use of strong, attested, cryptographic scoped credentials by web applications, for the purpose of strongly authenticating users.


Motivation

The Web Authentication API is a new web standard that subsumes FIDO U2F and provides additional non-phishable authentication capabilities. The initial implementation of the spec will allow migration of current U2F API callers from the existing Chrome component extension -- allowing Chrome to eventually deprecate the extension. This implementation would also serve as one of the 2 implementations needed for standards viability.


Some platforms may provide partial implementations of the Web Authentication specification (e.g., for communicating with Authenticators) -- in such cases Chrome will try to use these APIs.


Interoperability and Compatibility Risk

Firefox: In development

Edge: In development

Safari: No public signals

Web developers: No public signals


Low. We don’t intend to ship until we demonstrate interoperability with Firefox for a standardized version of the spec.


Ongoing technical constraints

None.


Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

This feature will be supported on all platforms except for Android WebView.


OWP launch tracking bug


Link to entry on the feature dashboard


Requesting approval to ship?

No.


Rick Byers

Nov 12, 2016, 2:24:59 PM
to Kim, Sabine Borsay, blink-dev
I'm excited to see this work happening!  Reducing the dependence on passwords for security on the web is critical to the platform's health!

I talked with Sabine (web platform security team PM) about this a bit at Chrome Dev summit, and it sounds like her team is also involved and available to provide any help or guidance you need getting this into blink.

On Fri, Nov 11, 2016 at 1:18 PM, Kim <kpaul...@chromium.org> wrote:

Interoperability and Compatibility Risk

Firefox: In development

Edge: In development


According to their status page and this blog post, Edge has been shipping a prefixed version (limited to Windows Hello) for a while.  Hopefully we can work closely with the Edge team (as we have been elsewhere) to get some version (or subset) of the API we can both ship unprefixed ASAP!

Jochen Eisinger

Nov 12, 2016, 2:27:59 PM
to Rick Byers, Kim, Sabine Borsay, blink-dev
It's not entirely clear to me what led to the decision to add a new API for this as opposed to iterating on the credential management API. I wonder whether it was possible to unify the two?

Rick Byers

Nov 12, 2016, 2:48:15 PM
to Jochen Eisinger, Kim, Sabine Borsay, blink-dev
Looks like there's some TAG feedback and limited discussion here but very little details (just "no longer makes sense").  Perhaps you want to comment on it (or file a new spec issue) asking for details?

Kimberly Paulhamus

Nov 14, 2016, 1:54:30 PM
to Rick Byers, Jochen Eisinger, Kim, Sabine Borsay, blink-dev
AFAIK, the webauthn spec editors have spoken with Mike West, the credential management API editor. They'd be the best points of contact to comment on that. I see you already asked a question on the webauthn issue, so I'll leave it to them to comment there.


Jochen Eisinger

Nov 28, 2016, 10:15:17 AM
to Kimberly Paulhamus, Rick Byers, Kim, Sabine Borsay, blink-dev
Any update on this? I talked with Mike and he was positive that it would make sense to iterate on credential management as opposed to adding a new API.

Colin Blundell

Jan 19, 2017, 5:12:29 AM
to Jochen Eisinger, Kimberly Paulhamus, Rick Byers, Kim, Sabine Borsay, blink-dev
I'm curious as to whether there's an update here. I looked through the GitHub issue but wasn't able to find the question that Jochen asked there.

domsch...@gmail.com

Jun 16, 2020, 11:53:55 AM
to blink-dev
I know this is an old thread, but if anyone is still searching for a way to support WebAuthn in Android's WebView:
We implemented support in our SDK: https://hwsecurity.dev/guide/fido-webview/

Don't hesitate to contact us.

TheAkashicTraveller

Apr 5, 2021, 1:26:15 PM
to blink-dev, kpaul...@chromium.org
"This feature will be supported on all platforms except for Android WebView."
Why not? You'd think with Google working on this from the start they'd be pushing to actually get it properly supported and convenient to use.