Intent to Ship: WebAuthn minPinLength extension


Adam Langley

Nov 5, 2021, 3:55:17 PM
to blink-dev

Contact emails

a...@chromium.org

Explainer

https://github.com/w3c/webauthn/wiki/Explainer:-minPinLength

Specification

https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#sctn-minpinlength-extension

Summary

Expose the CTAP 2.1 minPinLength extension via WebAuthn. This extension allows sites that have been preconfigured on a security key to learn the configured minimum PIN length for the authenticator. This is useful for regulatory compliance.


Blink component

Blink>WebAuthentication

TAG review

https://github.com/w3ctag/design-reviews/issues/687

TAG review status

Pending

Risks

Interoperability and Compatibility


Gecko: Neutral. Dan Veditz said on this week's WebAuthn WG call "I don't think our privacy folks would object" and said that it was ok if I quote him so long as the "I don't think" was included.

WebKit: No signal

Web developers: No public signals. (This is a very enterprise focused feature.)

Debuggability

DevTools supports the creation of virtual authenticators for debugging and testing. The virtual authenticators have support for the minPinLength extension.


Is this feature fully tested by web-platform-tests?

Yes

Requires code in //chrome?

False

Estimated milestones

M98


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5729885776510976

Links to previous Intent discussions

Intent to prototype: https://groups.google.com/a/chromium.org/g/blink-dev/c/t_9QdJ7hcls/m/CAAOGBIVBgAJ
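
What a relying party does with the extension described in the Summary, as an added example (not Chromium's code and not part of the original post): after a `navigator.credentials.create()` call that set `extensions: { minPinLength: true }`, the authenticator's answer arrives in the CBOR extensions map of the authenticator data, as defined in the CTAP 2.1 section linked above, and the server compares it with its policy. `readCbor`, `minPinLengthFromAuthData`, `meetsPinPolicy` and the sample bytes are constructed for illustration and assume a Node.js `Buffer` as input.

```javascript
// Minimal CBOR reader -> [value, nextOffset]; ints, strings, maps and booleans only.
function readCbor(buf, pos) {
  if (pos >= buf.length) throw new Error('truncated CBOR');
  const major = buf[pos] >> 5, info = buf[pos++] & 0x1f;
  if (info > 26) throw new Error('unsupported CBOR argument');
  const size = info < 24 ? 0 : 1 << (info - 24);      // 0, 1, 2 or 4 argument bytes
  const n = size ? buf.readUIntBE(pos, size) : info;  // RangeError if truncated
  pos += size;
  if (major <= 1) return [major ? -1 - n : n, pos];
  if (major === 2 || major === 3) {
    if (pos + n > buf.length) throw new Error('truncated CBOR');
    const bytes = buf.subarray(pos, pos + n);
    return [major === 3 ? bytes.toString('utf8') : bytes, pos + n];
  }
  if (major === 5) {
    const map = new Map();
    for (let i = 0; i < n; i++) {
      const [k, p] = readCbor(buf, pos), [v, q] = readCbor(buf, p);
      map.set(k, v);
      pos = q;
    }
    return [map, pos];
  }
  if (major === 7 && (info === 20 || info === 21)) return [info === 21, pos];
  throw new Error('unsupported CBOR type');
}

// Returns the minimum PIN length reported by the authenticator, or null if absent.
function minPinLengthFromAuthData(authData) {
  if (authData.length < 37) throw new Error('authData too short');
  const flags = authData[32];
  let pos = 37;                                   // rpIdHash(32) + flags(1) + signCount(4)
  if (flags & 0x40) {                             // AT: skip aaguid, credential ID, COSE key
    pos += 18 + authData.readUInt16BE(pos + 16);
    [, pos] = readCbor(authData, pos);
  }
  if (!(flags & 0x80)) return null;               // ED clear: no extension outputs
  const [ext, end] = readCbor(authData, pos);
  if (!(ext instanceof Map) || end !== authData.length) throw new Error('bad extensions');
  const v = ext.get('minPinLength');
  return Number.isInteger(v) && v >= 0 ? v : null;
}

// RP policy: a key that reports nothing (e.g. RP ID not preconfigured) fails the check.
const meetsPinPolicy = (ad, required) => (minPinLengthFromAuthData(ad) ?? -1) >= required;

// Constructed sample (not a real credential): flags 0xC5 = UP|UV|AT|ED, minPin 0..9.
const sampleAuthData = (minPin) => Buffer.from(
  '00'.repeat(32) + 'c500000000' + '00'.repeat(16) + '000401020304' +  // header, aaguid, credId
  'a50102032620012142aabb2242ccdd' + 'a16c6d696e50696e4c656e6774680' + minPin, 'hex');
```

The reported value is only as trustworthy as the authenticator data that carries it, so run the check after the attestation signature over that data has been verified.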

John Bradley

Nov 5, 2021, 5:36:42 PM
to blink-dev, a...@chromium.org
Yubico has both enterprise and government customers in the US and Europe that desire this feature. We are waiting for Chrome and Windows client support to make this practical for customers to deploy. All of our current CTAP2.1 security keys support this extension.

Akshay Kumar

Nov 6, 2021, 1:37:17 AM
to blink-dev, John Bradley, a...@chromium.org, Akshay Kumar
Microsoft supports adding this extension. 

Akshay Kumar
(Microsoft)

Chris Harrelson

Nov 18, 2021, 3:14:58 PM
to Akshay Kumar, blink-dev, John Bradley, a...@chromium.org, Akshay Kumar
Hi, could you ask for signals via http://bit.ly/blink-signals? Really sorry we sent this request so late.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/c69fc8b8-9754-4564-a760-b036441bb899n%40chromium.org.

Mike West

Nov 24, 2021, 8:59:28 AM
to Chris Harrelson, Akshay Kumar, blink-dev, John Bradley, a...@chromium.org, Akshay Kumar
LGTM1.

I agree with Chris that we should be explicitly asking for other vendors' signals here, but I think this is a reasonable addition to the WebAuthn API surface with a pretty clear enterprise use case that's a legitimate thing for the web to support. It doesn't add any identifying information to the platform by default, and information added as a result of credential creation is both user-mediated and opted into by the authenticator's owner.

-mike


Alex Russell

Nov 24, 2021, 11:34:59 AM
to blink-dev, Mike West, Akshay Kumar, blink-dev, John Bradley, Adam Langley, Akshay Kumar, Chris Harrelson
LGTM2


Chris Harrelson

Nov 24, 2021, 11:35:26 AM
to Mike West, Akshay Kumar, blink-dev, John Bradley, a...@chromium.org, Akshay Kumar
LGTM2, conditioned on sending the signals requests and posting the links here. Adam, could you send those?

Chris Harrelson

Nov 24, 2021, 11:35:55 AM
to Mike West, Akshay Kumar, blink-dev, John Bradley, a...@chromium.org, Akshay Kumar
Make mine LGTM3 :)

Adam Langley

Nov 24, 2021, 12:06:21 PM
to Chris Harrelson, Mike West, Akshay Kumar, blink-dev, John Bradley, Akshay Kumar
On Wed, Nov 24, 2021 at 8:35 AM Chris Harrelson <chri...@chromium.org> wrote:
> LGTM2, conditioned on sending the signals requests and posting the links here. Adam could you send those?

I suspect that a number of people are away currently so I was waiting to see if there were any replies, but the requests were sent last week:




Cheers

AGL

John Bradley

Oct 11, 2022, 9:51:47 PM
to blink-dev, a...@chromium.org, mk...@chromium.org, Akshay Kumar, blink-dev, John Bradley, Akshay Kumar, Chris Harrelson
This seems to still be waiting for implementation.  

Is something holding it up?

Now that Windows 11 22H2 has been released with CTAP2.1 support we are getting complaints that it is not working.

Any ETA on passing the extension?

John B.

Adam Langley

Oct 12, 2022, 12:59:13 PM
to John Bradley, blink-dev, mk...@chromium.org, Akshay Kumar, Akshay Kumar, Chris Harrelson
On Tue, Oct 11, 2022 at 6:51 PM John Bradley <jbra...@yubico.com> wrote:
> This seems to still be waiting for implementation.
>
> Is something holding it up?
>
> Now that Windows 11 22H2 has been released with CTAP2.1 support we are getting complaints that it is not working.
>
> Any ETA on passing the extension?

The extension is getting passed to Windows and functioned on a 22H2 pre-release. I'll look and see if something became misaligned on the path to 22H2-actual since our unit tests are not able to exercise these OS interfaces fully.


Cheers

AGL 