Intent to Ship: [WebAuthn] Authenticator Attachment in Public Key Credential

277 views
Skip to first unread message

zakaria ridouh

unread,
Oct 13, 2021, 12:17:23 PM10/13/21
to blin...@chromium.org

Contact emails

rid...@google.com


Explainer

Add the authenticator attachment (platform/cross-platform) used during both registration and authentication to the public key credential payload returned from the browser to the RP/relying party (website/application etc).


This feature enables the following flow: 

If the proposed authenticator attachment field of the attestation/assertion is “cross-platform”, and isUVPAA (i.e a user-verifying platform authenticator is available, already available within Chrome) returns true, then sites should have the ability to offer to the user to register the current device's platform authenticator.


This provides a superior user experience, by removing the need for the user to authenticate using a cross platform authenticator, and instead use the built in authenticator.


-- Development Bug: https://bugs.chromium.org/p/chromium/issues/detail?id=1243721


Specification

W3C Spec Change Merged.

https://github.com/w3c/webauthn/pull/1668


Summary

Add the authenticator attachment (platform/cross-platform) used during both registration and authentication to the public key credential payload returned from the browser to the relying party (website/application etc).


Blink component

Blink>WebAuthentication


TAG review

N/A

TAG review status

N/A


Risks

N/A


Interoperability and Compatibility

Gecko: No signal

WebKit: No signal

Web developers: No signals


Edge: Support Signals


Debuggability:

Use WebAuthn tab on Chrome Dev Tools, and based on which transport is picked, the authenticator attachment value on Public Key Credential following successful registration or authentication will be different (platform vs cross-platform).


Is this feature fully tested by web-platform-tests?

Yes. Link to WPT CL: https://chromium-review.googlesource.com/c/chromium/src/+/3198901


Flag name

#enable-web-authentication-authenticator-attachment


Requires code in //chrome?

False


Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1243721


Launch bug

N/A


Estimated milestones

No milestones specified


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5698986645127168


This intent message was generated by Chrome Platform Status.

Yoav Weiss

unread,
Oct 14, 2021, 4:49:39 AM10/14/21
to zakaria ridouh, blink-dev
On Wed, Oct 13, 2021 at 6:17 PM 'zakaria ridouh' via blink-dev <blin...@chromium.org> wrote:

Contact emails

rid...@google.com


Explainer

Add the authenticator attachment (platform/cross-platform) used during both registration and authentication to the public key credential payload returned from the browser to the RP/relying party (website/application etc).


This feature enables the following flow: 

If the proposed authenticator attachment field of the attestation/assertion is “cross-platform”, and isUVPAA (i.e a user-verifying platform authenticator is available, already available within Chrome) returns true, then sites should have the ability to offer to the user to register the current device's platform authenticator.


This provides a superior user experience, by removing the need for the user to authenticate using a cross platform authenticator, and instead use the built in authenticator.


-- Development Bug: https://bugs.chromium.org/p/chromium/issues/detail?id=1243721


Apologies, but it's not clear to me what this does. A higher-level explainer may be helpful here.
 


Specification

W3C Spec Change Merged.

https://github.com/w3c/webauthn/pull/1668


Summary

Add the authenticator attachment (platform/cross-platform) used during both registration and authentication to the public key credential payload returned from the browser to the relying party (website/application etc).


Blink component

Blink>WebAuthentication


TAG review

N/A


Why is a TAG review not applicable? 

TAG review status

N/A


Risks

N/A


Interoperability and Compatibility

Gecko: No signal

WebKit: No signal


Could you ask for signals? https://bit.ly/blink-signals
Otherwise, we can't assess the interoperability risk of this change. (i.e. whether other browser engines are likely to follow)
 

Web developers: No signals

 
Are developers likely to adopt this? If not, why are we adding this?


Edge: Support Signals

Any links?
 


Debuggability:

Use WebAuthn tab on Chrome Dev Tools, and based on which transport is picked, the authenticator attachment value on Public Key Credential following successful registration or authentication will be different (platform vs cross-platform).


Is this feature fully tested by web-platform-tests?

Yes. Link to WPT CL: https://chromium-review.googlesource.com/c/chromium/src/+/3198901


Flag name

#enable-web-authentication-authenticator-attachment


Requires code in //chrome?

False


Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1243721


Launch bug

N/A


Estimated milestones

No milestones specified


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5698986645127168


This intent message was generated by Chrome Platform Status.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACR%2Ba_t2QFLf14CKJkG0JfefghZJ2D-ysNBf8BkTGUc%2BX_KU9A%40mail.gmail.com.

David Waite

unread,
Oct 14, 2021, 5:53:33 PM10/14/21
to blink-dev, yoav...@chromium.org, blink-dev, zakaria ridouh
Not knowing Blink's policies here, I'd like to point out that while the PR was merged, the WebAuthn WG charter that would lead to Level 3 has not yet been approved.
CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.

Domenic Denicola

unread,
Oct 14, 2021, 5:58:00 PM10/14/21
to David Waite, blink-dev, yoav...@chromium.org, zakaria ridouh
On Thu, Oct 14, 2021 at 5:53 PM 'David Waite' via blink-dev <blin...@chromium.org> wrote:
Not knowing Blink's policies here, I'd like to point out that while the PR was merged, the WebAuthn WG charter that would lead to Level 3 has not yet been approved.

You can learn more about Blink's policies here on this page; the section titled "Specifications" is probably the most relevant.
 

Adam Langley

unread,
Oct 15, 2021, 3:15:34 PM10/15/21
to blink-dev, yoav...@chromium.org, blink-dev, zakaria ridouh
On Thursday, October 14, 2021 at 1:49:39 AM UTC-7 yoav...@chromium.org wrote:
Apologies, but it's not clear to me what this does. A higher-level explainer may be helpful here.

When returning a WebAuthn assertion, browsers will say whether the assertion came from a removable device or not. I.e. if you touch a security key it'll say "cross-platform", but if you use Touch ID / Windows Hello it'll say "platform".

Sites could already figure this out because they learn the supported transports of an authenticator during registration and removable devices offer things like "usb" or "ble", while the platform authenticators (Touch ID / Hello) say "internal". But we want to make this simpler for sites so that they have a clear signal when offering to register the platform as an authenticator might be useful.

The vision is that, when phones are fully usable as security keys, users will be able to sign into sites on a desktop browser with them. But that site might want to know that a "removable" device was used (e.g. a phone) because registering the platform authenticator for future sign-ins is probably a better experience.


TAG review

N/A


Why is a TAG review not applicable? 

Seems like a very minor change and TAG is a very heavy process.
 

Web developers: No signals

 
Are developers likely to adopt this? If not, why are we adding this?

Other parts of an ecosystem need to slot into place in order for everything to hang together: phones as security keys, syncing credentials, conditional UI, etc. So developers are probably uninterested in this part in isolation, but all together there's a fair amount of interest. GitHub, at least, are public about WebAuthn L2 being insufficient without several of changes in this set: 1 2 3.
 


Edge: Support Signals

Any links?

Microsoft supporting here. (See "Assertion Transports" section; WG discussion changed "transports" to "attachment", which is what this thread is talking about.)


Cheers

AGL

Alex Russell

unread,
Oct 21, 2021, 3:23:45 PM10/21/21
to blink-dev, Adam Langley, Yoav Weiss, blink-dev, zakaria ridouh
Thanks for explaining, Adam.

I'm LGTM1 contingent on:
  • An explainer being produced with at least the content of Adam's last post being included.
  • An FYI being sent to the TAG w/ that Explainer attached. We don't have a policy that allows folks to arbitrarily decide not to send things to them w/o justification.
Thanks

Mike West

unread,
Oct 28, 2021, 2:28:30 PM10/28/21
to Alex Russell, blink-dev, Adam Langley, Yoav Weiss, zakaria ridouh
LGTM2 with similar caveats to Alex's comments above. I realize that this is a small change, but I hope that also means that the work required to produce a clear explanation of the change is minimal. Alternatively, it might be helpful to produce an explainer walking through the overarching story around phones as authenticators, with this as a small piece of that bigger picture. That might be more valuable, both for you and for the TAG.

-mike


--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/dd8302d9-709c-4d5a-9d14-b33da77039f8n%40chromium.org.

Yoav Weiss

unread,
Oct 28, 2021, 2:28:32 PM10/28/21
to blink-dev, Alex Russell, Adam Langley, Yoav Weiss, blink-dev, zakaria ridouh
LGTM2 with similar conditions.

Yoav Weiss

unread,
Oct 28, 2021, 3:20:05 PM10/28/21
to blink-dev, Yoav Weiss, Alex Russell, Adam Langley, blink-dev, zakaria ridouh
LGTM3 even

Adam Langley

unread,
Nov 1, 2021, 7:37:57 PM11/1/21
to blink-dev, Alex Russell, Adam Langley, Yoav Weiss, blink-dev, zakaria ridouh
On Thursday, October 21, 2021 at 12:23:45 PM UTC-7 Alex Russell wrote:
Thanks for explaining, Adam.

I'm LGTM1 contingent on:
  • An explainer being produced with at least the content of Adam's last post being included.
  • An FYI being sent to the TAG w/ that Explainer attached. We don't have a policy that allows folks to arbitrarily decide not to send things to them w/o justification.
Thanks. We decided to send TAG a request to review the whole thing because sooner is probably best and it only really makes sense as a whole. This change is included in that under the title "Assertion attachment".


Cheers

AGL
Reply all
Reply to author
Forward
0 new messages