Intent to Ship: WebAuthn minPinLength extension


Adam Langley

Nov 5, 2021, 3:55:17 PM
to blink-dev

Contact emails

a...@chromium.org

Explainer

https://github.com/w3c/webauthn/wiki/Explainer:-minPinLength

Specification

https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#sctn-minpinlength-extension

Summary

Expose the CTAP 2.1 minPinLength extension via WebAuthn. This extension allows sites that have been preconfigured on a security key to learn the configured minimum PIN length for the authenticator. This is useful for regulatory compliance.


Blink component

Blink>WebAuthentication

TAG review

https://github.com/w3ctag/design-reviews/issues/687

TAG review status

Pending

Risks

Interoperability and Compatibility


Gecko: Neutral. Dan Veditz said on this week's WebAuthn WG call "I don't think our privacy folks would object" and said that it was ok if I quote him so long as the "I don't think" was included.

WebKit: No signal

Web developers: No public signals. (This is a very enterprise focused feature.)

Debuggability

DevTools supports the creation of virtual authenticators for debugging and testing. The virtual authenticators have support for the minPinLength extension.


Is this feature fully tested by web-platform-tests?

Yes

Requires code in //chrome?

False

Estimated milestones

M98


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5729885776510976

Links to previous Intent discussions

Intent to prototype: https://groups.google.com/a/chromium.org/g/blink-dev/c/t_9QdJ7hcls/m/CAAOGBIVBgAJ
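
The extension output is returned inside the signed authenticator data rather than as a client extension result, so a relying party that requested it with extensions: {minPinLength: true} at credential creation reads it server-side. The following is an added example, not code from this thread or from Chromium: it parses authenticator data and returns the reported minimum PIN length. The names cbor, readMinPinLength and SAMPLE_AUTH_DATA are hypothetical, the sample bytes are constructed, and it assumes the attestation has already been verified.

```javascript
// Minimal CBOR reader (ints, byte/text strings, maps); hypothetical helper, not a general decoder.
function cbor(buf, pos) {
  if (pos >= buf.length) throw new Error("truncated CBOR");
  const major = buf[pos] >> 5, info = buf[pos++] & 0x1f;
  let n = info;
  if (info >= 24 && info <= 26) {            // 1-, 2- or 4-byte argument follows
    const end = pos + (1 << (info - 24));
    if (end > buf.length) throw new Error("truncated CBOR");
    for (n = 0; pos < end; pos++) n = n * 256 + buf[pos];
  } else if (info > 26) throw new Error("unsupported CBOR argument");
  if (major === 0) return [n, pos];
  if (major === 1) return [-1 - n, pos];
  if (major === 2 || major === 3) {
    const bytes = buf.subarray(pos, pos + n);
    if (bytes.length !== n) throw new Error("truncated CBOR string");
    return [major === 3 ? new TextDecoder().decode(bytes) : bytes, pos + n];
  }
  if (major !== 5) throw new Error("unsupported CBOR major type " + major);
  const map = new Map();
  for (let i = 0; i < n; i++) {
    let k, v;
    [k, pos] = cbor(buf, pos);
    [v, pos] = cbor(buf, pos);
    map.set(k, v);
  }
  return [map, pos];
}

// Returns the minPinLength extension output, or null when the authenticator did not send one.
function readMinPinLength(authData) {
  if (authData.length < 37) throw new Error("authenticator data too short");
  const flags = authData[32];
  let pos = 37;                              // rpIdHash(32) + flags(1) + signCount(4)
  if (flags & 0x40) {                        // AT: attested credential data present
    pos += 18 + ((authData[pos + 16] << 8) | authData[pos + 17]); // aaguid, idLen, id
    [, pos] = cbor(authData, pos);           // skip the COSE public key
  }
  if (!(flags & 0x80)) return null;          // ED: no extension data
  const [ext, end] = cbor(authData, pos);
  if (end !== authData.length || !(ext instanceof Map)) throw new Error("malformed extension data");
  const v = ext.get("minPinLength");
  return Number.isInteger(v) && v >= 0 ? v : null;
}

// Constructed sample: rpIdHash 0xaa.., flags UP|UV|AT|ED, signCount 1, zero AAGUID,
// 4-byte credential ID, stub COSE key {1: 2, 3: -7}, extensions {"minPinLength": 6}.
const SAMPLE_HEX = "aa".repeat(32) + "c5" + "00000001" + "00".repeat(16) + "0004" + "01020304" +
  "a201020326" + "a16c" + "6d696e50696e4c656e677468" + "06";
const SAMPLE_AUTH_DATA = Uint8Array.from(SAMPLE_HEX.match(/../g), (h) => parseInt(h, 16));
```

A null result means the authenticator returned no value for this relying party, which is different from a reported length that falls below policy.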

John Bradley

Nov 5, 2021, 5:36:42 PM
to blink-dev, a...@chromium.org
Yubico has both enterprise and government customers in the US and Europe that desire this feature. We are waiting for Chrome and Windows client support, to make this practical for customers to deploy. All of our current CTAP2.1 security keys support this extension.

Akshay Kumar

Nov 6, 2021, 1:37:17 AM
to blink-dev, John Bradley, a...@chromium.org, Akshay Kumar
Microsoft supports adding this extension. 

Akshay Kumar
(Microsoft)

Chris Harrelson

Nov 18, 2021, 3:14:58 PM
to Akshay Kumar, blink-dev, John Bradley, a...@chromium.org, Akshay Kumar
Hi, could you ask for signals via http://bit.ly/blink-signals? Really sorry we sent this request so late.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/c69fc8b8-9754-4564-a760-b036441bb899n%40chromium.org.

Mike West

Nov 24, 2021, 8:59:28 AM
to Chris Harrelson, Akshay Kumar, blink-dev, John Bradley, a...@chromium.org, Akshay Kumar
LGTM1.

I agree with Chris that we should be explicitly asking for other vendors' signals here, but I think this is a reasonable addition to the WebAuthn API surface with a pretty clear enterprise use case that's a legitimate thing for the web to support. It doesn't add any identifying information to the platform by default, and information added as a result of credential creation is both user-mediated and opted-into by the authenticator's owner.

-mike


Alex Russell

Nov 24, 2021, 11:34:59 AM
to blink-dev, Mike West, Akshay Kumar, blink-dev, John Bradley, Adam Langley, Akshay Kumar, Chris Harrelson
LGTM2


Chris Harrelson

Nov 24, 2021, 11:35:26 AM
to Mike West, Akshay Kumar, blink-dev, John Bradley, a...@chromium.org, Akshay Kumar
LGTM2, conditioned on sending the signals requests and posting the links here. Adam could you send those?

Chris Harrelson

Nov 24, 2021, 11:35:55 AM
to Mike West, Akshay Kumar, blink-dev, John Bradley, a...@chromium.org, Akshay Kumar
Make mine LGTM3 :)

Adam Langley

Nov 24, 2021, 12:06:21 PM
to Chris Harrelson, Mike West, Akshay Kumar, blink-dev, John Bradley, Akshay Kumar
On Wed, Nov 24, 2021 at 8:35 AM Chris Harrelson <chri...@chromium.org> wrote:
> LGTM2, conditioned on sending the signals requests and posting the links here. Adam could you send those?

I suspect that a number of people are away currently so I was waiting to see if there were any replies, but the requests were sent last week:




Cheers

AGL