Intent to Prototype: WebAuthentication API: ResidentKeyRequirement and credProps extension

52 views
Skip to first unread message

Martin Kreichgauer

unread,
Aug 19, 2020, 3:40:02 PM8/19/20
to blin...@chromium.org

Contact emails

mart...@google.com

Explainer

https://github.com/w3c/webauthn/issues/991

Specification

https://w3c.github.io/webauthn/#dom-authenticatorselectioncriteria-residentkey

Design docs

https://github.com/w3c/webauthn/pull/1191

TAG review

N/A (minor API change)

Summary

Adds support for the AuthenticatorSelectionCriteria.residentKey property to specify during Web Authentication API (WebAuthn) credential registration whether a client-side discoverable credential should be created. Also adds support for the WebAuthn "credProps" extension, which indicates to the Relying Party whether a created credential is client-side discoverable.

Motivation

"Client-side discoverable credentials" are a type of WebAuthn credential that can be challenged by a Relying Party (RP) without needing to provide the credential ID in the WebAuthn API request. Browsers display a list of all discoverable credentials from a given authenticator (external security key or built-in) and let the user choose one to sign in with. Chrome already supports registration of client-side discoverable WebAuthn credentials via the boolean AuthenticatorSelection.requireResidentKey property. The WebAuthn Level 2 spec adds an alternative, enum-valued residentKey property. Two values of that enum, "discouraged" and "required", correspond exactly to the boolean values of requireResidentKey. The third, middle value ("preferred") lets the RP express that the browser should try to create a client-side discoverable credential, but that it may fall back to a non-discoverable credential if the authenticator presented by the user doesn't support it (e.g. a U2F/CTAP1 security key). The credProps extension (https://w3c.github.io/webauthn/#credprops) can be used to report at registration time whether the newly created credential is client-side discoverable or not. This is useful for the RP in the "preferred" case.

Risks



Interoperability and Compatibility

Support on Windows >= 1903 depends on Microsoft implementing it in Windows. Support on Android depends on Android's WebAuthn library supporting it. Android WebView does not support WebAuthn.

Gecko: No signal

WebKit: No signal

Web developers: No signals


Debuggability

This feature will be supported by Chrome's Virtual Authenticator API implementation.

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

No Support on Windows >= 1903 depends on Microsoft implementing it in Windows. Support on Android depends on Android's WebAuthn library supporting it. Android WebView does not support WebAuthn.

Is this feature fully tested by web-platform-tests?

No This feature will be supported by Chrome's Virtual Authenticator implementation and will be covered by WPTs.

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5701094648840192
Reply all
Reply to author
Forward
0 new messages