Intent to Prototype: WebAuthentication API: ResidentKeyRequirement and credProps extension


Martin Kreichgauer

Aug 19, 2020, 3:40:02 PM
to blin...@chromium.org

Contact emails

mart...@google.com

Explainer

https://github.com/w3c/webauthn/issues/991

Specification

https://w3c.github.io/webauthn/#dom-authenticatorselectioncriteria-residentkey

Design docs

https://github.com/w3c/webauthn/pull/1191

TAG review

N/A (minor API change)

Summary

Adds support for the AuthenticatorSelectionCriteria.residentKey property to specify during Web Authentication API (WebAuthn) credential registration whether a client-side discoverable credential should be created. Also adds support for the WebAuthn "credProps" extension, which indicates to the Relying Party whether a created credential is client-side discoverable.

Motivation

"Client-side discoverable credentials" are a type of WebAuthn credential that can be challenged by a Relying Party (RP) without needing to provide the credential ID in the WebAuthn API request. Browsers display a list of all discoverable credentials from a given authenticator (external security key or built-in) and let the user choose one to sign in with. Chrome already supports registration of client-side discoverable WebAuthn credentials via the boolean AuthenticatorSelection.requireResidentKey property. The WebAuthn Level 2 spec adds an alternative, enum-valued residentKey property. Two values of that enum, "discouraged" and "required", correspond exactly to the boolean values of requireResidentKey. The third, middle value ("preferred") lets the RP express that the browser should try to create a client-side discoverable credential, but that it may fall back to a non-discoverable credential if the authenticator presented by the user doesn't support it (e.g. a U2F/CTAP1 security key). The credProps extension (https://w3c.github.io/webauthn/#credprops) can be used to report at registration time whether the newly created credential is client-side discoverable or not. This is useful for the RP in the "preferred" case.

Risks

Interoperability and Compatibility

Support on Windows >= 1903 depends on Microsoft implementing it in Windows. Support on Android depends on Android's WebAuthn library supporting it. Android WebView does not support WebAuthn.

Gecko: No signal

WebKit: No signal

Web developers: No signals

Debuggability

This feature will be supported by Chrome's Virtual Authenticator API implementation.

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

No. Support on Windows >= 1903 depends on Microsoft implementing it in Windows. Support on Android depends on Android's WebAuthn library supporting it. Android WebView does not support WebAuthn.

Is this feature fully tested by web-platform-tests?

No. This feature will be supported by Chrome's Virtual Authenticator implementation and will be covered by WPTs.

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5701094648840192
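As an added example (not code from the original post, the WebAuthn spec or Chromium), the snippet below shows how a Relying Party would use the API described in this intent: it builds registration options with `residentKey: "preferred"` (or "discouraged"/"required") plus the `credProps` extension, sets the Level 1 boolean `requireResidentKey` for clients that ignore the enum, and then reads `credProps.rk` from `getClientExtensionResults()` to learn whether the new credential is client-side discoverable. The challenge, user id and RP name are constructed placeholders; `registerWithPolicy` only runs in a browser, while the two pure helpers can be exercised anywhere.

```javascript
// Added example: WebAuthn registration with residentKey + credProps.
// Placeholders below are constructed for illustration; a real RP generates
// the challenge server-side and persists the result per credential.
const CONSTRUCTED_CHALLENGE = new Uint8Array(32);              // placeholder, real RP: random bytes from server
const CONSTRUCTED_USER_ID = new TextEncoder().encode("user-1234"); // placeholder account handle

const RESIDENT_KEY_POLICIES = ["discouraged", "preferred", "required"];

// Build PublicKeyCredentialCreationOptions for a residentKey policy and
// request the credProps extension so the RP learns the outcome.
function buildCreationOptions(residentKey) {
  if (!RESIDENT_KEY_POLICIES.includes(residentKey)) {
    throw new Error(`unknown residentKey policy: ${residentKey}`);
  }
  return {
    challenge: CONSTRUCTED_CHALLENGE,
    rp: { name: "Example RP" }, // rp.id defaults to the page's effective domain
    user: { id: CONSTRUCTED_USER_ID, name: "alice", displayName: "Alice" },
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    authenticatorSelection: {
      residentKey,
      // Level 1 clients only know the boolean and ignore residentKey.
      // Setting it true exactly when the policy is "required" keeps the
      // behaviour equivalent on both; "preferred" must leave it false so
      // older clients still accept non-discoverable (e.g. U2F/CTAP1) keys.
      requireResidentKey: residentKey === "required",
    },
    extensions: { credProps: true },
  };
}

// Interpret the credProps client extension output after create() resolved.
// Returns "discoverable", "not-discoverable" or "unknown".
function classifyCredential(residentKey, extensionResults) {
  const props = extensionResults && extensionResults.credProps;
  if (props && typeof props.rk === "boolean") {
    return props.rk ? "discoverable" : "not-discoverable";
  }
  // No credProps output (client or platform did not report it). With
  // "required" the client must fail create() if it cannot make a
  // discoverable credential, so a successful create implies one; with
  // "preferred" or "discouraged" the RP cannot tell.
  return residentKey === "required" ? "discoverable" : "unknown";
}

// Browser-side flow: register and record whether this credential can be
// used for a username-less sign-in (no allowCredentials list needed).
async function registerWithPolicy(residentKey) {
  const publicKey = buildCreationOptions(residentKey);
  const cred = await navigator.credentials.create({ publicKey });
  const outcome = classifyCredential(residentKey, cred.getClientExtensionResults());
  // The RP stores outcome alongside cred.id; only "discoverable" credentials
  // should be offered in a flow that omits allowCredentials.
  return { credentialId: cred.id, outcome };
}
```

Storing the classification per credential matters in the "preferred" case: the same registration code may yield a discoverable credential on a CTAP2 key and a non-discoverable one on a U2F key, and only the former can be asserted without the RP first identifying the user and supplying the credential ID.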