Candidate Recommendation (CR) for Web Authentication Specification

The W3C Web Authentication working group is pleased to announce that the Web Authentication specification (WebAuthn) has attained Candidate Recommendation (CR) maturity level. This is a major step towards enabling practical, strong, privacy-preserving authentication on the Web. Web Authentication is a challenge-response protocol employing strongly secure public key cryptography, with per-website key pairs, rather than the simple presentation of phishable, possibly re-used, passwords.

This version is informed by several rounds of interoperability testing among multiple browser and authenticator vendors. Members of the working group have closely coordinated with the FIDO Alliance to ensure that FIDO2 Client To Authenticator Protocol (CTAP) implementations will work well with WebAuthn. We have also closely coordinated with the W3C Credential Management API work.

The abstract of the specification is:

This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users. Conceptually, one or more public key credentials, each scoped to a given Relying Party, are created and stored on an authenticator by the user agent in conjunction with the web application. The user agent mediates access to public key credentials in order to preserve user privacy. Authenticators are responsible for ensuring that no operation is performed without user consent. Authenticators provide cryptographic proof of their properties to relying parties via attestation. This specification also describes the functional model for WebAuthn conformant authenticators, including their signature and attestation functionality.

Public implementations in Firefox and Chrome

Chrome and Firefox now have public client-side implementations of the Web Authentication API (Working Draft version 7).

Firefox’s implementation is in Firefox Nightly. It is scheduled to migrate to the Firefox Beta and Developer editions in March and to the release edition in May.

Chrome’s implementation is hidden behind a flag in Chrome 65.

J.C. Jones has a blog post with pointers to some server-side code for testing.

Meeting minutes, 2018

Links to meeting minutes in 2018:
January 3, 2018
January 10, 2018
January 17, 2018
No meeting January 24th (FIDO plenary).
January 31, 2018
February 7, 2018
February 14, 2018
February 21, 2018
February 28, 2018
March 7, 2018
March 14, 2018
No meeting March 21st (IETF).
March 28, 2018
No meeting April 4th (IIW).
April 11, 2018
No meeting April 18th (RSA).
April 25, 2018
May 2, 2018
May 9, 2018
May 16, 2018
No meeting May 23rd (FIDO plenary).
May 30, 2018
June 6, 2018
June 13, 2018
June 20, 2018
June 27, 2018
No meeting July 4th (holiday).
July 11, 2018
July 18, 2018
July 25, 2018
August 1, 2018
August 8, 2018

Meeting minutes, 2017

Links to meeting minutes in 2017:
January 4, 2017
January 11, 2017
January 18, 2017
No meeting January 25th.
February 1, 2017
February 8, 2017
February 13, 2017: face to face meeting in San Francisco
February 22, 2017
March 1, 2017
March 8, 2017
March 15, 2017
March 22, 2017
No meeting March 29th (IETF).
April 5, 2017
April 12, 2017
April 14, 2017
April 19, 2017
April 26, 2017
May 3, 2017
No meeting May 10th (FIDO plenary).
May 17, 2017
May 24, 2017
May 31, 2017
June 7, 2017
June 14, 2017
June 21, 2017
June 28, 2017
July 5, 2017
July 12, 2017
No meeting July 19th (IETF).
July 26, 2017
August 2, 2017
August 9, 2017
August 16, 2017
August 23, 2017
August 30, 2017
September 6, 2017
September 13, 2017
September 20, 2017
No meeting September 27th (FIDO plenary).
October 4, 2017
October 11, 2017: face to face meeting in Mountain View
October 18, 2017
October 25, 2017
November 1, 2017
November 9, 2017: face to face at TPAC 2017
No meeting November 15th (IETF).
November 22, 2017
November 29, 2017
December 6, 2017
December 13, 2017
December 20, 2017
No meeting December 27th.

Face-to-face meeting in San Francisco, 13 February 2017

The Web Authentication Working Group will have a face-to-face meeting on February 13th in San Francisco during the week of the RSA Conference. Once again, Microsoft is hosting us in their office at 555 California St.

Advance registration is required. Please fill out the registration form to tell us you are coming! We hope to see you there and will post an agenda here shortly!

Fourth working draft published

The W3C Web Authentication working group is pleased to announce publication of the fourth public working draft of the W3C Web Authentication specification.

We solicit your continued feedback – especially feedback based on implementations. If you’re not already a member, you can join the public working group mailing list at https://lists.w3.org/Archives/Public/public-webauthn/.

New public working draft of the W3C Web Authentication Specification

The W3C Web Authentication working group is pleased to announce publication of a new public working draft of the W3C Web Authentication specification. While this W3C Working Draft is similar in most respects to the First Public Working Draft, it contains numerous refinements intended to enhance the readability and clarity of the specification. These resulted from extensive ongoing review of the first public draft. Changes include separating the authenticator model from the defined attestation formats, clarifying the use of extensions, and defining some additional extensions. Thanks to all of you who reviewed the first public draft!

We solicit your continued feedback – especially feedback based on implementations. Reviews received before the working group meeting on Tuesday, September 20th at TPAC would be particularly useful. If you’re not already a member, you can join the public working group mailing list at https://lists.w3.org/Archives/Public/public-webauthn/. The working group expects to be issuing more frequent working drafts as we approach a Candidate Recommendation, so keep the great feedback coming!

Minutes from recent meetings

Links to recent meeting minutes, June-December 2016:
June 01, 2016
June 08, 2016
June 15, 2016
June 22, 2016
July 06, 2016
July 13, 2016
July 27, 2016
August 03, 2016
August 10, 2016
August 17, 2016
August 31, 2016
September 07, 2016
September 14, 2016
September 20, 2016 at TPAC
September 21, 2016 TPAC 2FA Breakout
September 28, 2016
No meeting October 5th.
October 12, 2016
October 19, 2016
October 26, 2016
November 2, 2016
November 9, 2016
No meeting November 16th.
No meeting November 23rd.
November 30, 2016
December 7, 2016
December 14, 2016
December 21, 2016
No meeting December 28th.

First Public Working Draft of W3C Web Authentication Specification

The W3C Web Authentication working group is pleased to announce the publication of the First Public Working Draft of the W3C Web Authentication specification. This is an important step towards making unphishable privacy-preserving authentication available on the Web and reducing reliance on passwords. Per the W3C process, the publication of the First Public Working Draft “is a signal to the community to begin reviewing the document”. Your active reviews of the specification are solicited – particularly those based upon experiences implementing and using it.

Here’s the abstract:

This specification defines an API that enables web pages to access WebAuthn compliant strong cryptographic credentials through browser script. Conceptually, one or more credentials are stored on an authenticator, and each credential is scoped to a single Relying Party. Authenticators are responsible for ensuring that no operation is performed without the user’s consent. The user agent mediates access to credentials in order to preserve user privacy. Authenticators use attestation to provide cryptographic proof of their properties to the relying party. This specification also describes a functional model of a WebAuthn compliant authenticator, including its signature and attestation functionality.

This specification is derived from the November 12, 2015 member submission of FIDO 2.0 Platform Specifications. Content from the three submitted specifications has been merged into a single Web Authentication specification, also incorporating changes agreed to by the Web Authentication working group.

Early implementations of this and related specifications are already available. The Microsoft Edge browser has an implementation of a slightly earlier version of the specification. Likewise, the Google Chrome and the Mozilla Firefox browsers have implementations of earlier Web authentication specifications, which will both serve as a basis for implementing the W3C Web Authentication specification.

You can join the public working group mailing list at https://lists.w3.org/Archives/Public/public-webauthn/. Taking your feedback into account, the working group aims to reach a stable specification draft (Candidate Recommendation) by September, 2016. We look forward to receiving your feedback on this specification!