First Public Working Draft of W3C Web Authentication Specification

The W3C Web Authentication working group is pleased to announce the publication of the First Public Working Draft of the W3C Web Authentication specification.  This is an important step towards making unphishable privacy-preserving authentication available on the Web and reducing reliance on passwords.  Per the W3C process, the publication of the First Public Working Draft “is a signal to the community to begin reviewing the document”.  Your active reviews of the specification are solicited – particularly those based upon experiences implementing and using it.

Here's the abstract:

This specification defines an API that enables web pages to access WebAuthn compliant strong cryptographic credentials through browser script. Conceptually, one or more credentials are stored on an authenticator, and each credential is scoped to a single Relying Party. Authenticators are responsible for ensuring that no operation is performed without the user’s consent. The user agent mediates access to credentials in order to preserve user privacy. Authenticators use attestation to provide cryptographic proof of their properties to the relying party. This specification also describes a functional model of a WebAuthn compliant authenticator, including its signature and attestation functionality.

This specification is derived from the November 12, 2015 member submission of FIDO 2.0 Platform Specifications.  Content from the three submitted specifications has been merged into a single Web Authentication specification, also incorporating changes agreed to by the Web Authentication working group.

Early implementations of this and related specifications are already available.  The Microsoft Edge browser has an implementation of a slightly earlier version of the specification.  Likewise, the Google Chrome and the Mozilla Firefox browsers have implementations of earlier Web authentication specifications, which will both serve as a basis for implementing the W3C Web Authentication specification.

You can join the public working group mailing list at https://lists.w3.org/Archives/Public/public-webauthn/.  Taking your feedback into account, the working group aims to reach a stable specification draft (Candidate Recommendation) by September, 2016.   We look forward to receiving your feedback on this specification!