Candidate Recommendation (CR) for Web Authentication Specification

The W3C Web Authentication working group is pleased to announce that the Web Authentication specification (WebAuthn) has attained Candidate Recommendation (CR) maturity level. This is a major step towards enabling practical, strong, privacy–preserving authentication on the Web. Web Authentication is a challenge-response protocol employing strongly secure public key cryptography, with per-website key pairs, rather than the simple presentation of phishable, possibly re-used, passwords.

This version is informed by several rounds of interoperability testing among multiple browser and authenticator vendors. Members of the working group have closely coordinated with the FIDO Alliance to ensure that FIDO2 Client To Authenticator Protocol (CTAP) implementations will work well with WebAuthn. We have also closely coordinated with the W3C Credential Management API work.

The abstract of the specification is:

This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users. Conceptually, one or more public key credentials, each scoped to a given Relying Party, are created and stored on an authenticator by the user agent in conjunction with the web application. The user agent mediates access to public key credentials in order to preserve user privacy. Authenticators are responsible for ensuring that no operation is performed without user consent. Authenticators provide cryptographic proof of their properties to relying parties via attestation. This specification also describes the functional model for WebAuthn conformant authenticators, including their signature and attestation functionality.

About Michael Jones

I am working with a broad coalition of people across multiple industries to build a ubiquitous identity layer for the Internet.

Leave a Reply

Your email address will not be published. Required fields are marked *

Before you comment here, note that your IP address is sent to Akismet, the plugin we use to mitigate spam comments.