WebAuthn
WebAuthn (Web Authentication) is an effort by the World Wide Web Consortium (W3C)[1][2], with input from the FIDO Alliance[3], to standardize an interface for public-key authentication of users to web-based applications and services. It implements an extension of the W3C's more general Credential Management API, which is an attempt to formalize the interaction between websites and in-browser password managers that store username/password combinations or other "federated" credentials such as authentication tokens generated by single sign-on services. However, WebAuthn is intended to work with multi-factor authentication, possibly in completely passwordless schemes that use gestures or biometric verification instead of requiring users to type in long, complex strings of characters.
WebAuthn is designed so that it can work with a range of public-key authenticator mechanisms, from pure software implementations to those using specialized hardware environments, such as a processor's trusted execution environment, a Trusted Platform Module, or external hardware tokens accessed via USB, Bluetooth Low Energy, or near-field communications (NFC). This builds upon the FIDO Alliance's previous Universal Authentication Framework (UAF) and Universal 2nd Factor (U2F) standards, and is designed to work with the in-progress Client-to-Authenticator Protocol (CTAP) for communicating with hardware authentication devices. WebAuthn and CTAP are both outgrowths of the "FIDO2" (or "FIDO 2.0") project.[3]
Browser and device support
The WebAuthn Level 1 standard was published as a Candidate Recommendation by the Web Authentication Working Group on March 20, 2018.[1] Google Chrome has supported WebAuthn since version 65, though it was disabled by default. It is planned to be enabled in version 67.[4] Mozilla Firefox, which had not fully supported the previous FIDO U2F standard, included and enabled WebAuthn in Firefox version 60, released on May 9, 2018.[5] Microsoft Edge had implemented an iteration of the earlier FIDO2 API that interfaced with Windows Hello, though it differed from the W3C specification in a number of ways.[6] Support that matches the published standard is expected later in 2018.[4]
Existing FIDO U2F hardware tokens are largely compatible with the WebAuthn standard, though WebAuthn added the ability to reference a unique per-account "user handle" identifier, which older hardware tokens are unable to store.[1] The first new token able to handle the new "FIDO2" style of key storage is the second-generation Security Key by Yubico, announced on April 10th, 2018.[7]
API
The WebAuthn API extends the Credential Management navigator.credentials.create() and navigator.credentials.get() JavaScript methods so they accept a publicKey parameter. The create() method is used for registering public key authenticators as part of associating them with user accounts (possibly at initial account creation time, but more likely when adding a new security device to an existing account), and the get() method is used for authenticating (such as when logging in).
To check whether a browser supports WebAuthn, scripts should check whether the window.PublicKeyCredential interface is defined. In addition to PublicKeyCredential, the standard also defines the AuthenticatorResponse, AuthenticatorAttestationResponse, and AuthenticatorAssertionResponse interfaces, as well as a variety of dictionaries and other data types.
The API does not allow direct access to or manipulation of private keys, beyond requesting their initial creation.
References
1. Balfanz et al. (2018-03-20). "Web Authentication: An API for accessing Public Key Credentials Level 1". W3C. Retrieved 2018-05-11.
2. "Web Authentication Working Group". W3C. Retrieved 2018-05-11.
3. "FIDO2 Project". FIDO Alliance. Retrieved 2018-05-11.
4. Casey, Henry T. (2018-04-10). "Chrome to Support New Password-Free Logins". Tom's Guide. Retrieved 2018-05-11.
5. Shankland, Stephen (2018-05-09). "Firefox moves browsers into post-password future with WebAuthn tech". CNET. Retrieved 2018-05-11.
6. Carey et al. (2018-02-08). "Web authentication and Windows Hello". Microsoft Edge Dev Guide. Microsoft. Retrieved 2018-05-11.
7. "Yubico Launches New Developer Program and Security Key for FIDO2 and WebAuthn W3C Specifications" (Press release). 2018-04-10. Retrieved 2018-05-11.