Web Authentication Level 1 is a W3C Recommendation

The Web Authentication Working Group published Web Authentication: An API for accessing Public Key Credentials Level 1 (WebAuthn) as a W3C Recommendation on March 4, 2019. This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users. As a core component of the FIDO Alliance’s FIDO2 set of specifications, WebAuthn is a browser/platform standard for simpler and stronger authentication. It is already supported in Windows 10, Android, and Chrome, Firefox, Edge and Safari Web browsers. Please read more in our Press Release.

Candidate Recommendation (CR) for Web Authentication Specification

The W3C Web Authentication working group is pleased to announce that the Web Authentication specification (WebAuthn) has attained Candidate Recommendation (CR) maturity level. This is a major step towards enabling practical, strong, privacy-preserving authentication on the Web. Web Authentication is a challenge-response protocol employing strongly secure public key cryptography, with per-website key pairs, rather than the simple presentation of phishable, possibly re-used, passwords.

This version is informed by several rounds of interoperability testing among multiple browser and authenticator vendors. Members of the working group have closely coordinated with the FIDO Alliance to ensure that FIDO2 Client To Authenticator Protocol (CTAP) implementations will work well with WebAuthn. We have also closely coordinated with the W3C Credential Management API work.

The abstract of the specification is:

This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users. Conceptually, one or more public key credentials, each scoped to a given Relying Party, are created and stored on an authenticator by the user agent in conjunction with the web application. The user agent mediates access to public key credentials in order to preserve user privacy. Authenticators are responsible for ensuring that no operation is performed without user consent. Authenticators provide cryptographic proof of their properties to relying parties via attestation. This specification also describes the functional model for WebAuthn conformant authenticators, including their signature and attestation functionality.
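
The challenge-response flow and Relying Party scoping described above, modelled as an added Node.js example (not code from the specification or the working group). ToyAuthenticator, verifyAssertion, demo and the example.com values are hypothetical names chosen for illustration; attestation, CBOR encoding and signature-counter handling are left out.

```javascript
// Added illustration: simplified WebAuthn-style assertion flow with hypothetical names.
const crypto = require("crypto");
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();
// Toy authenticator: holds one private key per Relying Party ID.
class ToyAuthenticator {
  constructor() { this.keys = new Map(); }
  register(rpId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.keys.set(rpId, privateKey);
    return publicKey; // only the public key goes to the Relying Party
  }
  // `origin` is filled in by the user agent, not by the calling page.
  getAssertion(rpId, origin, challenge) {
    const privateKey = this.keys.get(rpId);
    if (!privateKey) return null; // no credential scoped to this Relying Party
    const clientDataJSON = Buffer.from(JSON.stringify(
      { type: "webauthn.get", challenge: challenge.toString("base64url"), origin }));
    // rpIdHash (32 bytes) | flags (0x01 = user present) | signature counter (4 bytes)
    const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x01]), Buffer.alloc(4)]);
    const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
    return { clientDataJSON, authenticatorData, signature: crypto.sign("sha256", signed, privateKey) };
  }
}
// Relying Party side: every check must pass before the signature is trusted.
function verifyAssertion(rp, expectedChallenge, publicKey, a) {
  const clientData = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (clientData.type !== "webauthn.get") return "bad type";
  if (clientData.challenge !== expectedChallenge.toString("base64url")) return "challenge mismatch";
  if (clientData.origin !== rp.origin) return "origin mismatch";
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(rp.id))) return "rpIdHash mismatch";
  if ((a.authenticatorData[32] & 0x01) === 0) return "user not present";
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return crypto.verify("sha256", signed, publicKey, a.signature) ? "ok" : "bad signature";
}
function demo() {
  const rp = { id: "example.com", origin: "https://example.com" }; // constructed values
  const authenticator = new ToyAuthenticator();
  const publicKey = authenticator.register(rp.id);
  const challenge = crypto.randomBytes(32); // fresh per login attempt
  const good = authenticator.getAssertion(rp.id, rp.origin, challenge);
  const otherOrigin = authenticator.getAssertion(rp.id, "https://lookalike.test", challenge);
  return {
    legitimate: verifyAssertion(rp, challenge, publicKey, good),
    wrongOrigin: verifyAssertion(rp, challenge, publicKey, otherOrigin),
    staleChallenge: verifyAssertion(rp, crypto.randomBytes(32), publicKey, good),
    unknownSite: authenticator.getAssertion("other.example", "https://other.example", challenge),
  };
}
```

Because the origin and challenge are inside the signed client data, the Relying Party can reject an assertion produced for a different origin or an earlier challenge even though the signature itself is valid.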

Public implementations in Firefox and Chrome

Chrome and Firefox now have public client-side implementations of the Web Authentication API (Working Draft version 7).

Firefox’s implementation is in Firefox Nightly. It is scheduled to migrate to the Firefox Beta and Developer editions in March and to the release edition in May.

Chrome’s implementation is hidden behind a flag in Chrome 65.

J.C. Jones has a blog post with pointers to some server-side code for testing.

Meeting minutes, 2018

Links to meeting minutes in 2018:
January 3, 2018
January 10, 2018
January 17, 2018
No meeting January 24th (FIDO plenary).
January 31, 2018
February 7, 2018
February 14, 2018
February 21, 2018
February 28, 2018
March 7, 2018
March 14, 2018
No meeting March 21st (IETF).
March 28, 2018
No meeting April 4th (IIW).
April 11, 2018
No meeting April 18th (RSA).
April 25, 2018
May 2, 2018
May 9, 2018
May 16, 2018
No meeting May 23rd (FIDO plenary).
May 30, 2018
June 6, 2018
June 13, 2018
June 20, 2018
June 27, 2018
No meeting July 4th (holiday).
July 11, 2018
July 18, 2018
July 25, 2018
August 1, 2018
August 8, 2018
August 15, 2018
August 22, 2018
August 29, 2018
September 5, 2018
September 12, 2018
September 19, 2018
September 26, 2018
October 3, 2018
No meeting October 10th (FIDO plenary).
October 17, 2018
October 22, 2018: F2F meeting at TPAC
No meeting October 24th (TPAC).
October 31, 2018
No meeting November 7th (IETF).
November 14, 2018
No meeting November 21st (pre-Thanksgiving).
November 28, 2018
December 5, 2018
No meeting December 12th.
December 19, 2018
No meeting December 26th.

Meeting minutes, 2017

Links to meeting minutes in 2017:
January 4, 2017
January 11, 2017
January 18, 2017
No meeting January 25th.
February 1, 2017
February 8, 2017
February 13, 2017: face to face meeting in San Francisco
February 22, 2017
March 1, 2017
March 8, 2017
March 15, 2017
March 22, 2017
No meeting March 29th (IETF).
April 5, 2017
April 12, 2017
April 14, 2017
April 19, 2017
April 26, 2017
May 3, 2017
No meeting May 10th (FIDO plenary).
May 17, 2017
May 24, 2017
May 31, 2017
June 7, 2017
June 14, 2017
June 21, 2017
June 28, 2017
July 5, 2017
July 12, 2017
No meeting July 19th (IETF).
July 26, 2017
August 2, 2017
August 9, 2017
August 16, 2017
August 23, 2017
August 30, 2017
September 6, 2017
September 13, 2017
September 20, 2017
No meeting September 27th (FIDO plenary).
October 4, 2017
October 11, 2017: face to face meeting in Mountain View
October 18, 2017
October 25, 2017
November 1, 2017
November 9, 2017: face to face at TPAC 2017
No meeting November 15th (IETF).
November 22, 2017
November 29, 2017
December 6, 2017
December 13, 2017
December 20, 2017
No meeting December 27th.

Face-to-face meeting in San Francisco, 13 February 2017

The Web Authentication Working Group will have a face-to-face meeting on February 13th in San Francisco during the week of the RSA Conference. Once again, Microsoft is hosting us in their office at 555 California St.

Advance registration is required. Please fill out the registration form to tell us you are coming! We hope to see you there and will post an agenda here shortly!

Fourth working draft published

The W3C Web Authentication working group is pleased to announce publication of the fourth public working draft of the W3C Web Authentication specification.

We solicit your continued feedback – especially feedback based on implementations. If you’re not already a member, you can join the public working group mailing list at https://lists.w3.org/Archives/Public/public-webauthn/.