Overview
W3C WebAuthn (or Web Authentication) defines an API enabling the creation and use of strong, attested, scoped Public Key Credentials by web applications, for the purpose of strongly authenticating users.
A Public Key Credential is created and stored by an authenticator at the behest of a W3C WebAuthn Relying Party, subject to user consent. Subsequently, the credential can only be accessed by origins belonging to that Relying Party. This scoping is enforced jointly by conforming user agents and authenticators. Additionally, privacy across Relying Parties is maintained: a Relying Party cannot detect any properties, or even the existence, of credentials scoped to other Relying Parties.
The API defines two operations:
- The first is Registration, where a Public Key Credential is created on an authenticator and associated by a Relying Party with the present user's account (the account MAY already exist or MAY be created at this time).
- The second is Authentication, where the Relying Party is presented with an Authentication Assertion proving the presence and consent of the user who registered the Public Key Credential.
Broadly, compliant authenticators protect Public Key Credentials and interact with user agents to implement the Web Authentication API. Some authenticators MAY run on the same client device (e.g., smart phone, tablet, desktop PC) as the user agent. For instance, such an authenticator might consist of a Trusted Execution Environment (TEE) applet, a Trusted Platform Module (TPM), or a Secure Element (SE) integrated into the client device, in conjunction with some means for user verification, along with appropriate driver software to mediate access to these components' functionality. Other authenticators MAY operate independently of the client device running the user agent, and be accessed over a transport such as Universal Serial Bus (USB), Bluetooth Low Energy (BLE) or Near Field Communication (NFC).
The W3C WebAuthn Working Group has closely coordinated with the FIDO Alliance to ensure that FIDO2 Client To Authenticator Protocol (CTAP) implementations work well with WebAuthn. It has also closely coordinated with the W3C Credential Management API work.
More Information
There might be more information for this subject on one of the following:
- Client To Authenticator Protocol
- Credential Management API
- FIDO Standards
- U2F device
- Web Authentication API
- WebAuthn Attestation