FYI: Intent to implement and ship: Web Authentication

From:  dev-platform
<> on behalf
of "J.C. Jones" <>
Date:  Friday, November 11, 2016 at 1:18 PM
To:  "" <>
Subject:  Intent to implement and ship: Web Authentication

The W3C Web Authentication Working Group [1] was formed to produce a
browser-facing standard for using strong, cryptographic scoped credentials
to authenticate to web applications in an un-phishable way. The Working
Group began working from specifications produced by the FIDO Alliance, but
through the W3C process ensured there was a web-focus to the final result.

We have been tracking the Web Authentication standard since last yearšs
FIDO U2F announcement [2],  and we believe Web Authentication provides a
valuable augmentation to web application security in an inclusive way. We
are proposing to implement the current draft specification for Web
Authentication [3], and then track the evolution through to its final
Recommendation state.

Background: The Mozilla Foundation joined the FIDO Alliance to support the
work of providing augmented security to user logins across the Web. We
encouraged FIDO to evolve their browser specifications within the W3C, to
enable larger community involvement than simply Alliance members. This
specification is a result of that wider effort.

Web Authentication defines a way to use credentials from a secure element
to authenticate to web applications using public key cryptography. As with
FIDO U2F, the browseršs role is mainly to provide the interface between the
secure element (such as a USB dongle) and the web application, and to
enforce a scoped security model to bind the resulting attestation to the
specific web application.

Web Authentication support is currently in development for Microsoft Edge
[4] [5]. Google Chromešs support is also in-development.  Several websites
have deployed support for U2F, the predecessor to WebAuthn, including
Gmail, Dropbox, and Github. Additionally, there are many U2F devices in use
today which will function with the Web Authentication API.

Proposed: To implement the Web Authentication API, with support for the USB
U2F HID token attestation format.

Please send comments on this proposal to the list no later than 21 November






- J.C., Crypto Engineering
dev-platform mailing list

Received on Monday, 14 November 2016 07:50:39 UTC