Transition Request: Web Authentication to Proposed Recommendation

*# Document title, URLs, estimated publication date*

*Title:* Web Authentication: An API for accessing Public Key Credentials Level 1


*Publication date:* 25 September 2018

*Last Published:*

*Latest Editor’s Draft:*

*# Abstract*
This specification defines an API enabling the creation and use of strong,
attested, scoped, public key-based credentials by web applications, for the
purpose of strongly authenticating users.

*# Status*

*# Comments*
Send comments to:
Feedback is due 02 October 2018
[Or 7 days from day Request is approved]

*# Link to group's decision to request transition*
Call for Consensus:

*# Substantive Changes*

*# Requirements satisfied*
Yes. No changes

*# Dependencies met (or not)*
Met
## *The spec has normative dependencies on the following W3C Recs:*

## *The spec has normative dependencies on the following non-W3C standards:*

Base64url encoding  [RFC4648]

CBOR [RFC7049]

CDDL [Internet Draft]

COSE [RFC8152].


ECMAScript  [ECMAScript].


OAUTH 2 [RFC6749]

JSON Web Key [RFC7517]

CTAP (Client to Authenticator Protocol) [FIDO Alliance]

*# Wide Review*

*Privacy Interest Group:*

*Web Payments Working Group:* WG discussion (12/14/2017): https://www.w3.

*Accessible Platform Architectures (APA) Working Group:*

*IETF Token Binding Working Group:*

*Public review:*
The API was the subject of a critical blog post.  The WG reviewed these claims
and decided that changes in this API are not needed - changes might be
advisable (but optional) in CTAP (the companion FIDO spec).  Of note, these
crypto-savvy researchers identified less-than-ideal choices the WG had
made, typically for good reason, and did not identify any showstopper

*FIDO Alliance FIDO2 WG review*

*# Issues addressed*

*# Formal Objections*

*# Implementation*
*Web Payments Demo implementation* https://www.w3.
*Worldpay Web Payments and Web Authentication Demo*

*Mozilla’s Firefox browser has implemented the W3C Web Authentication API since
Version 60.*

*Microsoft has added support in its Edge Browser.*

*Google’s Chrome supports the W3C Web Authentication API in Chrome 70
(Sept. 2018).*

*The Web AuthN WG has conducted three interop events.*

*# Patent disclosures*

Tony Nadalin
John Fontana


John Fontana

Identity and Standards Analyst | Yubico

Phone: +1 303 301 4437
Skype: j_fontana

Received on Friday, 21 September 2018 21:22:20 UTC