W3C home > Mailing lists > Public > public-webauthn@w3.org > December 2019

Re: [webauthn] Add a way to use webauthn without Javascript (#1255)

From: Taylor Hunt via GitHub <sysbot+gh@w3.org>
Date: Sun, 01 Dec 2019 22:43:32 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-560169100-1575240210-sysbot+gh@w3.org>
I doubt browsers want to revive the `<keygen>` element, but it addressed a lot of design decisions brought up in this thread. A strawman using only already-standardized HTML could look like:

<form method="post" action="/exampleapp/webauthn/finish_assertion">
  <input name="user" autocomplete="username">

  <keygen name="webauthn"
    keyparams="alg -7"
    <!-- fallback for non-implementing browsers goes here -->

  <input type="hidden" autocomplete="webauthn-userid">
  <input type="hidden" name="exampleapp_request_id" value="3a74f2b4-cff0-4f50-8076-2f5532a0d6f3">

The `required` attribute is reused for the WebAuthN API’s `userVerification: 'required'`. `hidden` could be used for `userVerification: 'discouraged'`, and `'preferred'` would be the default.

Multiple credentials as mentioned by @Garnac could be implemented with multiple elements.

Of course, this strawman lacks a lot of the discussed functionality, but I think it’s worth learning from the Web of yesteryear for how one might implement webauthn without JavaScript.

GitHub Notification of comment by tigt
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1255#issuecomment-560169100 using your GitHub account
Received on Sunday, 1 December 2019 22:43:33 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:39 UTC