- From: ANTHONY NADALIN <nadalin@prodigy.net>
- Date: Tue, 17 Feb 2026 22:38:42 +0000
- To: Michael Jones <michael_b_jones@hotmail.com>, Web Authentication Working Group <public-webauthn@w3.org>, Christiaan Brand <cbrand@google.com>, Ian Jacobs <ij@w3.org>, Addison Phillips <addisoni18n@gmail.com>
- Message-ID: <BYAPR16MB2759EC7034CE3ABEE907DF1BAA6DA@BYAPR16MB2759.namprd16.prod.outlook.com>
Here is the agenda for the 02/18/2026 W3C Web Authentication WG Meeting, which will take place as a 30-minute teleconference. Remember, the call is at 12PM Pacific Time. Reminder that we will be using ZOOM from now on; please make sure you go to Web Authentication bi-weekly (w3.org)<https://www.w3.org/events/meetings/4bab6a90-bdb5-400f-ab87-64a7a852d86a/20230517T150000>
Select scribe: please, someone be willing to scribe so we can get down to the issues.
1. Here is the link to the Level 2 Webauthn Recommendation https://www.w3.org/TR/2021/REC-webaut
2. L3 CR Web Authentication: An API for accessing Public Key Credentials - Level 3<https://www.w3.org/TR/webauthn-3/>
3. Consensus to make L3 CR the L4 First Public Working Draft (Done)
4. TPAC 2026 - October 26-30th Dublin, Ireland - TPAC 2026 | 2026 | TPAC | Events | W3C<https://www.w3.org/events/tpac/2026/tpac-2026/>
1. WebAuthn Recharter Discussion - Web Authentication Working Group Charter<https://www.w3.org/2024/04/wg-webauthn-charter.html>
   * Rechartering WebAuthn · Issue #2388 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2388>
2. These were the topics discussed at 2025 TPAC
   * Discovery of migrated credentials · Issue #2340 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2340>
   * Add Credential Manager Trust Group Key (CMTG) extension · Issue #2338 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2338>
   * WebAuthn requestUserInfo -- easier account creation · Issue #2336 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2336>
   * Explainer for Level 4 · Issue #2297 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2297>
   * Update Credential Record to suggest storing RP ID as well for better Related Origins support · Issue #2257 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2257>
   * Should an RP be able to provide finer grained authenticator filtering in attestation options? · Issue #1688 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1688>
3.
4. L3 Candidate Recommendation open pull requests and open issues; these must be resolved before we go to Recommendation
   * w3c/webauthn#2319<https://github.com/w3c/webauthn/issues/2319>
   * w3c/webauthn#2321<https://github.com/w3c/webauthn/issues/2321>
5. L3 Recommendation · <https://github.com/w3c/webauthn/milestone/35> Issues
   * related origins enables sharing across relying parties · Issue #2319 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2319>
   * privacy implications of cross-origin iframe · Issue #2321 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2321>
   * Fix incorrect ASN.1 encoding in android-key test vector by emlun · Pull Request #2378 · w3c/webauthn<https://github.com/w3c/webauthn/pull/2378>
   * Editors, Contributors and Acknowledgements Review · Issue #2385 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2385>
6. L4 Pull requests · w3c/webauthn<https://github.com/w3c/webauthn/pulls>
   * Privacy considerations for cross-origin usage by timcappalli · Pull Request #2391 · w3c/webauthn<https://github.com/w3c/webauthn/pull/2391>
   * Adds additional hints for form factors by timcappalli · Pull Request #2387 · w3c/webauthn<https://github.com/w3c/webauthn/pull/2387>
   * Deprecate Authenticator Attachment in favor of Hints by akshayku · Pull Request #2383 · w3c/webauthn<https://github.com/w3c/webauthn/pull/2383>
   * Add new credential signature count parameter to Set Credential Properties virtual authenticator endpoint by MasterKale · Pull Request #2382 · w3c/webauthn<https://github.com/w3c/webauthn/pull/2382>
   * Add fallbackUrl client extension for hybrid transport authentication by harshlal028 · Pull Request #2380 · w3c/webauthn<https://github.com/w3c/webauthn/pull/2380>
   * Fix missing ASN.1 values in android-key test vector by Unknown-Robot · Pull Request #2379 · w3c/webauthn<https://github.com/w3c/webauthn/pull/2379>
   * Fix incorrect ASN.1 encoding in android-key test vector by emlun · Pull Request #2378 · w3c/webauthn<https://github.com/w3c/webauthn/pull/2378>
   * Add "Credential Manager Trust Group (CMTG) Key" extension by timcappalli · Pull Request #2377 · w3c/webauthn<https://github.com/w3c/webauthn/pull/2377>
   * remoteDesktopClientOverrideJSON Extension by akshayku · Pull Request #2375 · w3c/webauthn<https://github.com/w3c/webauthn/pull/2375>
   * Forbid authenticator data from containing cleartext PRF outputs by emlun · Pull Request #2372 · w3c/webauthn<https://github.com/w3c/webauthn/pull/2372>
   * Delete inaccurate recommendation to abort on unfocus by emlun · Pull Request #2367 · w3c/webauthn<https://github.com/w3c/webauthn/pull/2367>
   * [Do not merge yet] Add `requestUserInfo` by nsatragno · Pull Request #2358 · w3c/webauthn<https://github.com/w3c/webauthn/pull/2358>
   * Add Immediate Mediation by kenrb · Pull Request #2291 · w3c/webauthn<https://github.com/w3c/webauthn/pull/2291>
   * Exclude all platform authenticators that use self attesation from hav… by zacknewman · Pull Request #2150 · w3c/webauthn<https://github.com/w3c/webauthn/pull/2150>
   * Add new error codes by MasterKale · Pull Request #2095 · w3c/webauthn<https://github.com/w3c/webauthn/pull/2095>
   * Add "sign" extension by emlun · Pull Request #2078 · w3c/webauthn<https://github.com/w3c/webauthn/pull/2078>
7. L4 Issues · w3c/webauthn<https://github.com/w3c/webauthn/issues?q=is%3Aissue%20state%3Aopen%20milestone%3A%22L4%20WD02%20Milestone%22>
   * Virtual authenticator should allow `counter` to always be `0` · Issue #2363 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2363>
   * Client terminology hints for external authenticator form factors · Issue #2360 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2360>
   * Add hybrid fallback URL extension · Issue #2341 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2341>
   * Discovery of migrated credentials · Issue #2340 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2340>
   * Add Credential Manager Trust Group Key (CMTG) extension · Issue #2338 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2338>
   * WebAuthn requestUserInfo -- easier account creation · Issue #2336 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2336>
   * Section 6.5.5. should be moved to section 6.6. · Issue #2318 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2318>
   * Add onlyCreate to prevent creation of a new key for existing user · Issue #2313 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2313>
   * Explainer for Level 4 · Issue #2297 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2297>
   * Conditional creation incompatible with `uvInitialized` semantics in Chapter 7? · Issue #2295 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2295>
   * Update Credential Record to suggest storing RP ID as well for better Related Origins support · Issue #2257 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2257>
   * Allow immediate mediation · Issue #2228 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2228>
   * `credProps` output directions contradict notes · Issue #2213 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2213>
   * "Verify" is undefined · Issue #2208 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2208>
   * JSON parsing should be on top of Infra primitives · Issue #2207 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2207>
   * Use of "valid domain" seems wrong · Issue #2206 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2206>
   * Usage of "effective domain" seems wrong · Issue #2205 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2205>
   * Handling of non-fully active documents for PublicKeyCredential methods · Issue #2184 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2184>
   * [Editorial] platform authenticator relationship to WebAuthn Client and Client Device · Issue #2164 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2164>
   * Add AAGUID to credProps · Issue #2157 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2157>
   * Add `challengeUrl` · Issue #2152 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2152>
   * Allow `platform`-based self attestation with non-zero AAGUID when `AttestationConveyancePreferenceOption` `"none"` is used · Issue #2146 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2146>
   * Allow Conditional Mediation without autofill · Issue #2144 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2144>
   * UTF-8 decode should not be required for response.clientDataJSON and cData · Issue #2100 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2100>
   * Return more nuanced errors · Issue #2096 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2096>
   * [[Create]] should not access the global object directly · Issue #2092 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2092>
   * Additional guidance/clarification on RP ID and origin validation · Issue #2059 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2059>
   * excludeCredentials on Get · Issue #2057 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2057>
   * CollectedClientData serialization is confusing WebIDL and/or Infra values for ECMAScript values · Issue #2056 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2056>
   * Deprecate AuthenticatorAttachment in favor of PublicKeyCredentialHints. · Issue #2053 · w3c/webauthn<https://github.com/w3c/webauthn/issues/2053>
   * Adding some sentences to describe credential sharing between multiple users · Issue #1921 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1921>
   * Update Authenticator Taxonomy examples section · Issue #1912 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1912>
   * Clarify the need for truly randomly generated challenges (aka challenge callback issue) · Issue #1856 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1856>
   * Prescriptive behaviours for Autofill UI · Issue #1800 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1800>
   * Provide passwordless example, or update 1.3.2. to be a passwordless example · Issue #1735 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1735>
   * Public Key Credential Source and Extensions · Issue #1719 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1719>
   * Split RP ops "Registering a new credential" into one with and one without attestation · Issue #1710 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1710>
   * Switch to permissive copyright license? · Issue #1705 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1705>
   * Platform Errors for attestations. · Issue #1697 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1697>
   * Should an RP be able to provide finer grained authenticator filtering in attestation options? · Issue #1688 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1688>
   * Lookup Credential Source by Credential ID Algorithm returns sensitive data such as the credential private key · Issue #1678 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1678>
   * Trailing position of metadata · Issue #1646 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1646>
   * [Editorial] Truncation description inaccurate · Issue #1645 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1645>
   * Mechanism for encoding *direction* metadata may need more work · Issue #1644 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1644>
   * Use of in-field metadata not preferred · Issue #1643 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1643>
   * Unicode "tag" characters are deprecated for language tagging · Issue #1642 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1642>
   * CollectedClientData.crossOrigin default value and whether it is required · Issue #1631 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1631>
   * Support for remote desktops · Issue #1577 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1577>
   * double check whether the Secure Payment Confirmation effort has implications on the WebAuthn spec · Issue #1492 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1492>
   * Regarding the issue of Credential ID exposure(13.5.6), from what perspective should RP compare RK and NRK and which should be adopted? · Issue #1484 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1484>
   * Clearly define the way how RP handles the extensions · Issue #1258 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1258>
   * export definitions? · Issue #1049 · w3c/webauthn<https://github.com/w3c/webauthn/issues/1049>
8. Other open issues or discussions
9. Adjourn
Received on Tuesday, 17 February 2026 22:38:53 UTC