Hi Lisa,
> Also Firefox seems to be quite advanced in their webauth implementation (see https://wiki.mozilla.org/Security/CryptoEngineering#Web_Authentication) and looking through the WG minutes it seems Edge also has an implementation (https://blogs.windows.com/msedgedev/2016/04/12/a-world-without-passwords-windows-hello-in-microsoft-edge/) - there may be better links but these seem to show that enough features are implemented to meet our needs for conformance to our SC.
I think you are confusing ‘implemented’ and available. Chrome has implemented and released the features, but the others have not. They have also not committed to when those features will be released. I would expect 2018, but if they hit issues, perhaps not.
> Where do you see that it is experimental? Looking at your link I could just find the following: "Web Authentication API SUPPORTED Build Number 14291+ "
Where it says: “As of EdgeHTML 14, the implementation is prefixed”
For us to rely on an implementation (i.e. accessibility support) there needs to be something there.
NB: I’m much less concerned by things like adding-icons or adjusting text, but this is about security.
> You can use multi-factor identification with Bluetooth or generate a RC code (on the browser)
That’s not a web-standard method; I went through how those options are expensive here:
https://lists.w3.org/Archives/Public/w3c-wai-gl/2017OctDec/0722.html
We need a standardised method, and even then it does not cover 2 factors!
-Alastair