webauthn
Web Authentication: An API for accessing Public Key Credentials
## Proposed Change We should consider adding: [[ As well as sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in...
## Proposed Change During credential registration in particular (and also given that attestation can now, in theory, be requested on assertions), the [attestation](https://w3c.github.io/webauthn/#dom-publickeycredentialrequestoptions-attestation) property can be specified, as a single-valued...
## Proposed Change 6.2 Authenticator Taxonomy examples list needs to be refreshed for ecosystem changes related to passkeys
## Proposed Change The current standard says, with regard to challenge strings, that their main use is to "avoid replay attacks", which certainly agrees with my layman's understanding of cryptography....
As far as I (and a few others I talked to) know, there are no production client implementations of the `uvm` extension. We should consider removing it from WebAuthn L3.
As discussed at the face-to-face, this reflects current practice where the AAGUID of platform authenticators is passed through even when attestation is not requested.
## Description When registering a new credential (in particular using passkeys), there exists a weird edge case where the browser APIs succeed but the backend processing fails or hangs. This...
[The enforcement rule for the Nickname Profile in RFC 8266](https://www.rfc-editor.org/rfc/rfc8266#section-2.3) expressly forbids empty strings: > After all of the foregoing rules have been enforced, the entity MUST ensure that the...
## Related An alternate solution to [https://github.com/w3c/webauthn/issues/1568](https://github.com/w3c/webauthn/issues/1568) / the issues described in [https://github.com/w3c/webauthn/issues/1749](https://github.com/w3c/webauthn/issues/1749). ## To Sum Up The current paradigm creates a bad UX, because we have no way of...
Both [`PublicKeyCredentialRpEntity.id`](https://www.w3.org/TR/webauthn-3/#dom-publickeycredentialrpentity-id) and [`PublicKeyCredentialRequestOptions.rpId`](https://www.w3.org/TR/webauthn-3/#dom-publickeycredentialrequestoptions-rpid) represent the same thing (i.e., [RP ID](https://www.w3.org/TR/webauthn-3/#rp-id)); however the former is modeled as a [`DOMString`](https://webidl.spec.whatwg.org/#idl-DOMString) while the latter is modeled as a [`USVString`](https://webidl.spec.whatwg.org/#idl-USVString). These should be...