webauthn
Web Authentication: An API for accessing Public Key Credentials
In #2174 it was mentioned that a cautionary note about _not_ sending PRF data to the server may be appropriate for use cases where the output is used as a...
https://w3c.github.io/webauthn/#webauthn-client-device > [platform authenticators](https://w3c.github.io/webauthn/#platform-authenticators) are bound to a [client device](https://w3c.github.io/webauthn/#client-device) rather than a [WebAuthn Client](https://w3c.github.io/webauthn/#webauthn-client). This isn't always true. Update text.
Both [§7. WebAuthn Relying Party Operations](https://w3c.github.io/webauthn/#sctn-rp-operations) instructs to validate `CollectedClientData.origin` and `.topOrigin` (if present), but do not reference [`crossOrigin`](https://w3c.github.io/webauthn/#dom-collectedclientdata-crossorigin) at all. ## Proposed Change Add a step to verify [`crossOrigin`](https://w3c.github.io/webauthn/#dom-collectedclientdata-crossorigin)...
Related to #1644 ## Proposed Change authenticatorDisplayName is currently a DOMString and does not support localization, specifically language codes and direction. Change to a map following the String Meta spec:...
#1880 added the optional item `authenticatorDisplayName` to [_Credential Record_](https://w3c.github.io/webauthn/#abstract-opdef-credential-record-authenticatordisplayname); however it was not added to Step 27 of the registration ceremony nor Step 23 of the authentication ceremony. Seeing how...
…ing to use none attestation Closes #2146 Related #1962 #2146 raises the possibility of leaving attestation for _all_ platform authenticators based on the argument that much of the information related...
In L3 platform-based authenticators are allowed AAGUIDs that are not all-zero even when _`credentialCreationData.`_[`attestationConveyancePreferenceOption`](https://w3c.github.io/webauthn/#credentialcreationdata-attestationconveyancepreferenceoption) is `"none"`. As a result, there is no additional privacy obtained by replacing self attestation with...
This PR proposes new error codes to be raised across various WebAuthn interactions. There is an assumption that the user has meaningfully interacted with some part of the ceremony to...
Currently the spec states: > Let JSONtext be the result of running [UTF-8 decode](https://encoding.spec.whatwg.org/#utf-8-decode) on the value of response.[clientDataJSON](https://www.w3.org/TR/webauthn-3/#dom-authenticatorresponse-clientdatajson). > >Note: Using any implementation of [UTF-8 decode](https://encoding.spec.whatwg.org/#utf-8-decode) is acceptable as...
## Description As of now, `addVirtualAuthenticator` seems to be window restricted (correct me if I'm wrong / inaccurate). Therefore, I need to transfer my credentials from window to window (and...