webauthn
Web Authentication: An API for accessing Public Key Credentials
3rd-party JavaScript running on a page is able to call the WebAuthn API using the rpId of the 1st-party origin context. This allows attackers with control over any JS...
The [`Public Key Credential Source`](https://www.w3.org/TR/webauthn-2/#public-key-credential-source) is currently defined as containing:
- `type`
- `id`
- `privateKey`
- `rpId`
- `userhandle`
- `otherUI`

The definition does not currently say anything about...
[submitting on behalf of @leshi & @arnar and their collaborator Alex Takakuwa] **https://lists.w3.org/Archives/Public/public-webauthn/2018May/0464.html:** Subject: Recovering from Device Loss in WebAuthn **From: Alex Takakuwa** To: [email protected] In April, we...
WebAuthn is rather difficult to learn, for a few reasons. Now that the spec has settled on "discoverable credentials", it's especially confusing that the actual browser API does not use...
Step 16 of registration ( https://w3c.github.io/webauthn/#sctn-registering-a-new-credential ) is: > Verify that the "alg" parameter in the credential public key in authData matches the alg attribute of one of the items...
FIDO credential decommissioning (with 3 cases) is specified in clause 1.3.5. However no API is defined yet for that end. Would like to raise the issue and request discussions here....
For a normal attestation during make credential the batch key is always signing over a new public key, preventing an attacker from controlling the output. In the DPK case the...
On WebAuthn WG call on 2021-08-25, a proposal concerning [secure payment confirmation (SPC)](https://github.com/w3c/secure-payment-confirmation) was discussed which probably originated from web payments groups. Attaching for more details: [[WebAuthn WG August 2021]...
Issue #1637 introduces possible experiences in a future WebAuthn, various aspects of which are enabled by "syncing platform credentials" via platform providers' sync fabrics. The spec will need updating to...
RPs currently have 4 options for requesting attestation:

```
enum AttestationConveyancePreference { "none", "indirect", "direct", "enterprise" };
```

In general, we want an RP to be able to request any one of...