Web Authentication Levels
From MgmtWiki
(Redirected from Web Authentication Level 2)
Contents
Full Title
The W3C Web Authentication standards started calling their first specification Level One knowing that extensions were coming.
Web Authentication Level 2[1] enables the creation and use of strong, attested, scoped, public key cred by web applications for strongly authenticating users.
Context
- This is designed for web applications, not native applications.
- The current draft of the evolving standard is available here.
Glossary
- Authenticator protects public key credentials, and interact with user agents to implement the Web Authentication API. Implementing compliant authenticators is possible in software executing (a) on a general-purpose computing device, (b) on an on-device Secure Execution Environment, Trusted Platform Module (TPM), or a Secure Element (SE), or (c) off device. Authenticators being implemented on device are called platform authenticators. Authenticators being implemented off device (roaming authenticators) can be accessed over a transport method.
Normal Flow
Web Authentication API [1] Section 5
- Registration
- Challenge, user info, RP info
- RP ID, client data hash
- User verification, new key pair
- Authentication
- Challenge
- RP ID, client data hash
- User verification
Solutions
- Your First WebAuthn on developers Google for Windows 10 with Windows Hello
Referrences
- ↑ 1.0 1.1 Dirk Balfanz + 19, Web Authentication: An API for accessing Public Key Credentials Level 2 W3C Working Draft, 2020-07-30 https://www.w3.org/TR/webauthn-2/#iface-pkcredential
Other Material
- See also wiki page Web Authentication
- See also wiki page WebAuthn 2
- See also wiki page WebAuthn 3
- See also wiki page Biometric Attribute
