Difference between revisions of "Web Authentication Levels"

Latest revision as of 12:36, 9 November 2021

Full Title

The W3C Web Authentication standards started calling their first specification Level One knowing that extensions were coming.

Web Authentication Level 2^[1] enables the creation and use of strong, attested, scoped, public key cred by web applications for strongly authenticating users.

Context

• This is designed for web applications, not native applications.
• The current draft of the evolving standard is available here.

Glossary

• Authenticator protects public key credentials, and interact with user agents to implement the Web Authentication API. Implementing compliant authenticators is possible in software executing (a) on a general-purpose computing device, (b) on an on-device Secure Execution Environment, Trusted Platform Module (TPM), or a Secure Element (SE), or (c) off device. Authenticators being implemented on device are called platform authenticators. Authenticators being implemented off device (roaming authenticators) can be accessed over a transport method.

Normal Flow

Web Authentication API ^[1] Section 5

• Registration

1. Challenge, user info, RP info
2. RP ID, client data hash
3. User verification, new key pair

• Authentication

1. Challenge
2. RP ID, client data hash
3. User verification

Solutions

• Your First WebAuthn on developers Google for Windows 10 with Windows Hello

Referrences

1. ↑ ^{1.0 1.1} Dirk Balfanz + 19, Web Authentication: An API for accessing Public Key Credentials Level 2 W3C Working Draft, 2020-07-30 https://www.w3.org/TR/webauthn-2/#iface-pkcredential

Other Material

• See also wiki page Web Authentication
• See also wiki page WebAuthn 2
• See also wiki page WebAuthn 3
• See also wiki page Biometric Attribute