decentralized-id.github.io/_posts/web-standards/w3c/working-groups/webauthn/2020-01-09-webauthn.md

56 lines
8.1 KiB
Markdown
Raw Normal View History

2020-01-09 18:15:17 -05:00
---
2020-11-09 01:55:17 -05:00
title: WebAuthN Working Group
2020-11-10 21:58:15 -05:00
categories: ["Web Standards"]
2020-11-28 10:22:07 -05:00
tags: ["W3C","WebAuthN", "Microsoft","FIDO"]
2020-11-27 16:17:41 -05:00
permalink: web-standards/w3c/wg/webauthn/
2020-11-09 02:14:37 -05:00
redirect_from:
2020-11-27 16:17:41 -05:00
- web-standards/w3c/webauthn/
2020-11-09 02:14:37 -05:00
- specs-standards/webauthn/
- web-standards/webauthn/
2020-11-09 01:55:17 -05:00
last_modified_at: 2020-11-09
2020-01-09 18:15:17 -05:00
---
2020-11-10 03:37:29 -05:00
**[Webpage](https://w3c.github.io/webauthn/) • [GitHub](https://github.com/w3c/webauthn) • [Blog](https://www.w3.org/blog/webauthn/)**
2020-11-09 01:55:17 -05:00
* [Charter](https://www.w3.org/2019/10/webauthn-wg-charter.html)
> The Web Authentication Working Group will develop recommendation-track specifications defining an API, as well as signature and attestation formats which provide an asymmetric cryptography-based foundation for authentication of users to Web Applications.
>
> Overall goals include obviating the use of shared secrets, i.e. passwords, as authentication credentials, facilitating multi-factor authentication support as well as hardware-based key storage while respecting the Same Origin Policy (SOP) by default and allowing for explicit, constrained SOP relaxation.
2020-01-09 18:15:17 -05:00
* [Why WebAuthn will change the world](https://techcommunity.microsoft.com/t5/identity-standards-blog/why-webauthn-will-change-the-world/ba-p/482286) - Pamela Dingle
> A little over a month ago, W3C WebAuthn became a real internet specification. Most of you dont know what WebAuthn is yet, but many of you will feel the impact in short order. In fact, I will go so far as to say that WebAuthn may change how we all authenticate to the resources we use every day.
>
> We live in a world where the best parts of our individual local hardware and software collection are rarely leveraged to make cloud security decisions. This is because there has never been a vendor-agnostic and privacy-preserving way for cloud resources to interact with individual hardware configurations in any generic way. Until now!
>
> With WebAuthn, any web entity can call a simple Javascript API and ask for a cryptographically secure credential. What happens next is pretty cool the worlds browsers have worked with the worlds operating system makers and the worlds hardware manufacturers, so that when a website asks for a credential, the browsers work with the underlying platform to securely locate compliant local hardware and talk to it!
2020-01-11 22:20:06 -05:00
* [W3C finalizes Web Authentication (WebAuthn) standard - ZDNet](https://www.zdnet.com/article/w3c-finalizes-web-authentication-webauthn-standard/)
2020-01-09 18:15:17 -05:00
> WebAuthn allows users to register and authenticate on websites or mobile apps using an "authenticator" instead of a password.
>
> The "authenticator" can be a hardware security key that the user has connected to his computer or a biometric ID that can be acquired from the PC or smartphone's sensors --such as fingerprints, face scans, iris scans, and others.
* [All about FIDO2, CTAP2 and WebAuthn](https://techcommunity.microsoft.com/t5/Identity-Standards-Blog/All-about-FIDO2-CTAP2-and-WebAuthn/ba-p/288910)
> This is a great week to be working in Identity Standards, as we at Microsoft celebrate the release of our first ever WebAuthn Relying Party. This one relying party enables standards-based passwordless authentication at Xbox, Skype, Outlook.com and more. But what are the actual pieces of the puzzle and how do they fit? Read on for the big picture of how the W3C WebAuthn and FIDO2 CTAP2 specifications interact. We will start with the industry standards perspective, and then at the end we will summarize how Microsoft implements the various roles.
>
> To understand how FIDO2 authenticators work, you need knowledge of two specifications in two different standards bodies. The WebAuthentication (aka WebAuthn) spec lives at W3C (where the browser makers meet) while the Client-to-Authenticator (aka CTAP2) spec lives at the FIDO Alliance (where hardware and platform folks have joined to solve the problem of Fast IDentity Online).
* [To Understand WebAuthn, Read CredMan](https://techcommunity.microsoft.com/t5/identity-standards-blog/to-understand-webauthn-read-credman/ba-p/339652)
> The holidays are well and truly over, time to get serious - now is the perfect time to read specifications! If you are planning to read the WebAuthn specification, you can ease into the terminology in a simple way - take a cruise through the W3C Credential Management (aka CredMan) specification first. CredMan sets up the object model for the Credential object model that WebAuthn's PublicKeyCredential extends. This post will be an overview of the CredMan spec, geared for folks who want to call the API as clients, not for those few and proud who are tasked with implementation of the API within a user agent.
* [GitHub supports Web Authentication (WebAuthn) for security keys](https://github.blog/2019-08-21-github-supports-webauthn-for-security-keys/)
> GitHub now supports Web Authentication (WebAuthn) for security keys—the new standard for secure authentication on the web. Starting today, you can use security keys for two-factor authentication on GitHub with even more browsers and devices. And, since many browsers are actively working on WebAuthn features, were excited about the potential for strong and easy-to-use authentication options for the entire GitHub community in the future.
<iframe src="https://slides.com/fidoalliance/webauthn-overview/embed" width="576" height="420" scrolling="no" frameborder="0" webkitallowfullscreen mozallowfullscreen allowfullscreen></iframe>
2020-11-10 03:37:29 -05:00
[Web Authentication: An API for accessing Public Key Credentials Level 1](https://www.w3.org/TR/webauthn/) • [WebAuthN-WG](https://www.w3.org/Webauthn/)
2020-01-09 18:15:17 -05:00
* [WebAuthn Awesome Awesome](https://github.com/herrjemand/awesome-webauthn) - A curated list of awesome WebAuthn/FIDO2 resources
* [webauthn - npmjs.com](https://www.npmjs.com/package/webauthn)
> WebAuthn is a W3C standard that enables web developers to replace passwords in their applications with FIDO authentication. This repository implements a NPM package for use in Node.js services. This package is in active development and not yet ready for production use. You can use it to kick the tires on WebAuthn. Please file issues to ask questions or provide feedback.
* [duo-labs/webauthn](https://github.com/duo-labs/webauthn) - WebAuthn (FIDO2) server library written in Go [webauthn.io](https://webauthn.io/)
> This library is meant to handle Web Authentication for Go apps that wish to implement a passwordless solution for users. While the specification is currently in Candidate Recommendation, this library conforms as much as possible to the guidelines and implementation procedures outlined by the document.
* [What is WebAuthn? What is FIDO2?](https://codelabs.developers.google.com/codelabs/webauthn-reauth/#0) - codelabs.developers.google.com
> The FIDO2 / WebAuthn allows you to create and use strong, attested public key based credentials for the purpose of authenticating users. The API supports the use of BLE, NFC, and USB roaming authenticators (security keys) as well as a platform authenticator, which allows the user to authenticate using their fingerprint or screenlock.
* [Enabling Strong Authentication with WebAuthn](https://developers.google.com/web/updates/2018/05/webauthn) - developers.google.com
> The Web Authentication API gives Web applications user-agent-mediated access to authenticators which are often hardware tokens accessed over USB/BLE/NFC or modules built directly into the platform for the purposes of generating and challenging application-scoped (eTLD+k) public-key credentials.
* [webauthn.me](https://webauthn.me) Crafted by Auth0
* [Web Authentication API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API)
* [FIDO2: WebAuthn & CTAP](https://fidoalliance.org/fido2/)
* [FIDO2: Web Authentication (WebAuthn)](https://fidoalliance.org/fido2/fido2-web-authentication-webauthn/)
> Web Authentication (WebAuthn), a core component of FIDO Alliances FIDO2 set of specifications, is a web-based API that allows websites to update their login pages to add FIDO-based authentication on supported browsers and platforms. FIDO2 enables users to leverage common devices to easily authenticate to online services in both mobile and desktop environments.
* [webauthn.guide](https://webauthn.guide)