firstDaisy Diff compare report.
Click on the changed parts for a detailed description. Use the left and right arrow keys to walk through the modifications.
last 

Jump to Table of Contents Pop Out Sidebar

W3C W3C

Web Authentication: An API for accessing Public Key Credentials - Level 1

W3C Working Draft, 11 August

This version:
https://www.w3.org/TR/2017/WD-webauthn-2017081120171205/
Latest published versionVersion:
https://www.w3.org/TR/webauthn/
Editor's Draft:
https://w3c.github.io/webauthn/
Previous Versionsversions:
Issue Tracking:
Github
Editors:
(Microsoft)
(PayPal)
(Google)
(Google)
(Google)
(PayPal)
(Microsoft)
(Nok Nok Labs)
(Mozilla)
Tests:
web-platform-tests webauthn/ (ongoing work)

Abstract

This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users. Conceptually, one or more public key credentials, each scoped to a given Relying Party, are created and stored on an authenticator by the user agent in conjunction with the web application. The user agent mediates access to public key credentials in order to preserve user privacy. Authenticators are responsible for ensuring that no operation is performed without user consent. Authenticators provide cryptographic proof of their properties to relying parties via attestation. This specification also describes the functional model for WebAuthn conformant authenticators, including their signature and attestation functionality.

Status of this document

This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at https://www.w3.org/TR/.

This document was published by the Web Authentication Working Group as a Working Draft. This document is intended to become a W3C Recommendation. Feedback and comments on this specification are welcome. Please use Github issues. Discussions may also be found in the public-webauthn@w3.org archives.

Publication as a Working Draft does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.

This document was produced by a group operating under the 5 February 2004 W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.

This document is governed by the 1 March 2017 W3C Process Document.

1. Introduction

This section is not normative.

This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users. A public key credential is created and stored by an authenticator at the behest of a Relying Party, subject to user consent. Subsequently, the public key credential can only be accessed by origins belonging to that Relying Party. This scoping is enforced jointly by conforming User Agents and authenticators. Additionally, privacy across Relying Parties is maintained; Relying Parties are not able to detect any properties, or even the existence, of credentials scoped to other Relying Parties.

Relying Parties employ the Web Authentication API during two distinct, but related, ceremonies involving a user. The first is Registration, where a public key credential is created on an authenticator, and associated by a Relying Party with the present user’s account (the account may already exist or may be created at this time). The second is Authentication, where the Relying Party is presented with an Authentication Assertion proving the presence and consent of the user who registered the public key credential. Functionally, the Web Authentication API comprises a PublicKeyCredential which extends the Credential Management API [CREDENTIAL-MANAGEMENT-1], and infrastructure which allows those credentials to be used with navigator.credentials.create() and navigator.credentials.get(). The former is used during Registration, and the latter during Authentication.

Broadly, compliant authenticators protect public key credentials, and interact with user agents to implement the Web Authentication API. Some authenticators may run on the same computing device (e.g., smart phone, tablet, desktop PC) as the user agent is running on. For instance, such an authenticator might consist of a Trusted Execution Environment (TEE) applet, a Trusted Platform Module (TPM), or a Secure Element (SE) integrated into the computing device in conjunction with some means for user verification, along with appropriate platform software to mediate access to these components' functionality. Other authenticators may operate autonomously from the computing device running the user agent, and be accessed over a transport such as Universal Serial Bus (USB), Bluetooth Low Energy (BLE) or Near Field Communications (NFC).

1.1. Use Cases

The below use case scenarios illustrate use of two very different types of authenticators, as well as outline further scenarios. Additional scenarios, including sample code, are given later in §11 §12 Sample scenarios.

1.1.1. Registration

1.1.2. Authentication

1.1.3. Other use cases and configurations

A variety of additional use cases and configurations are also possible, including (but not limited to):

2. Conformance

This specification defines criteria for a Conforming User Agent: three conformance classes. Each of these classes is specified so that conforming members of the class are secure against non-conforming or hostile members of the other classes.

2.1. User Agents

A User Agent MUST behave as described in this specification in by §5 Web Authentication API in order to be considered conformant. Conforming User Agents MAY implement algorithms given in this specification in any way desired, so long as the end result is indistinguishable from the result that would be obtained by the specification’s algorithms.

A conforming User Agent MUST also be a conforming implementation of the IDL fragments of this specification, as described in the “Web IDL” specification. [WebIDL-1]This specification also defines a model of a conformant authenticator (see §5 WebAuthn Authenticator model)

2.2. Authenticators

An authenticator MUST provide the operations defined by §6 WebAuthn Authenticator model, and those operations MUST behave as described there. This is a set of functional and security requirements for an authenticator to be usable by a Conforming User Agent.

As described in §1.1 Use Cases, an authenticator may be implemented in the operating system underlying the User Agent, or in external hardware, or a combination of both.

2.

1.

3. Relying Parties

A Relying Party MUST behave as described in §7 Relying Party Operations to get the security benefits offered by this specification.

3. Dependencies

This specification relies on several other underlying specifications, listed below and in Terms defined by reference.

Base64url encoding

The term Base64url Encoding refers to the base64 encoding using the URL- and filename-safe character set defined in Section 5 of [RFC4648], with all trailing '=' characters omitted (as permitted by Section 3.2) and without the inclusion of any line breaks, whitespace, or other additional characters.

CBOR

A number of structures in this specification, including attestation statements and extensions, are encoded using the Compact Binary Object Representation (CBOR) [RFC7049].

CDDL

This specification describes the syntax of all CBOR-encoded data using the CBOR Data Definition Language (CDDL) [CDDL].

COSE

CBOR Object Signing and Encryption (COSE) [RFC8152]. The IANA COSE Algorithms registry established by this specification is also used.

Credential Management

The API described in this document is an extension of the Credential concept defined in [CREDENTIAL-MANAGEMENT-1].

DOM

DOMException and the DOMException values used in this specification are defined in [DOM4].

ECMAScript

%ArrayBuffer% is defined in [ECMAScript].

HTML

The concepts of relevant settings object, origin, opaque origin, and is a registrable domain suffix of or is equal to are defined in [HTML52].

Web IDL

Many of the interface definitions and all of the IDL in this specification depend on [WebIDL-1]. This updated version of the Web IDL standard adds support for Promises, which are now the preferred mechanism for asynchronous interaction in all new web APIs.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

3

4. Terminology

Assertion

See Authentication Assertion.

Attestation

Generally, attestation is a statement serving to bear witness, confirm, or authenticate. In the WebAuthn context, attestation is employed to attest to the provenance of an authenticator and the data it emits; including, for example: credential IDs, credential key pairs, signature counters, etc. An attestation statement is conveyed in an attestation object during registration. See also §5§6.3 Attestation and Figure 3. Whether or how the client platform conveys the attestation statement and AAGUID portions of the attestation object to the Relying Party is described by attestation conveyance.

Attestation Certificate

A X.509 Certificate for the attestation key pair used by an authenticator to attest to its manufacture and capabilities. At registration time, the authenticator uses the attestation private key to sign the Relying Party-specific credential public key (and additional data) that it generates and returns via the authenticatorMakeCredential operation. Relying Parties use the attestation public key conveyed in the attestation certificate to verify the attestation signature. Note that in the case of self attestation, the authenticator has no distinct attestation key pair nor attestation certificate, see self attestation for details.

Authentication

The ceremony where a user, and the user’s computing device(s) (containing at least one authenticator) work in concert to cryptographically prove to an Relying Party that the user controls the credential private key associated with a previously-registered public key credential (see Registration). Note that this typically includes employing a test of user presence or user verification.

Authentication Assertion

The cryptographically signed AuthenticatorAssertionResponse object returned by an authenticator as the result of a authenticatorGetAssertion operation.

This corresponds to the [CREDENTIAL-MANAGEMENT-1] specification’s single-use credentials.

Authenticator

A cryptographic device entity used by a WebAuthn Client to (i) generate a public key credential and register it with a Relying Party, and (ii) subsequently used to cryptographically sign and return authenticate by potentially verifying the user, and then cryptographically signing and returning, in the form of an Authentication Assertion, a challenge and other data presented by a Relying Party (in concert with the WebAuthn Client) in order to effect authentication.

Authorization Gesture

An authorization gesture is a physical interaction performed by a user with an authenticator as part of a ceremony, such as registration or authentication. By making such an authorization gesture, a user provides consent for (i.e., authorizes) a ceremony to proceed. This may involve user verification if the employed authenticator is capable, or it may involve a simple test of user presence.

Biometric Recognition

The automated recognition of individuals based on their biological and behavioral characteristics [ISOBiometricVocabulary].

Ceremony

The concept of a ceremony [Ceremony] is an extension of the concept of a network protocol, with human nodes alongside computer nodes and with communication links that include user interface(s), human-to-human communication, and transfers of physical objects that carry data. What is out-of-band to a protocol is in-band to a ceremony. In this specification, Registration and Authentication are ceremonies, and an authorization gesture is often a component of those ceremonies.

Client

See Conforming User Agent.

Client-Side

This refers in general to the combination of the user’s platform device, user agent, authenticators, and everything gluing it all together.

Client-side-resident Credential Private Key

A Client-side-resident Credential Private Key is stored either on the client platform, or in some cases on the authenticator itself, e.g., in the case of a discrete first-factor roaming authenticator. Such client-side credential private key storage has the property that the authenticator is able to select the credential private key given only an RP ID, possibly with user assistance (e.g., by providing the user a pick list of credentials associated with the RP ID). By definition, the private key is always exclusively controlled by the Authenticator. In the case of a Client-side-resident Credential Private Key, the Authenticator might offload storage of wrapped key material to the client platform, but the client platform is not expected to offload the key storage to remote entities (e.g. RP Server).

Conforming User Agent

A user agent implementing, in conjunction with the underlying platform, the Web Authentication API and algorithms given in this specification, and handling communication between authenticators and Relying Parties.

Credential ID

A probabilistically-unique byte sequence identifying a public key credential source and its authentication assertions.

Credential IDs are generated by authenticators in two forms:

  1. At least 16 bytes that include at least 100 bits of entropy, or

  2. The public key credential source, without its Credential ID, encrypted so only its managing authenticator can decrypt it. This form allows the authenticator to be nearly stateless, by having the Relying Party store any necessary state.

    Note: [FIDO-UAF-AUTHNR-CMDS] includes guidance on encryption techniques under "Security Guidelines".

Relying Parties do not need to distinguish these two Credential ID forms.

Credential Public Key

The public key portion of an Relying Party-specific credential key pair, generated by an authenticator and returned to an Relying Party at registration time (see also public key credential). The private key portion of the credential key pair is known as the credential private key. Note that in the case of self attestation, the credential key pair is also used as the attestation key pair, see self attestation for details.

Public Key Credential Source

A credential source ([CREDENTIAL-MANAGEMENT-1]) used by an authenticator to generate authentication assertions. A public key credential source has:

The authenticatorMakeCredential operation creates a public key credential source bound to a managing authenticator and returns the credential public key associated with its credential private key. The Relying Party can use this credential public key to verify the authentication assertions created by this public key credential source.

Public Key Credential

Generically, a credential is data one entity presents to another in order to authenticate the former to the latter [RFC4949]. The term public key credential refers to one of: a public key credential source, the possibly-attested credential public key corresponding to a public key credential source, or an authentication assertion. Which one is generally determined by context.

Note: This is a willful violation of [RFC4949]. In English, a "credential" is both a) the thing presented to prove a statement and b) intended to be used multiple times. It’s impossible to achieve both criteria securely with a single piece of data in a public key system. [RFC4949] chooses to define a credential as the thing that can be used multiple times (the public key), while this specification gives "credential" the English term’s flexibility. This specification uses more specific terms to identify the data related to an [RFC4949] credential:
"Authentication information" (possibly including a private key)

Public key credential source

"Signed value"

Authentication assertion

[RFC4949] "credential"

Credential public key or attestation object

At registration time, the authenticator creates an asymmetric key pair, and stores its private key portion and information from the Relying Party into a public key credential source. The public key portion is returned to the Relying Party, who then stores it in conjunction with the present user’s account. Subsequently, only that Relying Party, as identified by its RP ID, is able to employ the public key credential in authentication ceremonies, via the get() method. The Relying Party uses its stored copy of the credential public key to verify the resultant authentication assertion.

Rate Limiting

The process (also known as throttling) by which an authenticator implements controls against brute force attacks by limiting the number of consecutive failed authentication attempts within a given period of time. If the limit is reached, the authenticator should impose a delay that increases exponentially with each successive attempt, or disable the current authentication modality and offer a different authentication factor if available. Rate limiting is often implemented as an aspect of user verification.

Registration

The ceremony where a user, a Relying Party, and the user’s computing device(s) (containing at least one authenticator) work in concert to create a public key credential and associate it with the user’s Relying Party account. Note that this typically includes employing a test of user presence or user verification.

Relying Party

The entity whose web application utilizes the Web Authentication API to register and authenticate users. See Registration and Authentication, respectively.

Note: While the term Relying Party is used in other contexts (e.g., X.509 and OAuth), an entity acting as a Relying Party in one context is not necessarily a Relying Party in other contexts.

Relying Party Identifier
RP ID

A valid domain string that identifies the Relying Party on whose behalf a given registration or authentication ceremony is being performed. A public key credential can only be used for authentication with the same entity (as identified by RP ID) it was registered with. By default, the RP ID for a WebAuthn operation is set to the caller’s origin's effective domain. This default MAY be overridden by the caller, as long as the caller-specified RP ID value is a registrable domain suffix of or is equal to the caller’s origin's effective domain. See also §4§5.1.3 Create a new credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) method and §4§5.1.4 Use an existing credential to make an assertion - PublicKeyCredential’s [[DiscoverFromExternalSourceGet]](options) method.

Note: A Public key credential's scope is for a Relying Party's origin, with the following restrictions and relaxations:

This is done in order to match the behavior of pervasively deployed ambient credentials (e.g., cookies, [RFC6265]). Please note that this is a greater relaxation of "same-origin" restrictions than what document.domain's setter provides.

Public Key Credential

Generically, a credential is data one entity presents to another in order to authenticate the former to the latter [RFC4949]. A WebAuthn public key credential is a { identifier, type } pair identifying authentication information established by the authenticator and the Relying Party, together, at registration time. The authentication information consists of an asymmetric key pair, where the public key portion is returned to the Relying Party, who then stores it in conjunction with the present user’s account. The authenticator maps the private key portion to the Relying Party's RP ID and stores it. Subsequently, only that Relying Party, as identified by its RP ID, is able to employ the public key credential in authentication ceremonies, via the get() method. The Relying Party uses its stored copy of the credential public key to verify the resultant authentication assertion.

Test of User Presence

A test of user presence is a simple form of authorization gesture and technical process where a user interacts with an authenticator by (typically) simply touching it (other modalities may also exist), yielding a boolean result. Note that this does not constitute user verification because a user presence test, by definition, is not capable of biometric recognition, nor does it involve the presentation of a shared secret such as a password or PIN.

User Consent

User consent means the user agrees with what they are being asked, i.e., it encompasses reading and understanding prompts. An authorization gesture is a ceremony component often employed to indicate user consent.

User Handle

The user handle is specified by a Relying Party and is a unique identifier for a user account with that Relying Party. A user handle is an opaque byte sequence with a maximum size of 64 bytes.

The user handle is not meant to be displayed to the user, but is used by the Relying Party to control the number of credentials - an authenticator will never contain more than one credential for a given Relying Party under the same user handle.

User Verification

The technical process by which an authenticator locally authorizes the invocation of the authenticatorMakeCredential and authenticatorGetAssertion operations. User verification may be instigated through various authorization gesture modalities; for example, through a touch plus pin code, password entry, or biometric recognition (e.g., presenting a fingerprint) [ISOBiometricVocabulary]. The intent is to be able to distinguish individual users. Note that invocation of the authenticatorMakeCredential and authenticatorGetAssertion operations implies use of key material managed by the authenticator. Note that for security, user verification and use of credential private keys must occur within a single logical security boundary defining the authenticator.

User Present
UP

Upon successful completion of a user presence test, the user is said to be "present".

User Verified
UV

Upon successful completion of a user verification process, the user is said to be "verified".

WebAuthn Client

Also referred to herein as simply a client. See also Conforming User Agent.

4

5. Web Authentication API

This section normatively specifies the API for creating and using public key credentials. The basic idea is that the credentials belong to the user and are managed by an authenticator, with which the Relying Party interacts through the client (consisting of the browser and underlying OS platform). Scripts can (with the user’s consent) request the browser to create a new credential for future use by the Relying Party. Scripts can also request the user’s permission to perform authentication operations with an existing credential. All such operations are performed in the authenticator and are mediated by the browser and/or platform on the user’s behalf. At no point does the script get access to the credentials themselves; it only gets information about the credentials in the form of objects.

In addition to the above script interface, the authenticator may implement (or come with client software that implements) a user interface for management. Such an interface may be used, for example, to reset the authenticator to a clean state or to inspect the current state of the authenticator. In other words, such an interface is similar to the user interfaces provided by browsers for managing user state such as history, saved passwords and cookies. Authenticator management actions such as credential deletion are considered to be the responsibility of such a user interface and are deliberately omitted from the API exposed to scripts.

The security properties of this API are provided by the client and the authenticator working together. The authenticator, which holds and manages credentials, ensures that all operations are scoped to a particular origin, and cannot be replayed against a different origin, by incorporating the origin in its responses. Specifically, as defined in §5§6.2 Authenticator operations, the full origin of the requester is included, and signed over, in the attestation object produced when a new credential is created as well as in all assertions produced by WebAuthn credentials.

Additionally, to maintain user privacy and prevent malicious Relying Parties from probing for the presence of public key credentials belonging to other Relying Parties, each credential is also associated with a Relying Party Identifier, or RP ID. This RP ID is provided by the client to the authenticator for all operations, and the authenticator ensures that credentials created by a Relying Party can only be used in operations requested by the same RP ID. Separating the origin from the RP ID in this way allows the API to be used in cases where a single Relying Party maintains multiple origins.

The client facilitates these security measures by providing the Relying Party's origin and RP ID to the authenticator for each operation. Since this is an integral part of the WebAuthn security model, user agents only expose this API to callers in secure contexts.

The Web Authentication API is defined by the union of the Web IDL fragments presented in the following sections. A combined IDL listing is given in the IDL Index.

4

5.1. PublicKeyCredential Interface

The PublicKeyCredential interface inherits from Credential [CREDENTIAL-MANAGEMENT-1], and contains the attributes that are returned to the caller when a new credential is created, or a new assertion is requested.

[SecureContext, Exposed=Window]
interface PublicKeyCredential : Credential {
    [SameObject] readonly attribute ArrayBuffer              rawId;
    [SameObject] readonly attribute AuthenticatorResponse    response;
    [SameObject] readonly attribute AuthenticationExtensions clientExtensionResultsgetClientExtensionResults();
};
id

This attribute is inherited from Credential, though PublicKeyCredential overrides Credential's getter, instead returning the base64url encoding of the data contained in the object’s [[identifier]] internal slot.

rawId

This attribute returns the ArrayBuffer contained in the [[identifier]] internal slot.

response, of type AuthenticatorResponse, readonly

This attribute contains the authenticator's response to the client’s request to either create a public key credential, or generate an authentication assertion. If the PublicKeyCredential is created in response to create(), this attribute’s value will be an AuthenticatorAttestationResponse, otherwise, the PublicKeyCredential was created in response to get(), and this attribute’s value will be an AuthenticatorAssertionResponse.

clientExtensionResults, of type AuthenticationExtensions, readonly
This attribute contains
getClientExtensionResults()

This operation returns the value of [[clientExtensionsResults]], which is a map containing extension identifierclient extension output entries produced by the extension’s client extension processing.

[[type]]

The PublicKeyCredential interface object's [[type]] internal slot's value is the string "public-key".

Note: This is reflected via the type attribute getter inherited from Credential.

[[discovery]]

The PublicKeyCredential interface object's [[discovery]] internal slot's value is "remote".

[[identifier]]

This internal slot contains an identifier for the credential, chosen by the platform with help from the authenticator. This identifier is used to look up credentials for use, and is therefore expected to be globally unique with high probability across all credentials of the same type, across all authenticators. This API does not constrain the format or length of this identifier, except that it must be sufficient for the platform to uniquely select a key. For example, an authenticator without on-board storage may create identifiers containing a credential private key wrapped with a symmetric key that is burned into the authenticator.

[[clientExtensionsResults]]

This internal slot contains the results of processing client extensions requested by the Relying Party upon the Relying Party's invocation of either navigator.credentials.create() or navigator.credentials.get().

PublicKeyCredential's interface object inherits Credential's implementation of [[CollectFromCredentialStore]](origin, options, sameOriginWithAncestors), and defines its own implementation of [[StoreCreate]](credentialorigin, options, sameOriginWithAncestors), and defines its own implementation of [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors), and [[CreateStore]](optionscredential, sameOriginWithAncestors).

4

5.1.1. CredentialCreationOptions Extension

To support registration via navigator.credentials.create(), this document extends the CredentialCreationOptions dictionary as follows:

partial dictionary CredentialCreationOptions {
    MakePublicKeyCredentialOptions      publicKey;
};
4

5.1.2. CredentialRequestOptions Extension

To support obtaining assertions via navigator.credentials.get(), this document extends the CredentialRequestOptions dictionary as follows:

partial dictionary CredentialRequestOptions {
    PublicKeyCredentialRequestOptions      publicKey;
};
4

5.1.3. Create a new credential - PublicKeyCredential’s [[Create]](origin, options, sameOriginWithAncestors) method

Note: This algorithm is synchronous; the Promise resolution/rejection is handled by
PublicKeyCredential's interface object's implementation of the

[[Create]](origin, options, sameOriginWithAncestors) internal method [CREDENTIAL-MANAGEMENT-1] allows Relying Party scripts to call navigator.credentials.create() to request the creation of a new

credential key pair and PublicKeyCredential, managed by an authenticator. The user agent will prompt the user for consent. On success, the returned promise will be resolved with a PublicKeyCredential containing an AuthenticatorAttestationResponse object.

public key credential source, bound to an authenticator. This navigator.credentials.create() operation can be aborted by leveraging the AbortController; see DOM §3.3 Using AbortController and AbortSignal objects in APIs for detailed instructions.

This internal method accepts

a single argument:If any of the name member of options.rp, the name member of options.user, the displayName member of options.user, or the id member of options.user are not present, return a TypeError simple exception

three arguments:

origin

This argument is the relevant settings object's origin, as determined by the calling create() implementation.

options

This argument is a CredentialCreationOptions object whose options.publicKey member contains a MakePublicKeyCredentialOptions object specifying the desired attributes of the to-be-created public key credential.

sameOriginWithAncestors

This argument is a boolean which is true if and only if the caller’s environment settings object is same-origin with its ancestors.

Note: This algorithm is synchronous: the Promise resolution/rejection is handled by navigator.credentials.create().

When this method is invoked, the user agent MUST execute the following algorithm:

  1. Assert: options.publicKey is present.

  • Let options be the value of options.publicKey.

    1. If sameOriginWithAncestors is false, return a "NotAllowedError" DOMException.

      Note: This "sameOriginWithAncestors" restriction aims to address the concern raised in the Origin Confusion section of [CREDENTIAL-MANAGEMENT-1], while allowing Relying Party script access to Web Authentication functionality, e.g., when running in a secure context framed document that is same-origin with its ancestors. However, in the future, this specification (in conjunction with [CREDENTIAL-MANAGEMENT-1]) may provide Relying Parties with more fine-grained control--e.g., ranging from allowing only top-level access to Web Authentication functionality, to allowing cross-origin embedded cases--by leveraging [Feature-Policy] once the latter specification becomes stably implemented in user agents.

    2. Let options be the value of options.publicKey.

    3. If the timeout member of options is present, check if its value lies within a reasonable range as defined by the platform and if not, correct it to the closest value lying within that range. Set

    adjustedTimeout
    1. a timer lifetimeTimer to this adjusted value. If the timeout member of options is not present, then set

    adjustedTimeout Let
    1. lifetimeTimer to a platform-specific default.

    2. Let

    global be the PublicKeyCredential's interface object's environment settings object’s global object.
    1. callerOrigin be

    the
    1. origin

    specified by this PublicKeyCredential interface object's relevant settings object
    1. . If callerOrigin is an opaque origin, return a DOMException whose name is "NotAllowedError", and terminate this algorithm.

    2. Let effectiveDomain be the callerOrigin’s effective domain. If effective domain is not a valid domain, then return a DOMException whose name is "SecurityError" and terminate this algorithm.

      Note: An effective domain may resolve to a host, which can be represented in various manners, such as domain, ipv4 address, ipv6 address, opaque host, or empty host. Only the domain format of host is allowed here.

  • Let rpId be effectiveDomain.

    1. If options.rp.id

    is
    1. Is present
    :
    1. If options.rp.id is not a registrable domain suffix of and is not equal to effectiveDomain, return a DOMException whose name is "SecurityError", and terminate this algorithm.

      Is not present

      Set

    rpId to
    1. options.rp.id to effectiveDomain.

      Note:

    rpId
    1. options.rp.id represents the caller’s RP ID. The RP ID defaults to being the caller’s origin's effective domain unless the caller has explicitly set options.rp.id when calling create().

    2. Let credTypesAndPubKeyAlgs be a new list whose items are pairs of PublicKeyCredentialType and a COSEAlgorithmIdentifier.

    3. For each current of options.pubKeyCredParams:

      1. If current.type does not contain a PublicKeyCredentialType supported by this implementation, then continue.

      2. Let alg be current.alg.

      3. Append the pair of current.type and alg to credTypesAndPubKeyAlgs.

    4. If credTypesAndPubKeyAlgs is empty and options.pubKeyCredParams is not empty,

    cancel the timer started in step 2, Let selectedAuthenticators
    1. return a DOMException whose name is "NotSupportedError", and terminate this algorithm.

    2. Let clientExtensions be a new map and let authenticatorExtensions be a new map.

    3. If the extensions member of options is present, then for each extensionIdclientExtensionInput of options.extensions:

      1. If extensionId is not supported by this client platform or is not a registration extension, then continue.

      2. Set clientExtensions[extensionId] to clientExtensionInput.

      3. If extensionId is not an authenticator extension, then continue.

      4. Let authenticatorExtensionInput be the (CBOR) result of running extensionId’s client extension processing algorithm on clientExtensionInput. If the algorithm returned an error, continue.

      5. Set authenticatorExtensions[extensionId] to the base64url encoding of authenticatorExtensionInput.

    4. Let collectedClientData be a new CollectedClientData instance whose fields are:

      type

      The string "webauthn.create".

      challenge

      The base64url encoding of options.challenge.

      origin

      The serialization of callerOrigin.

      hashAlgorithm

      The recognized algorithm name of the hash algorithm selected by the client for generating the hash of the serialized client data.

      tokenBindingId

      The Token Binding ID associated with callerOrigin, if one is available.

      clientExtensions

      clientExtensions

      authenticatorExtensions

      authenticatorExtensions

    5. Let clientDataJSON be the JSON-serialized client data constructed from collectedClientData.

    6. Let clientDataHash be the hash of the serialized client data represented by clientDataJSON.

  • Let currentlyAvailableAuthenticators be a new ordered set consisting of all authenticators currently available on this platform.

    1. If the options.signal is present and its aborted flag is set to true, return a DOMException whose name is "AbortError" and terminate this algorithm.

    2. Start lifetimeTimer.

    3. Let issuedRequests be a new ordered set.

    If currentlyAvailableAuthenticators is empty, return a DOMException whose name is "NotFoundError", and terminate this algorithm
    1. For each authenticator that becomes available on this platform during the lifetime of lifetimeTimer, do the following:

      The definitions of "lifetime of" and "becomes available" are intended to represent how devices are hotplugged into (USB) or discovered by (NFC) browsers, and are under-specified. Resolving this with good definitions or some other means will be addressed by resolving Issue #613.

      1. If options.authenticatorSelection is present

    , iterate through currentlyAvailableAuthenticators and do the following for each authenticator
      1. :

        1. If

    aa
        1. options.authenticatorSelection.authenticatorAttachment is present and its value is not equal to authenticator’s attachment modality, continue.

        2. If

    rk
        1. options.authenticatorSelection.requireResidentKey is set to true and the authenticator is not capable of storing a Client-Side-Resident Credential Private Key, continue.

        2. If

    uv
        1. options.authenticatorSelection.userVerification is set to

    true
        1. required and the authenticator is not capable of performing user verification, continue.

  • Append authenticator to selectedAuthenticators.

  • If selectedAuthenticators is empty, return a DOMException whose name is "ConstraintError", and terminate this algoritm.

  • Let issuedRequests be a new ordered set.

  • For each authenticator in currentlyAvailableAuthenticators:

      1. Let userVerification be the effective user verification requirement for credential creation, a Boolean value, as follows. If options.authenticatorSelection.userVerification

        is set to required

        Let userVerification be true.

        is set to preferred

        If the authenticator

        is capable of user verification

        Let userVerification be true.

        is not capable of user verification

        Let userVerification be false.

        is set to discouraged

        Let userVerification be false.

      2. Let userPresence be a Boolean value set to the inverse of userVerification.

      3. Let excludeCredentialDescriptorList be a new list.

      4. For each credential descriptor C in options.excludeCredentials:

        1. If C.transports is not empty, and authenticator is connected over a transport not mentioned in C.transports, the client MAY continue.

        2. Otherwise, Append C to excludeCredentialDescriptorList.

    In parallel, invoke
      1. Invoke the authenticatorMakeCredential operation on authenticator with

    rpId,
      1. clientDataHash, options.rp, options.user, options.authenticatorSelection.

    rk
      1. requireResidentKey, userPresence, userVerification, credTypesAndPubKeyAlgs, excludeCredentialDescriptorList, and authenticatorExtensions as parameters.

      2. Append authenticator to issuedRequests.

  • Start a timer for adjustedTimeout milliseconds. Then execute the following steps in parallel. The task source for these tasks is the dom manipulation task source.

    1. While issuedRequests is not empty, perform the following actions depending upon

    the adjustedTimeout timer
    1. lifetimeTimer and responses from the authenticators:

      If
    the adjustedTimeout timer
    1. lifetimeTimer expires,

      For each authenticator in issuedRequests invoke the authenticatorCancel operation on authenticator and remove authenticator from issuedRequests.

      If the options.signal is present and its aborted flag is set to true,

      For each authenticator in issuedRequests invoke the authenticatorCancel operation on authenticator and remove authenticator from issuedRequests. Then return a DOMException whose name is "AbortError" and terminate this algorithm.

      If any authenticator returns a status indicating that the user cancelled the operation,
      1. Remove authenticator from issuedRequests.

      2. For each remaining authenticator in issuedRequests invoke the authenticatorCancel operation on authenticator and remove it from issuedRequests.

      If any authenticator returns an error status,

      Remove authenticator from issuedRequests.

      If any authenticator indicates success,
      1. Remove authenticator from issuedRequests.

      2. Let

    attestationObject be a new ArrayBuffer, created using global’s %ArrayBuffer%, containing the bytes of the value
      1. credentialCreationData be a struct whose items are:

        attestationObjectResult

        whose value is the bytes returned from the successful authenticatorMakeCredential operation

    (which
      1. .

        Note: this value is attObj, as defined in

    §5
      1. §6.3.4 Generating an Attestation Object

    ).
  • Let id be attestationObject.authData.attestation data.credential ID (see §5.3.1 Attestation data and §5.1 Authenticator data).

  • Let value be
      1. .

        clientDataJSONResult

        whose value is the bytes of clientDataJSON.

        attestationConveyancePreferenceOption

        whose value is the value of options.attestation.

        clientExtensionResults

        whose value is an AuthenticationExtensions object containing extension identifierclient extension output entries. The entries are created by running each extension’s client extension processing algorithm to create the client extension outputs, for each client extension in clientDataJSON.clientExtensions.

      2. Let constructCredentialAlg be an algorithm that takes a global object global, and whose steps are:

        1. Let attestationObject be a new ArrayBuffer, created using global’s %ArrayBuffer%, containing the bytes of credentialCreationData.attestationObjectResult’s value.

        2. If credentialCreationData.attestationConveyancePreferenceOption’s value is

          "none"

          Replace potentially uniquely identifying information (such as AAGUID and attestation certificates) in the attested credential data and attestation statement, respectively, with blinded versions of the same data.

          need to define "blinding". See also #462. <https://github.com/w3c/webauthn/issues/694>

          "indirect"
          The client MAY replace the AAGUID and attestation statement with a more privacy-friendly and/or more easily verifiable version of the same data (for example, by employing a Privacy CA).
          "direct"

          Convey the authenticator's AAGUID and attestation statement, unaltered, to the RP.

          @balfanz wishes to add to the "direct" case: If the authenticator violates the privacy requirements of the attestation type it is using, the client SHOULD terminate this algorithm with a "AttestationNotPrivateError".
        3. Let id be attestationObject.authData.attestedCredentialData.credentialId.

        4. Let pubKeyCred be a new PublicKeyCredential object associated with global whose fields are:

          [[identifier]]

          id

          response

          A new AuthenticatorAttestationResponse object associated with global whose fields are:

          clientDataJSON

          A new ArrayBuffer, created using global’s %ArrayBuffer%, containing the bytes of

    clientDataJSON
        1. credentialCreationData.clientDataJSONResult.

          attestationObject

          attestationObject

    clientExtensionResults
        1. [[clientExtensionsResults]]

          A new

    AuthenticationExtensions object containing the extension identifierclient extension output entries created by running each extension’s client extension processing algorithm to create the client extension outputs, for each client extension in clientDataJSON.clientExtensions.
        1. ArrayBuffer, created using global’s %ArrayBuffer%, containing the bytes of credentialCreationData.clientExtensionResults.

        2. Return pubKeyCred.

      1. For each remaining authenticator in issuedRequests invoke the authenticatorCancel operation on authenticator and remove it from issuedRequests.

      2. Return

    value
      1. constructCredentialAlg and terminate this algorithm.

    1. Return a DOMException whose name is "NotAllowedError".

    During the above process, the user agent SHOULD show some UI to the user to guide them in the process of selecting and authorizing an authenticator.

    4

    5.1.4. Use an existing credential to make an assertion - PublicKeyCredential’s [[

    DiscoverFromExternalSource

    Get]](options) method

    The [[DiscoverFromExternalSource]](options) method is used

    Relying Parties call navigator.credentials.get({publicKey:..., ...}) to discover and use an existing public key credential, with the user’s consent.

    The

    Relying Party script optionally specifies some criteria to indicate what

    credentials

    credential sources are acceptable to it. The user agent and/or platform locates

    credentials

    credential sources matching the specified criteria, and guides the user to pick one that the script will be allowed to use. The user may choose

    not to provide

    to decline the entire interaction even if a credential

    even if one

    source is present, for example to maintain privacy.

    Note: This algorithm is synchronous; the Promise resolution/rejection is handled by navigator.credentials.get().

    This method accepts a single argument:

    If the user picks a credential source, the user agent then uses §6.2.2 The authenticatorGetAssertion operation to sign a Relying Party-provided challenge and other collected data into an assertion, which is used as a credential.

    The get() implementation [CREDENTIAL-MANAGEMENT-1] calls PublicKeyCredential.[[CollectFromCredentialStore]]() to collect any credentials that should be available without user mediation (roughly, this specification’s authorization gesture), and if it does not find exactly one of those, it then calls PublicKeyCredential.[[DiscoverFromExternalSource]]() to have the user select a credential source.

    Since this specification requires an authorization gesture to create any credentials, the PublicKeyCredential.[[CollectFromCredentialStore]](origin, options, sameOriginWithAncestors) internal method inherits the default behavior of Credential.[[CollectFromCredentialStore]](), of returning an empty set.

    5.1.4.1. PublicKeyCredential’s [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) method

    This internal method accepts three arguments:

    origin

    This argument is the relevant settings object's origin, as determined by the calling get() implementation, i.e., CredentialsContainer's Request a Credential abstract operation.

    options

    This argument is a CredentialRequestOptions object whose options.publicKey member contains a

    challenge and additional options as described in §4.5 Options for Assertion Generation (dictionary PublicKeyCredentialRequestOptions). The selected authenticator signs the challenge along with other collected data in order to produce an assertion. See §5.2.2 The authenticatorGetAssertion operation

    PublicKeyCredentialRequestOptions object specifying the desired attributes of the public key credential to discover.

    sameOriginWithAncestors

    This argument is a boolean which is true if and only if the caller’s environment settings object is same-origin with its ancestors.

    Note: This algorithm is synchronous: the Promise resolution/rejection is handled by navigator.credentials.get().

    When this method is invoked, the user agent MUST execute the following algorithm:

    1. Assert: options.publicKey is present.

    2. If sameOriginWithAncestors is false, return a "NotAllowedError" DOMException.

      Note: This "sameOriginWithAncestors" restriction aims to address the concern raised in the Origin Confusion section of [CREDENTIAL-MANAGEMENT-1], while allowing Relying Party script access to Web Authentication functionality, e.g., when running in a secure context framed document that is same-origin with its ancestors. However, in the future, this specification (in conjunction with [CREDENTIAL-MANAGEMENT-1]) may provide Relying Parties with more fine-grained control--e.g., ranging from allowing only top-level access to Web Authentication functionality, to allowing cross-origin embedded cases--by leveraging [Feature-Policy] once the latter specification becomes stably implemented in user agents.

    3. Let options be the value of options.publicKey.

    4. If the timeout member of options is present, check if its value lies within a reasonable range as defined by the platform and if not, correct it to the closest value lying within that range. Set

    adjustedTimeout
    1. a timer lifetimeTimer to this adjusted value. If the timeout member of options is not present, then set

    adjustedTimeout Let
    1. lifetimeTimer to a platform-specific default.

    2. Let

    global be the PublicKeyCredential's interface object's environment settings object’s global object.
    1. callerOrigin be

    the
    1. origin

    specified by this PublicKeyCredential interface object's relevant settings objectIf there are no authenticators currently available on this platform
    1. . If callerOrigin is an opaque origin, return a DOMException whose name is "NotAllowedError", and terminate this algorithm.

    2. Let effectiveDomain be the callerOrigin’s effective domain. If effective domain is not a valid domain, then return a DOMException whose name is "SecurityError" and terminate this algorithm.

      Note: An effective domain may resolve to a host, which can be represented in various manners, such as domain, ipv4 address, ipv6 address, opaque host, or empty host. Only the domain format of host is allowed here.

    3. If options.rpId is not present, then set rpId to effectiveDomain.

      Otherwise:

      1. If options.rpId is not a registrable domain suffix of and is not equal to effectiveDomain, return a DOMException whose name is "SecurityError", and terminate this algorithm.

      2. Set rpId to options.rpId.

        Note: rpId represents the caller’s RP ID. The RP ID defaults to being the caller’s origin's effective domain unless the caller has explicitly set options.rpId when calling get().

    4. Let clientExtensions be a new map and let authenticatorExtensions be a new map.

    5. If the extensions member of options is present, then for each extensionIdclientExtensionInput of options.extensions:

      1. If extensionId is not supported by this client platform or is not an authentication extension, then continue.

      2. Set clientExtensions[extensionId] to clientExtensionInput.

      3. If extensionId is not an authenticator extension, then continue.

      4. Let authenticatorExtensionInput be the (CBOR) result of running extensionId’s client extension processing algorithm on clientExtensionInput. If the algorithm returned an error, continue.

      5. Set authenticatorExtensions[extensionId] to the base64url encoding of authenticatorExtensionInput.

    6. Let collectedClientData be a new CollectedClientData instance whose fields are:

      type

      The string "webauthn.get".

      challenge<