what features are supported? about webauthn HOT 6 OPEN

Most of the WebAuthn specification has been implemented, so both attestation and assertion should be working.

The only two TODOs in the code right now for missing parts of the spec are Token Binding (7.1, step 6), which doesn't seem to be supported by Chrome and checking sign counting (7.2, step 17). Unfortunately, I do not have an authenticator myself and used Krypton to test everything, which does not seem to support this part.

The other part of the spec that is missing is support for more Token Attestation Formats. Right now only FIDO U2F is supported, which does seem to be the most common. It is quite hard to test other formats without access to them, as that would probably require first replicating the signing procedure correctly.

I do have access to the Android SafetyNet format using Chrome Canary on Android, but unfortunately it doesn't set the User Present flag, which means it won't even get to format validation.

All other parts of the spec should be present. So, it can be used already because it does seem that the FIDO-U2F format is the most common format, implemented by most authenticators.

from webauthn.

is it possible to use a smartphone as authenticator (e.g. for fingerprint)?

from webauthn.

Yes, fingerprints are supported on the latest Chrome on both Android and iOS. I haven't tested other browsers.

It is also possible to use Krypton to use your mobile phone as an authenticator for your desktop.

from webauthn.

I don't want to force to install third party apps, my idea was to use webauthn + QR following whatsapp web model, but I guess it does not respect the standard, right?

from webauthn.

I don't think that's the intended purpose of WebAuthn, so I don't think it's supported.

from webauthn.

Update for completeness: it seems like TouchID is not supported using Chrome (see #9) nor Safari (the protocol announced is apple).

from webauthn.