Comments (6)
timcappalli
commented on July 28, 2024
1
I'd also add that just because an authenticator implementation is not currently using an attestation format, does not mean it is deprecated and it could be used in the future.
from webauthn.
emlun
commented on July 28, 2024
fido-u2f attestation is not deprecated, it will always continue to be used by U2F security keys from before the release of FIDO2. The deprecation of the U2F JavaScript API has no effect on this; these security keys still remain compatible with the WebAuthn API (though not all features, like User Verification and discoverable keys).
I don't know about the other formats, though.
from webauthn.
vanbukin
commented on July 28, 2024
@emlun Yes, you are correct about fido-u2f. I apologize if it was misleading. However, as far as I understand, for fido-u2f there will be no userHandle, which is mandatory for the usernameless sign-in scenario (If the user was not identified before the authentication ceremony was initiated). Perhaps this point is worth mentioning.
from webauthn.
emlun
commented on July 28, 2024
This is mentioned in ยง2.2.1. Backwards Compatibility with FIDO U2F, and implied by the description of PublicKeyCredential.response.userHandle:
[...] The authenticator MUST always return a user handle if the allowCredentials option used in the authentication ceremony is empty, and MAY return one otherwise.
Since U2F authenticators must always be used with non-empty allowCredentials, this implies that they always MAY (and in fact always do) return userHandle: null.
from webauthn.
vanbukin
commented on July 28, 2024
Apologies, for fido-u2f there indeed are instructions about the nuances of its operation. Thank you for the clarification. And what about apple and android-safetynet? Is it suitable to mention deprecation for them?
from webauthn.
emlun
commented on July 28, 2024
2023-10-25 WG call: Apple reports they are not comfortable with calling apple attestation deprecated at this time. Google confirms that SafetyNet attestation is deprecated, but judging by the deprecation timeline, SafetyNet attestation will still be supported in some form until January 2025. The WG feels we should not make any change to the spec so long as the attestation format is being produced by authenticators. We hope to release L3 of the spec well before January 2025 (the WG charter ends in April 2024), so we will not make any change for this in L3.
from webauthn.
Related Issues (20)
- Support for WebDriver BiDi HOT 2
- supplementalPubKeys attestation incompatible with most verification procedures
- Does WebAuthn supports User-Verifying Roaming Authenticators HOT 4
- How does First-factor roaming authenticator registration happens with RP (involving client) HOT 2
- CredentialCreationOptions/mediation not yet defined in CredMan HOT 1
- Authenticator Attestation Response's [[transports]] should be an attribute rather than an internal slot. HOT 4
- Align the order of fields in PublicKeyCredentialDescriptorJSON with PublicKeyCredentialDescriptor HOT 2
- Dictionary members should be ordered lexicographically per Web IDL Standard HOT 3
- Allow conditional mediation flow without username or password field, I.E. from button press HOT 4
- Add support for hinting at verbiage other than "sign in" during authentication HOT 5
- Add support for IDNs and display domain names in Unicode for a more user friendly UX HOT 4
- Add examples for PRF extension HOT 3
- Passkey - Disable authentication with another device HOT 3
- Proposal for password-only authentication using ES256 HOT 10
- [[Create]] should not access the global object directly HOT 1
- Define `TypeError` behavior during `.get()` HOT 2
- Return more nuanced errors HOT 3
- Does Related Origins introduce a need for "Related RP IDs" support in `.get()`? HOT 1
- UTF-8 decode should not be required for response.clientDataJSON and cData HOT 2
- CollectedClientData fields are not ordered correctly and crossOrigin should be required
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from webauthn.