WebAuthn (101) An Introduction to the Specification

From IIW



Tuesday 1C


Convener: Nick Steele

Notes-taker(s): Jordan Wright


Tags for the session - technology discussed/ideas considered:


authentication, passwordless


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:


We covered the core principles of the protocol, how requests and responses are handled, and how WebAuthn authenticators can be different types of devices, FIDO-specific or otherwise. 


We also talked about how FIDO2 is not only WebAuthn but also includes CTAP2, the Client to Authenticator Protocol, which is not necessary to accomplish Web Authentication, and how WebAuthn resists phishing by scoping credentials to a Relying Party.
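As an added illustration of the Relying Party scoping mentioned above (example code written for these notes, not from the session or from any WebAuthn library): the server-side checks that tie an assertion to the RP's own origin and RP ID. The RP ID, origins and challenge are constructed sample values, and signature verification is left out.

```python
import base64
import hashlib
import json
import struct

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_authenticator_data(rp_id: str, sign_count: int = 1) -> bytes:
    """Minimal authenticatorData: SHA-256(rpId) || flags || signCount.
    Flags 0x05 = User Present (bit 0) + User Verified (bit 2)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + struct.pack(">I", sign_count)

def verify_rp_binding(client_data_json: bytes, auth_data: bytes, expected_rp_id: str,
                      allowed_origins: set, expected_challenge: bytes) -> tuple:
    """Origin, challenge and rpIdHash checks from the assertion procedure; signature check out of scope."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "unexpected clientData type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") not in allowed_origins:
        return False, "origin not allowed: %r" % cd.get("origin")
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash does not match expected RP ID"
    return True, "ok"

# Constructed sample values: the RP ID is example.com, logins happen on https://login.example.com
CHALLENGE = b"\x01" * 32
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}

def client_data(origin: str) -> bytes:
    """clientDataJSON as the browser would produce it for a given page origin."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(CHALLENGE), "origin": origin}).encode()

def legitimate_assertion() -> tuple:
    return verify_rp_binding(client_data("https://login.example.com"),
                             make_authenticator_data("example.com"), RP_ID, ALLOWED_ORIGINS, CHALLENGE)

def lookalike_assertion() -> tuple:
    # On a look-alike site the browser reports its real origin and the authenticator
    # scopes the operation to that site's RP ID, so the RP rejects the response.
    return verify_rp_binding(client_data("https://login.examp1e.com"),
                             make_authenticator_data("examp1e.com"), RP_ID, ALLOWED_ORIGINS, CHALLENGE)
```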


Additionally, we discussed how WebAuthn can be used in Federal agencies, how we can attach additional identifying information, and what resources can help with implementation of the standard.


Helpful sites included:


webauthn.io

webauthn.guide

webauthn.org

webauthn.me

webauthn.bin.coffee

(Image attached to the session notes: IIW28 TU 1C WebAuthn-Intro to Specification.jpg)