Web Authentication Feature Detection #383
Labels
Missing: example code
Missing: explainer
Missing: security & privacy review
Progress: pending editor update
TAG is waiting for a spec/explainer update
Resolution: timed out
The TAG has requesed additional information but has not received it
Topic: authentication
Topic: security features
Milestone
I'm requesting a TAG review of:
Further details:
Background
The Web Authentication specification (“WebAuthn”) allows the use of security keys (a.k.a. “U2F” keys or “FIDO” keys) on the web. Different browsers have different levels of support for various features but, in level one, there was a single, ad-hoc feature-detection interface to signal whether a built-in user-verifying authenticator was configured. (E.g. Touch ID on some Macs.)
However, web sites wish to provide smarter experiences based on the features supported by a given browser, and grubbing around in the User-Agent header is unpleasant and fragile. Working along the lines of the relevant design principle, there is a proposal to add a more featureful detection interface in level two.
The WG is aware that feature-detection is a subject that has some history in web standards and are seeking input sooner rather than later.
The following is a personal perspective, but might still be helpful background:
The concerns here are not so much from a privacy perspective. For the single existing feature-detection call in level one, Chromium reasoned that the information exposed was little more than could be gathered from browser version and rough hardware device—information that web sites can generally obtain already. Likewise, with the proposed interface, the information does not seem to be more than a detailed database of User-Agent strings and a little probing with Javascript could figure out anyway. So the uncertainty in the WG is more around whether there are strong opinions in the web community about this topic in general that we should be aware of.
We'd prefer the TAG provide feedback as (please select one):
The text was updated successfully, but these errors were encountered: