
Web Authentication Feature Detection #383

Closed
2 of 4 tasks
agl opened this issue Jun 6, 2019 · 5 comments
Comments

@agl

agl commented Jun 6, 2019

I'm requesting a TAG review of:

Further details:

  • Relevant time constraints or deadlines: Web Authentication WG is likely to decide whether to land the PR in the coming weeks. It would then be in the pipeline for WebAuthn Level 2 Draft 2.
  • I have reviewed the TAG's API Design Principles
  • The group where the work on this specification is: Web Authentication

Background

The Web Authentication specification (“WebAuthn”) allows the use of security keys (a.k.a. “U2F” keys or “FIDO” keys) on the web. Different browsers have different levels of support for various features but, in level one, there was a single, ad-hoc feature-detection interface to signal whether a built-in user-verifying authenticator was configured. (E.g. Touch ID on some Macs.)

However, web sites wish to provide smarter experiences based on the features supported by a given browser, and grubbing around in the User-Agent header is unpleasant and fragile. Working along the lines of the relevant design principle, there is a proposal to add a more featureful detection interface in level two.

The WG is aware that feature-detection is a subject that has some history in web standards and are seeking input sooner rather than later.

The following is a personal perspective, but might still be helpful background:

The concerns here are not so much from a privacy perspective. For the single existing feature-detection call in level one, Chromium reasoned that the information exposed was little more than could be gathered from browser version and rough hardware device—information that web sites can generally obtain already. Likewise, with the proposed interface, the information does not seem to be more than a detailed database of User-Agent strings and a little probing with Javascript could figure out anyway. So the uncertainty in the WG is more around whether there are strong opinions in the web community about this topic in general that we should be aware of.

We'd prefer the TAG provide feedback as (please select one):

  • open issues in our GitHub repo for each point of feedback
  • open a single issue in our GitHub repo for the entire review. (Actually, feedback on the PR would keep things together.)
  • leave review feedback as a comment in this issue and @-notify [github usernames]
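The Background section contrasts sniffing the User-Agent header with calling a feature-detection interface. The following is an added example, not code from the issue or from the WebAuthn specification: it feature-detects the WebAuthn API and the single Level 1 call the issue refers to, `PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()`, and picks an enrollment flow from the result. The detection is parameterised on a window-like object so it runs outside a browser against constructed fakes; the function and flow names are the example's own, and in a page you would pass `window`.

```javascript
// Added example (not from the issue or the WebAuthn spec): feature-detect
// WebAuthn without inspecting the User-Agent header. `win` is the global
// object (`window` in a browser); tests below pass constructed fakes.

// Synchronous check: is the WebAuthn API surface present at all?
function hasWebAuthnApi(win) {
  return typeof win === "object" && win !== null &&
    typeof win.PublicKeyCredential === "function" &&
    typeof win.navigator === "object" && win.navigator !== null &&
    typeof win.navigator.credentials === "object" && win.navigator.credentials !== null &&
    typeof win.navigator.credentials.create === "function" &&
    typeof win.navigator.credentials.get === "function";
}

// Asynchronous check using the Level 1 call named in the issue. Any failure
// (method absent, promise rejected) degrades to "no platform authenticator"
// rather than an exception, so the caller always reaches a fallback path.
async function detectWebAuthnCapabilities(win) {
  const result = { webauthn: false, platformAuthenticator: false };
  if (!hasWebAuthnApi(win)) return result;
  result.webauthn = true;
  const pkc = win.PublicKeyCredential;
  if (typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable !== "function") return result;
  try {
    result.platformAuthenticator =
      (await pkc.isUserVerifyingPlatformAuthenticatorAvailable()) === true;
  } catch (_e) {
    result.platformAuthenticator = false;
  }
  return result;
}

// Branch on capabilities instead of on browser identity (flow names are
// the example's own, not spec terms).
function chooseEnrollmentFlow(caps) {
  if (!caps.webauthn) return "password-only";
  if (caps.platformAuthenticator) return "offer-platform-authenticator";
  return "offer-roaming-security-key";
}

// Constructed fake globals standing in for browsers of differing capability.
function fakeWindow({ api, platform, reject }) {
  if (!api) return {};
  function PublicKeyCredential() {}
  if (platform !== undefined) {
    PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable = async () => {
      if (reject) throw new Error("constructed failure");
      return platform;
    };
  }
  return {
    PublicKeyCredential,
    navigator: { credentials: { create: async () => null, get: async () => null } },
  };
}

// Stand-alone usage: run the detection against each constructed fake.
(async () => {
  const cases = [
    { api: false },
    { api: true },
    { api: true, platform: true },
    { api: true, platform: false, reject: true },
  ];
  for (const opts of cases) {
    const caps = await detectWebAuthnCapabilities(fakeWindow(opts));
    console.log(JSON.stringify(opts), "->", chooseEnrollmentFlow(caps));
  }
})();
```

The point of routing every failure into the same fallback is that a site never has to know which browser or version it is talking to; it only learns whether the capability it wants is present right now, which is what the issue's proposed Level 2 interface aims to make richer.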
@dbaron
Member

dbaron commented Jun 7, 2019

Is there an explainer somewhere? (The underlying use cases, plus some examples, seem particularly desirable.) It also seems like the answers to the questions in the security and privacy questionnaire would be useful here. (These are both things we generally request as part of a review and which are part of the issue template.)

@equalsJeffH

equalsJeffH commented Jun 10, 2019

@dbaron -

Is there an explainer somewhere?

There are use cases and developer scenarios in the WebAuthn spec:

https://www.w3.org/TR/webauthn/#use-cases && https://www.w3.org/TR/webauthn/#sample-scenarios

There are also various WebAuthn API articles, here's a couple:

https://webauthn.guide/#webauthn-api

https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API

@dbaron
Member

dbaron commented Jun 12, 2019

Those appear to cover the entirety of WebAuthn, not the particular issue the TAG is being asked to review here. Is there something covering just that?

Some questions that I might expect an explainer about the feature detection (in addition to what's in the Background section above) to answer might be:

  • what led to the choice of the level of granularity chosen, and what alternatives were considered
  • how the set of features exposed corresponds to the API surface (because separating the feature detection from the API surface is often undesirable)
  • what the major points of disagreement about the design were (and the arguments for each)

@plinss plinss added this to the 2019-07-24-telecon milestone Jul 10, 2019
@plinss plinss added the Progress: pending editor update TAG is waiting for a spec/explainer update label Jul 24, 2019
@hadleybeeman
Member

Hi @agl and @jafisher-microsoft. We've come back to this in today's call, and are stuck here. If you're able to pick up the thread and help us out with an explainer for this specifically (Web Authn Feature Detection), a security and privacy questionnaire, and any example code, that would be great – we'd love to help! – but if you're not able to right now, we're not sure what we can do to help. We'd suggest closing this and having you come back to us when you're ready.

What makes sense to you?

@torgo
Member

torgo commented Sep 10, 2019

Hi @agl @jafischer-microsoft. Considering we haven't heard back after our last ping, we're going to close this one for now in order to help us manage our workload. Please feel free to ping us on this issue if you would like us to reopen.

@torgo torgo closed this as completed Sep 10, 2019
@dbaron dbaron added the Resolution: timed out The TAG has requested additional information but has not received it label Sep 10, 2019