Design Review #1085

#1085: [wg/webauthn] Web Authentication Level 3

Visit on Github.

Opened

Apr 29, 2025

こんにちは TAG-さん!

I'm requesting a TAG review of Web Authentication (WebAuthn) Level 3.

L3 contains many features. I've created a table with all of the required information.

General / common information:

Specification: https://w3c.github.io/webauthn/
GitHub repo: https://github.com/w3c/webauthn
Primary contacts:
- Tim Cappalli (@timcappalli), Okta, Editor
- Emil Lundberg (@emlun), Yubico, Editor
- Matthew Miller (@MasterKale), Cisco, Editor
- Tony Nadalin (@nadalin), Independent, Chair
- Simone Onofri (@simoneonofri), W3C

FEATURE NAME	EXPLAINER	SPEC LINK	EXISTING TAG REVIEWS	WPT TESTS	MULTI-STAKEHOLDER	ENGINE ISSUES	OTHER LINKS
Related Origin Requests	https://github.com/w3c/webauthn/wiki/Explainer:-Related-origin-requests	https://www.w3.org/TR/webauthn-3/#sctn-related-origins	-	n/a	https://developer.apple.com/documentation/safari-release-notes/safari-18-release-notes	https://chromestatus.com/feature/4635336177352704	https://github.com/w3c/webauthn/wiki/Security-&-Privacy-Self%E2%80%90Review:-Related-Origin-Requests
Conditional Create	https://github.com/w3c/webauthn/wiki/Explainer:-Conditional-Create	https://www.w3.org/TR/webauthn-3/#sctn-createCredential	-	https://wpt.fyi/results/webauthn/conditional-mediation.https.html	https://developer.apple.com/documentation/safari-release-notes/safari-18-release-notes	https://chromestatus.com/feature/5135710007590912
Conditional Get	https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-Conditional-UI	https://www.w3.org/TR/webauthn-3/#sctn-discover-from-external-source	https://github.com/w3ctag/design-reviews/issues/692	https://wpt.fyi/results/webauthn/conditional-mediation.https.html	https://github.com/mozilla/standards-positions/issues/692	https://chromestatus.com/feature/5026422640869376	https://github.com/w3c/webappsec-credential-management/wiki/Conditional-mediation-TAG-security-&-privacy-questionnaire
JSON (De)serialization methods	https://github.com/w3c/webauthn/wiki/Explainer:-JSON-Serialization-Methods	https://www.w3.org/TR/webauthn-3/#sctn-parseCreationOptionsFromJSON https://www.w3.org/TR/webauthn-3/#sctn-parseRequestOptionsFromJSON https://www.w3.org/TR/webauthn-3/#typedefdef-publickeycredentialjson	-	https://wpt.fyi/results/webauthn/public-key-credential-request-options-from-json.https.window.html https://wpt.fyi/results/webauthn/public-key-credential-creation-options-from-json.https.window.html https://wpt.fyi/results/webauthn/public-key-credential-to-json.https.window.html	https://github.com/WebKit/standards-positions/issues/373	https://bugs.chromium.org/p/chromium/issues/detail?id=1401128 https://bugzilla.mozilla.org/show_bug.cgi?id=1823782 https://bugs.webkit.org/show_bug.cgi?id=256856	n/a
Create in cross-origin iframe	https://github.com/w3c/webauthn/wiki/Explainer:-Cross%E2%80%90Origin-Credential-Creation	https://www.w3.org/TR/webauthn-3/#sctn-iframe-guidance	-	https://wpt.fyi/results/webauthn/createcredential-cross-origin-iframe.https.sub.html?label=experimental&label=master&aligned	https://github.com/mozilla/standards-positions/issues/964	https://chromestatus.com/feature/5736091539734528
Signal API	https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-Signal-API-explainer	https://www.w3.org/TR/webauthn-3/#sctn-signal-methods	https://github.com/w3ctag/design-reviews/issues/996	https://wpt.fyi/results/webauthn/signal-all-accepted-credentials.https.html https://wpt.fyi/results/webauthn/signal-current-user-details.https.html https://wpt.fyi/results/webauthn/signal-unknown-credential.https.html	https://webkit.org/standards-positions/#position-400 https://github.com/mozilla/standards-positions/issues/1075	https://chromestatus.com/feature/5101778518147072	https://github.com/w3c/webauthn/wiki/Security-&-privacy-self-review:-PublicKeyCredential-signal-methods
Get Client Capabilities	https://github.com/w3c/webauthn/wiki/Explainer:-Get-Client-Capabilities	https://www.w3.org/TR/webauthn-3/#sctn-getClientCapabilities	-	https://wpt.fyi/results/webauthn/getclientcapabilities.https.html	https://developer.apple.com/documentation/safari-release-notes/safari-17_4-release-notes#WebAuthn	https://chromestatus.com/feature/5128205875544064
PRF Extension	https://github.com/w3c/webauthn/wiki/Explainer:-PRF-extension	https://www.w3.org/TR/webauthn-3/#prf-extension	https://github.com/w3ctag/design-reviews/issues/806	https://wpt.fyi/results/webauthn/getcredential-prf.https.html https://wpt.fyi/results/webauthn/createcredential-prf.https.html	https://github.com/mozilla/standards-positions/issues/798	https://chromestatus.com/feature/5138422207348736	https://github.com/w3ctag/design-reviews/issues/806
Client Hints	https://github.com/w3c/webauthn/wiki/Explainer:-Client-Hints	https://www.w3.org/TR/webauthn-3/#enum-hints	-	https://wpt.fyi/results/webauthn/createcredential-hints.https.html		https://chromestatus.com/feature/5145737733341184	https://github.com/w3c/webauthn/wiki/Security-&-Privacy-Self%E2%80%90Review:-Client-Hints

Further details:

I have reviewed the TAG's Web Platform Design Principles

WebAuthn WG tracking issue: https://github.com/w3c/webauthn/issues/2247

Discussions