*Contact emails*
nsatra...@chromium.org, identity-...@chromium.org

*Explainer*
https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-Large-Blob-Extension

*Specification*
https://www.w3.org/TR/webauthn-2/#sctn-large-blob-extension

*Summary*
The WebAuthn large blob extension allows relying parties to store opaque data associated with a credential. This is useful for authentication schemes involving storing certificates on authenticators.

*Blink component*
Blink>WebAuthentication

*Search tags*
webauthn, large blob, blobs

*TAG review*
https://github.com/w3ctag/design-reviews/issues/820

*TAG review status*
Pending

*Risks*

*Interoperability and Compatibility*
Low. This feature has long been part of the WebAuthn L2 recommended standard <https://www.w3.org/TR/webauthn-2/#sctn-large-blob-extension>. It is supported by production CTAP 2.1 security keys as well as recent enough versions of the Windows WebAuthn API.

Gecko: No signal (https://github.com/mozilla/standards-positions/issues/750)
WebKit: No signal (https://github.com/WebKit/standards-positions/issues/139)
Web developers: Positive. We had a few developers reach out about availability, e.g. crbug.com/1282491.
Other signals: Microsoft has shipped the OS-level large blob API, see https://github.com/microsoft/webauthn/blob/master/webauthn.h

*Ergonomics*
WebAuthn is already an asynchronous API with a "long" time to get a response (in the order of seconds) since it needs user interaction. Adding this feature will not impact the "normal" webauthn flow. For relying parties (i.e. websites) using it, it won't significantly affect performance.

*Activation*
This feature can't be polyfilled since it relies on hardware support. Large blob is a fairly simple feature, only exposing a way to query for support, write, and read blobs. Integration with existing frameworks exercising webauthn should be straightforward.

*Security*
The implementation requires compressing and uncompressing arbitrary data. This is done in the data decoder service <https://source.chromium.org/chromium/chromium/src/+/master:services/data_decoder/gzipper.h>, which runs in a sandboxed process.
This implementation feature was security-reviewed <https://chromium-review.googlesource.com/c/chromium/src/+/2464011>.

*WebView application risks*
None.

*Debuggability*
Developers can use the devtools webauthn tab <https://developers.google.com/web/tools/chrome-devtools/webauthn> to debug this feature. Support can be toggled on or off to simulate authenticator capabilities.

*Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?*
No. This feature will be supported on Mac, Linux, Windows (< 10 19h1; >= 11), & Chrome OS. Windows >= 10 19h1 relies on a high-level API. Support on that high level API landed on Windows 11. Similarly, the android webauthn implementation relies on a higher level API that does not support this feature.

*Is this feature fully tested by web-platform-tests?*
Yes. https://wpt.fyi/webauthn, see large-blob

*Flag name*
enable-experimental-web-platform-features

*Requires code in //chrome?*
No.

*Tracking bug*
https://bugs.chromium.org/p/chromium/issues/detail?id=1114875

*Measurement*
None.

*Non-OSS dependencies*
On Windows, for security keys the API depends on a version >= 3 of the WebAuthn API <https://github.com/microsoft/webauthn/blob/master/webauthn.h>. This is currently present on recent enough versions of Windows 11.
On Android, for security keys the API depends on the Google Play Services implementation of FIDO. At the moment, Play Services does not support CTAP 2.1, which is required for this feature.
On Mac & Linux, support for security keys is provided by Chrome.
On all desktop platforms, support for hybrid (i.e. phone/tablet) authenticators does not depend on the OS.

*Sample links*
https://webauthn-large-blob.glitch.me

*Estimated milestones*
M113

*Anticipated spec changes*
None.

*Link to entry on the Chrome Platform Status*
https://chromestatus.com/feature/5657899357437952

*Links to previous Intent discussions*
Intent to prototype: https://groups.google.com/a/chromium.org/g/blink-dev/c/t_9QdJ7hcls/m/CAAOGBIVBgAJ

--
Nina Satragno
she/they
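
The three operations named under *Activation* (query for support, write, read), sketched as an added example that is not part of the original message or of Chromium's code. The extension member names follow the WebAuthn L2 specification linked above; the helper function names and the commented browser calls are assumptions made for illustration.

```javascript
// Added example: option builders for the WebAuthn L2 largeBlob extension.
// Member names (support, read, write, supported, blob, written) come from the
// WebAuthn L2 spec; the helper names below are hypothetical.

// Registration: ask for large blob support ("required" or "preferred").
function largeBlobCreateExtension(support = "preferred") {
  if (support !== "required" && support !== "preferred") {
    throw new TypeError("support must be 'required' or 'preferred'");
  }
  return { largeBlob: { support } };
}

// Assertion: read the blob or write one. The spec rejects read and write in
// the same request, and a write must name exactly one allowed credential.
function largeBlobGetOptions({ challenge, allowCredentials = [], read, write }) {
  if (read && write !== undefined) {
    throw new Error("NotSupportedError: read and write are mutually exclusive");
  }
  if (!read && write === undefined) {
    throw new TypeError("specify read: true or write: <BufferSource>");
  }
  if (write !== undefined && allowCredentials.length !== 1) {
    throw new Error("NotSupportedError: write requires exactly one allowed credential");
  }
  const largeBlob = write !== undefined ? { write } : { read: true };
  return { publicKey: { challenge, allowCredentials, extensions: { largeBlob } } };
}

// Normalise getClientExtensionResults() output into one status object, so a
// missing or partial result is treated as "not supported / nothing stored".
function largeBlobOutcome(results) {
  const lb = (results && results.largeBlob) || {};
  return {
    supported: lb.supported === true,
    written: lb.written === true,
    blob: lb.blob ? new Uint8Array(lb.blob) : null,
  };
}

// In a browser (not executed here; rpOptions, challenge, certBytes are assumed):
//   const cred = await navigator.credentials.create({ publicKey: {
//     ...rpOptions, extensions: largeBlobCreateExtension("required") } });
//   largeBlobOutcome(cred.getClientExtensionResults()).supported
//   const res = await navigator.credentials.get(largeBlobGetOptions({ challenge,
//     allowCredentials: [{ type: "public-key", id: cred.rawId }], write: certBytes }));
//   largeBlobOutcome(res.getClientExtensionResults()).written
```

The blob is opaque to the authenticator and the browser, so a relying party that stores a certificate this way still has to validate what it reads back.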