Contact emails: ...@chromium.org

Explainer: https://github.com/w3c/webauthn/wiki/Explainer:-PRF-extension

Specification: https://w3c.github.io/webauthn/#prf-extension

Summary

The PRF extension to WebAuthn allows a pseudo-random function (i.e. HMAC),
stored on the security key, to be evaluated when getting a credential. This
can be used to derive secret keys used to encrypt user data.

Blink component: Blink>WebAuthentication
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EWebAuthentication>

Search tags: webauthn <https://chromestatus.com/features#tags:webauthn>, prf
<https://chromestatus.com/features#tags:prf>, hmac
<https://chromestatus.com/features#tags:hmac>

TAG review: https://github.com/w3ctag/design-reviews/issues/806

TAG review status: Complete

Risks

Interoperability and Compatibility

Support on Windows depends on having a recent version of Windows. Not every
security key supports the underlying hmac_secret functionality. Some
passkey providers on Android 14 may not support it.

*Gecko*: No signal

*WebKit*: No signal

*Web developers*: We've had several requests to enable this. Hopefully some
will reply to this thread in the coming week.

Security

Some platforms may have assumed that the web would not ever be able to
access the HMAC oracles in security keys. Therefore the HMAC inputs are
hashed with a context string before being used, thus preventing sites from
evaluating any HMAC input from the native domain.

WebView application risks

WebAuthn is not currently supported in WebViews. If that changes, this
feature isn't expected to cause any specific difficulties. It remains the
case that apps need to be authorized by assetlinks.json to access WebAuthn
credentials.

Debuggability: This feature is supported by Chromium's simulated security key
and can be used by Web Driver tests and, later, could be exposed in
DevTools.

Will this feature be supported on all six Blink platforms (Windows, Mac,
Linux, Chrome OS, Android, and Android WebView)? Yes, although support for
WebAuthn in WebViews in general is still in the future.

Is this feature fully tested by web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
Yes

Flag name: chrome://flags/#enable-experimental-web-platform-features,
although it'll have a separate killswitch flag when default enabled.

Requires code in //chrome? False

Tracking bug: https://bugs.chromium.org/p/chromium/issues/detail?id=1106961

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5138422207348736

Links to previous Intent discussions
Intent to prototype:
https://groups.google.com/a/chromium.org/g/blink-dev/c/t_9QdJ7hcls/m/CAAOGBIVBgAJ
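
The hashing step described under Security, modeled as an added example that is not part of the original message or of Chromium's code. The context prefix ("WebAuthn PRF" followed by a zero byte) is taken from the linked specification; the key, the salt and all function names are constructed for illustration, and the model leaves out CTAP's salt encryption between platform and security key.

```python
import hashlib
import hmac

# Context prefix defined by the WebAuthn PRF specification (not quoted in this message).
WEB_CONTEXT = b"WebAuthn PRF\x00"

# Constructed sample values, for illustration only.
CRED_KEY = bytes(range(32))  # stands in for the per-credential HMAC key
NATIVE_SALT = hashlib.sha256(b"constructed native-app salt").digest()


def web_prf_salt(site_input: bytes) -> bytes:
    """Browser side: hash the site's PRF input with the web context string."""
    return hashlib.sha256(WEB_CONTEXT + site_input).digest()


def authenticator_hmac(cred_key: bytes, salt: bytes) -> bytes:
    """Security key side: HMAC-SHA-256 over a salt that must be 32 bytes."""
    if len(salt) != 32:
        raise ValueError("hmac-secret salt must be exactly 32 bytes")
    return hmac.new(cred_key, salt, hashlib.sha256).digest()


def evaluate_from_web(cred_key: bytes, site_input: bytes) -> bytes:
    """Path a website takes: its input never reaches the key unhashed."""
    return authenticator_hmac(cred_key, web_prf_salt(site_input))


def evaluate_from_native(cred_key: bytes, salt: bytes) -> bytes:
    """Path a native platform caller takes: the salt is used as given."""
    return authenticator_hmac(cred_key, salt)


def replay_matches_native(cred_key: bytes, native_salt: bytes) -> bool:
    """True only if a site replaying the native salt gets the native output."""
    return hmac.compare_digest(
        evaluate_from_web(cred_key, native_salt),
        evaluate_from_native(cred_key, native_salt),
    )


if __name__ == "__main__":
    print("native:", evaluate_from_native(CRED_KEY, NATIVE_SALT).hex())
    print("web   :", evaluate_from_web(CRED_KEY, NATIVE_SALT).hex())
    print("replay matches:", replay_matches_native(CRED_KEY, NATIVE_SALT))
```

For a site to obtain the native output it would need an input whose SHA-256 under the web prefix equals the native salt, which is a preimage search.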
