PROPOSED Web Authentication Working Group Charter
The mission of the Web Authentication Working Group, in the Security Activity is to define a client-side API providing strong authentication functionality to Web Applications.
This proposed charter is available on GitHub. Feel free to raise issues.
|Start date||[dd monthname yyyy] (date of the "Call for Participation", when the charter is approved)|
|Start date + 2 years||[dd monthname yyyy]|
|Charter extension||See Change History.|
John Fontana, Yubico
Anthony Nadalin, W3C Invited Expert
|Team Contacts||Wendy Seltzer (0.05 FTE)|
Teleconferences: 1-hour calls will be held weekly.
Face-to-face: We will meet during the W3C's annual Technical Plenary week; additional face-to-face meetings may be scheduled by consent of the participants, no more than 3 per year.
The Web Authentication Working Group will develop recommendation-track specifications defining an API, as well as signature and attestation formats which provide an asymmetric and symmetric cryptography-based foundation for authentication of users to Web Applications.
Overall goals include obviating the use of shared secrets, i.e. passwords, as authentication credentials, facilitating multi-factor authentication support as well as hardware-based key storage while respecting the Same Origin Policy (SOP) by default and allowing for explicit, constrained SOP relaxation.
The Working Group will determine use cases that the API needs to support and use these to derive requirements. Success will be determined by the implementation of API features as defined in this section of the charter.
API Features in scope are:
- Requesting generation of multiple asymmetric key pairs within a specific scope (e.g., an origin) with crypto (signature and curve) agility and crypto parameter selection;
- Proving that the browser has possession of a specific private key, where the proof can only be done within the scope of the key pair. In other words, authentication should obey the same origin policy;
- Remote desktop (unattended operation) ability;
- Ability to allow a non-modal UI;
- Binding of ambient credentials;
- Re-authentication from the discretion of the relying party;
- Dynamic linking of authentication credentials;
- Storing of private key(s);
- Account recovery and/or credential backup options;
- Facilitate relying party adoption through additional API enhancements such as returning transport indications in assertions, a credential “durability” signal, and credential status feedback signaling from relying parties.
Dependencies may exist on the Credential Management API in the W3C Web Application Security Working Group along with the Client To Authenticator Protocol specification in FIDO.
Note that the details of any user experience (such as prompts) will not be normatively specified, although they may be informatively specified for certain function calls.
The Web Authentication Working Group should aim to produce specifications that have wide deployment and should adopt, refine and when needed, extend, existing practices and community-driven draft specifications when possible. The APIs should integrate well with Web Applications and so should be developed in concert with Web Application developers and reviewed by the Web Application Security and Web Applications Working Groups.
Comprehensive test suites should be developed for the specification to ensure interoperability. User-centric privacy considerations of device management and credentials should be taken into account. The Working Group may produce protocol standards as needed by the API.
Out of Scope
The folllowing items are out of scope:
- federated identity,
- multi-origin credentials,
- low-level access to cryptographic operations or key material.
In order to advance to Proposed Recommendation, each specification is expected to have at least two independent implementations of each feature defined in the specification. The extensions listed in the specification are tested at extension framework level for correctness, the functionality of each extension is tested independently.
Current deliverable status is available on the group publication status page.
Draft state indicates the state of the deliverable at the time of the charter approval. Expected completion indicates when the deliverable is projected to become a Recommendation, or otherwise reach a stable state.
The Working Group will deliver at least the following W3C normative specification:
- Web Authentication API Level 3
This specification makes secure authentication available to Web application developers via a standardized API. This new version will incorporate errata of the earlier Web Authentication Specifications and any additional authenticator selection criteria use cases.
Draft state: Adopted from Web Authentication WG, Level 3 First Public Working Draft
Adopted Draft: Web Authentication: An API for accessing Public Key Credentials - Level 3, 2021-04-27
Exclusion Draft: https://www.w3.org/TR/2021/WD-webauthn-3-20210427/
Associated Call for Exclusion on 2021-04-27
Exclusion opportunity ends on 2021-09-24.
Produced under Working Group Charter: https://www.w3.org/2019/10/webauthn-wg-charter.html
The working group will produce a test suite and implementation report for its specification(s).
Other non-normative documents may be created such as:
- Use case and requirement documents, including use cases as needed to inform user requirements across horizontal areas,
- Primer or Best Practice documents to support web developers when designing applications.
- Protocol design overview documents or flow diagrams.
In order to advance to Proposed Recommendation, each normative specification is expected to have at least two independent implementations of every feature defined in the specification.
Each specification should contain separate sections detailing all known security and privacy implications for implementers, Web authors, and end users.
There should be testing plans for each specification, starting from the earliest drafts.
For all specifications, this Working Group will seek horizontal review for accessibility, internationalization, performance, privacy, and security with the relevant Working and Interest Groups, and with the TAG. Invitation for review must be issued during each major standards-track document transition, including FPWD. The Working Group is encouraged to engage collaboratively with the horizontal review groups throughout development of each specification. The Working Group is advised to seek a review at least 3 months before first entering CR and is encouraged to proactively notify the horizontal review groups when major changes occur in a specification following a review.
This API should work with a wide variety of authenticators and should not require non-standardized vendor-specific infrastructure. We will establish liaisons with the other standards bodies working on particular authenticators as needed.
Additional technical coordination with the following Working Groups will be made, per the W3C Process Document:
- Web Application Security Working Group
- Coordination with Credential Management API and application security.
- Web Applications Working Group
- Coordination on API design.
- Web Payments Working Group
- To liaison over issues related to strong authentication for payments and tokenization.
- Web Payments Security Interest Group
- To liaison over issues related to strong authentication for payments and tokenization with FIDO, W3C and EMVCo.
- Privacy Interest Group
- Coordination on privacy implications.
- Accessible Platform Architectures (APA) Working Group
- Coordination to review accessibility requirements for APIs and for any direct user interfaces that may be specified.
- Decentralized Identifier Working Group
- To liaison over issues related to strong authentication and proof of ownership of decentralized identifiers.
- WebAuthn Adoption Community Group
- This group helps coordinate research and actions to help with broader adoption of the Web Authentication ecosystem.
- IETF Security Area Directorate
- The IETF Security Area Directorate consists of the Working Group Chairs of the Security Area and selected individuals chosen for their technical knowledge in security.
- FIDO 2.0 Working Group
- Coordination on Client to Authenticator Protocol.
To be successful, this Working Group is expected to have 6 or more active participants for its duration, including representatives from the key implementors of this specification, and active Editors and Test Leads for each specification. The Chairs, specification Editors, and Test Leads are expected to contribute half of a working day per week towards the Working Group. There is no minimum requirement for other Participants.
The group encourages questions, comments and issues on its public mailing lists and document repositories, as described in Communication.
The group also welcomes non-Members to contribute technical submissions for consideration upon their agreement to the terms of the W3C Patent Policy.
Participants in the group are required (by the W3C Process) to follow the W3C Code of Ethics and Professional Conduct.
Technical discussions for this Working Group are conducted in public: the meeting minutes from teleconference and face-to-face meetings will be archived for public review, and technical discussions and issue tracking will be conducted in a manner that can be both read and written to by the general public. Working Drafts and Editor's Drafts of specifications will be developed in public repositories and may permit direct public contribution requests. The meetings themselves are not open to public participation, however.
Information about the group (including details about deliverables, issues, actions, status, participants, and meetings) will be available from the Web Authentication Working Group home page.
Most Web Authentication Working Group teleconferences will focus on discussion of particular specifications, and will be conducted on an as-needed basis.
This group primarily conducts its technical work through a GitHub repository and on the public mailing list firstname.lastname@example.org (archive). The public is invited to raise issues on GitHub.
The group may use a Member-confidential mailing list for administrative purposes and, at the discretion of the Chairs and members of the group, for member-only discussions in special cases when a participant requests such a discussion.
This group will seek to make decisions through consensus and due process, per the W3C Process Document (section 3.3). Typically, an editor or other participant makes an initial proposal, which is then refined in discussion with members of the group and other reviewers, and consensus emerges with little formal voting being required.
However, if a decision is necessary for timely progress and consensus is not achieved after careful consideration of the range of views presented, the Chairs may call for a group vote and record a decision along with any objections.
To afford asynchronous decisions and organizational deliberation, any resolution (including publication decisions) taken in a face-to-face meeting or teleconference will be considered provisional. A call for consensus (CfC) will be issued for all resolutions (for example, via email, GitHub issue or web-based survey), with a response period from one week to 10 working days, depending on the chair's evaluation of the group consensus on the issue. If no objections are raised by the end of the response period, the resolution will be considered to have consensus as a resolution of the Working Group.
All decisions made by the group should be considered resolved unless and until new information becomes available or unless reopened at the discretion of the Chairs or the Director.
This charter is written in accordance with the W3C Process Document (Section 3.4, Votes) and includes no voting procedures beyond what the Process Document requires.
This Working Group operates under the W3C Patent Policy (Version of 15 September 2020). To promote the widest adoption of Web standards, W3C seeks to issue Web specifications that can be implemented, according to this policy, on a Royalty-Free basis. For more information about disclosure obligations for this group, please see the licensing information.
This Working Group will use the W3C Document license for all its deliverables.
About this Charter
This charter has been created according to section 5.2 of the Process Document. In the event of a conflict between this document or the provisions of any charter and the W3C Process, the W3C Process shall take precedence.
The following table lists details of all changes from the initial charter, per the W3C Process Document (section 5.2.3):
|Charter Period||Start Date||End Date||Changes|
|Initial Charter||8 February 2016||8 February 2017|
|Charter Extension (Announcement)||8 February 2017||8 August 2017||Samuel Weiler added as team contact. Harry Halpin stepped down as team contact.|
|New co-chair (Announcement)||no change||no change||John Fontana appointed as chair, 21 June 2017. Richard Barnes stepped down as chair, 22 March 2017.|
|Charter Extension (Announcement)||8 February 2017||31 October 2017||Charter extended|
|Rechartered (Announcement)||11 October 2017||15 September 2019||
Rechartered to include a version 2.
|Recharter||15 October 2021||30 December 2021||
|Chair Update||no change||no change||
Anthony Nadalin re-appointed as group chair, 7 August 2020.
|Rechartered||[dd monthname yyyy]||[dd monthname yyyy]||
[description of change to charter, with link to new deliverable item in charter] Note: use the class