WebAuthn: Level 2 Features and Enhancements

WebAuthn: Closing in on Level 2.

The newest version of Web Authentication is in the home stretch and should land as a W3C blessed spec shortly after the calendar turns to 2021. The W3C distinguishes their spec versions “Levels”, and as such the new specification released in early 2021 will be labeled Level 2 (L2).

At a high level, the Level 2 WebAuthn Specification is a series of fixes and enhancements to the original L1 spec. The focus for the Level 2 release is to expand functionality for specific use cases. Here are some highlights of Web Authentication L2.

Enterprise Attestation:

Enterprise Attestation (EA) is focused on device management within an enterprise, a familiar endeavor for any company. Enterprise Attestation is standardized in WebAuthn and FIDO CTAP2 and permits a relying party to request uniquely identifying information from authenticators during a registration event. This function was designed for controlled deployments within an enterprise where the organization wishes to tie registrations to specific authenticators, allowing management functions such as tracking key distribution and usage.

Usage tracking features supported with Enterprise Attestation do run counter to WebAuthn’s privacy principles on traceability. To address this concern, authenticators which support Enterprise Attestation are not available to consumers. Authenticator vendors must pre-load these attestations, with corporate management policies controlling if a site or service can request such an attestation. In short, only authenticators programmed with unique attestation by an organization can have their usage tracked on the same organization’s sites.

In addition, Enterprise Attestation features two approaches at the CTAP 2.1 layer - Vendor Facilitated EA and Platform Managed EA.

  • Vendor-Facilitated EA - Customers and authenticator vendors collaborate on configuring EA with the customer’s RP IDs. The authenticators are for the customer’s exclusive use, and the configured authenticators only return EA when requested by the RP IDs.

  • Platform-Managed EA - Platforms institute policy on whether an origin can request EA and if an EA-capable authenticator can return EA if requested. End-users can disable EA functionality with a hard reset, but enterprises can re-enable via management tools.

Note that WebAuthn Level 2 also will support an Apple Attestation format.

Cross-Origin iFrame Support:

Cross-Origin iFrame Support is key for mixing Web Authentication with web payments and other flows. The feature allows only a get() command, does not permit credential creation, and can traverse origins. The feature, however, maintains the integrity of the specification’s single origin, providing capabilities for WebAuthn L1 and L2 that allow create() and get() with support for same-origin iFrames. This allows for generating signatures in situations where authentication speed is required but limited by bandwidth, such as when using Bluetooth Low Energy and Near-Field Communication.

New Extensions

Large Blob storage extension: This extension compresses data and allows the RP to store opaque data associated with a credential. This feature is useful in specific cases, such as a Relying Party that wishes to issue certificates rather than run a centralized authentication service. Large blobs stored on authenticators using CTAP will use that FIDO specification when storing large blobs.

Discoverable Credentials (residentKey) “preferred” and credProps Extension: When creating credentials, the RP can signal that creating a Discoverable Credential is “discouraged”, “preferred”, or “required”. Formerly known as Resident Credential or Resident Key, Discoverable Credentials help enable passwordless re-authentication flows. The credProps extension informs RPs if the credential was created as discoverable or not.

FIDO AppID Exclusion Extension: This extension provides for RPs a migration bridge between legacy U2F implementations and WebAuthn/FIDO2. Developers also will have the ability to exclude U2F credentials. This feature determines if a caller’s FacetID is authorized for an AppID.