The W3C WebAuthn and FIDO2 working groups have been actively creating third versions of the W3C Web Authentication (WebAuthn) and FIDO2 Client to Authenticator Protocol (CTAP) specifications. While remaining compatible with the original and second standards, these third versions add features that have been motivated by experience with deployments of the previous versions. Additions include Cross-Origin Authentication within an iframe, Credential Backup State, the isPasskeyPlatformAuthenticatorAvailable method, Conditional Mediation, Device-Bound Public Keys (since renamed Supplemental Public Keys), requesting Attestations during authenticatorGetAssertion, the Pseudo-Random Function (PRF) extension, the Hybrid Transport, and Third-Party Payment Authentication.
I often tell people that I use my blog as my external memory. I thought I’d post references to these drafts to help me and others find them. They are:
- Web Authentication: An API for accessing Public Key Credentials, Level 3, W3C Working Draft, 27 September 2023
- Client to Authenticator Protocol (CTAP), FIDO Alliance Review Draft, March 21, 2023
Thanks to John Bradley for helping me compile the list of deltas!