Talk:WebAuthn


Zero-Knowledge Proofs

I think referring to ZKPs in the introduction is needlessly confusing. Without explanation or source it's also unclear what kind of ZKPs are used, what they are used for. The W3C doesn't talk about ZKPs in its Web Authentication recommendations, so to me it doesn't appear to be essential to WebAuthn.

212.41.242.118 (talk) 12:27, 1 July 2025 (UTC)

  Implemented Bend1010 (talk) 12:41, 4 July 2025 (UTC)

Excessively amalgamated "such as"

WebAuthn is designed so that it can work with a range of public-key authenticator mechanisms, from pure software implementations to those using specialized hardware environments, such as a processor's trusted execution environment, a Trusted Platform Module, or an external hardware token accessed via USB, Bluetooth Low Energy, or near-field communications (NFC).

The "such as" list does not adequately declare itself on the range from "pure software" to "specialized hardware".

Experts can probably puzzle this out in 15 s. That is not the target audience for the lead passage. — MaxEnt 14:34, 10 September 2018 (UTC)

I think you are right, this is not as easily readable as it should be. I'm going to re-phrase this. --Karol Babioch (talk) 18:36, 9 October 2018 (UTC)
I finally managed to re-phrase the whole introduction. Hopefully it is better understandable now. Let me know what you think of it. --Karol Babioch (talk) 20:28, 11 October 2018 (UTC)

Avoid long summaries

Title says it all. For details, see: WP:SUMMARYNO. Thanks. Tom Scavo (talk) 13:37, 6 March 2019 (UTC)

Overview added

The article is under construction. A number of round trips are required. Thanks for your patience. Tom Scavo (talk) 15:26, 6 March 2019 (UTC)

Basic content added. It would be nice if the terms linked to the W3C WebAuthn glossary but I don't know how to do that. May have to link to the glossary itself (and let the reader navigate further). Tom Scavo (talk) 16:18, 6 March 2019 (UTC)
Okay, I've reached a stopping point (have at it). A few notes:
  1. Please don't link to the Authenticator topic (since it's a mess). I'm working on a complete rewrite of the Authenticator topic but this will take a while.
  2. Concrete examples of software authenticator and platform authenticator are needed. Web citations are required in each case.
  3. If you know of an authoritative citation that justifies the last paragraph in the WebAuthn#Overview section, please add it. Published articles only, please. We don't want to start a flame war :-) Tom Scavo (talk) 16:29, 6 March 2019 (UTC)
Somebody needs to add a simplified description showing how a computer user who doesn't understand the workings of this would use this. As it is, anybody who doesn't already understand what's going on would be completely lost in all the jargon. This wouldn't have to explain how it works, just what a layman trying to use it would do and see. Put that first, and the current detailed explanation second, and those who don't need or want the gory details won't have to wade through them. JDZeff (talk) 19:51, 19 December 2024 (UTC)

Biometrics

I believe the last paragraph is accurate. I was tempted to write "users are uniformly apprehensive of biometrics" (or something like that) but that would be even more contentious, I know. Clearly the last paragraph needs at least one authoritative citation (see above). Tom Scavo (talk) 18:11, 6 March 2019 (UTC)

I added a couple of citations re biometrics (both from Duo Security) but I still think a published reference is needed. Surely someone has already done this research. Tom Scavo (talk) 17:02, 8 March 2019 (UTC)

Support

IMO, the WebAuthn#Support section should cover browsers and relying parties only, no authenticators. Alternatively, the latter could be listed on the forthcoming Draft:Authenticator page instead. I added a table to that page along with a bit of content to illustrate. Comments? Tom Scavo (talk) 17:31, 8 March 2019 (UTC)

Unreadable.

This writeup is useless to outsiders. I am computer literate up to a decade or two ago, but most sentences gave me no usable information. I grant that technical language may be needed, but please explain at least some ideas in lay terms. Burressd (talk) 23:18, 17 May 2025 (UTC)

The insistence that there is no password

I think the problems of this article largely mirror the main problem of descriptions found on the internet, namely that everyone seems to push the selling point that there is no password. But there is always some secret, and if not at least part of that secret is a password then some quite unpleasant misfeatures tend to arise.

I'm not sure what to do about the article, we need some non-bullshit description as a source. EBusiness (talk) 08:45, 8 June 2025 (UTC)

Yea, it can seem a little disingenuous. Ars Technica[1] mentions one way in which the "password replacement" language is not quite true: most sites still require that you have a password and traditional 2FA as a back-up.
Another way that this shows up is with sites like Facebook, Twitter and GitHub that only let you use WebAuthn as a second factor. IIRC this was the way that most sites implemented it in the early days. It might be worth having a few paragraphs in the body explaining the different ways that WebAuthn credentials are utilised in combination with, or instead of, other methods of authentication. Bend1010 (talk) 13:04, 3 July 2025 (UTC)