WebAuthn Plugin Version 1.0.0 Features

Existing features as of alpha 0.0.2:

• Authentication

  • Passwordless: Requires user verification but keys can be stored on the server

    • Requires username view

  • Usernameless (passkey): Requires discoverable credentials and user verification.

    • User selects the registered credential for a given user.id off the authenticator

  • Second Factor : After an appropriate first factor, only requires a FIDO compliant authenticator and user presence checking

• Registration

  • Admin UI flow for a user to register and remove WebAuthn credentials using the Storage Service API

• FIDO Metadata

  • Download and load the FIDO authenticator metadata

    • Only allow trusted authenticators

    • Enhance the registration UI

Features not yet implemented for V1.0.0:

• User identity information from attribute resolver : https://shibboleth.atlassian.net/browse/JWEBAUTHN-11

• CSP protection : JWEBAUTHN-4: Add CSP protection to viewsClosed

• Admin UI for managing user credentials across the organisation : JWEBAUTHN-8: Add an admin flow suitable for an sys admin to manage other users keysClosed

• Enhance WebAuthn error messaging : JWEBAUTHN-10: Enhance error messaging from the WebAuthn APIOpen

Future features:

• Reporting API : JWEBAUTHN-7: Monitor and potentially implement the WebAuthn Report APIOpen

• Autofill UI : JWEBAUTHN-3: Look into the Autofill UIOpen

• HTTP APIs to the plugin to support externalised credential management UI : JWEBAUTHN-9: Support HTTP APIs for registering and managing user credentialsOpen