CTAP2 credBlob extension - Chrome Platform Status

Feature: CTAP2 credBlob extension

CTAP is the protocol used between computers and security keys. CTAP 2.1 defines[1] a security key extension called credBlob that is designed to store a hash value that can be used to authenticate externally provided data. This feature involves plumbing that value through WebAuthn to let the security key see it. [1] https://fidoalliance.org/specs/fido-v2.1-rd-20210309/fido-client-to-authenticator-protocol-v2.1-rd-20210309.html#sctn-credBlob-extension

Motivation

credBlob is designed to associate a SHA-256 hash with a credential on a security key. Microsoft (will) use this to allow externally-provided (and thus untrusted) data to be authenticated during an OS login process when central servers are unavailable. By allowing this extension to be exercised via WebAuthn it's possible to create credentials via the web that will be compatible with this. Otherwise all such credentials would have to be created via native tools.

Specification

Specification link

Status: Unknown standards status - check spec link for status

Status in Chromium

Blink components: Blink>WebAuthentication

Implementation status: No active development (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

Firefox: No signal
Safari: No signal
Web Developers: No signals

Owner

agl@chromium.org

Intent to Prototype url

Intent to Prototype thread

Last updated on 2021-12-07