CTAP is the protocol used between computers and security keys. CTAP 2.1 defines[1] a security key extension called credBlob that is designed to store a hash value that can be used to authenticate externally provided data. This feature involves plumbing that value through WebAuthn to let the security key see it.

[1] https://fidoalliance.org/specs/fido-v2.1-rd-20210309/fido-client-to-authenticator-protocol-v2.1-rd-20210309.html#sctn-credBlob-extension

Motivation

credBlob is designed to associate a SHA-256 hash with a credential on a security key. Microsoft plans to use this to allow externally provided (and thus untrusted) data to be authenticated during an OS login process when central servers are unavailable. Allowing this extension to be exercised via WebAuthn makes it possible to create credentials via the web that are compatible with this scheme; otherwise all such credentials would have to be created via native tools.

Specification

Editor's draft

Status in Chromium

Blink>WebAuthentication

No active development (tracking bug)



Last updated on 2021-08-01