[ANN] WebAuthn - Web Authentication

Hello,

I am pleased to announce the release of webauthn on opam (PR pending), a server-side implementation of WebAuthn, a web standard published by W3C of a similar vein as U2F for (second factor) authentication using various authenticators such as FIDO U2F devices, Android SafetyNet etc. Registering a new authenticator involves the client sending a public key among other data to the server. Authentication is then done by sending a challenge which the client responds to using the key.

The motivation for developing this WebAuthn implementation is Google’s intention of deprecating U2F in Chrome https://groups.google.com/a/chromium.org/g/blink-dev/c/xHC3AtU_65A

Like our U2F implementation, the library does not use any IO, and only handles the logic of generating challenges, verifying responses to registration challenges and authentication challenges. It is up to the client of the library to handle IO, user management and more. Be sure to read src/webauthn.mli and the demo in bin/ (GitHub - roburio/webauthn: Mirror of https://git.robur.io/robur/webauthn/). A live demo is available at: https://webauthn-demo.robur.coop/.

Attestation types

When registering a user, an attestation certificate is optionally provided. The attestation certificate is an X509 certificate signing the public key sent during registration and contains information such as the maker and model (family) of the authenticator. At the moment only fido-u2f and none are supported.

The work was sponsored by skolem.tech

22 Likes
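An added illustration, not part of the original post and not the webauthn library's API: the IO-free checks a WebAuthn server makes on an authentication response before verifying the signature, sketched in Python. The function names and sample values are hypothetical and constructed here; the signature check against the registered public key is left to the caller, who verifies it over the returned message.

```python
import base64, hashlib, json, secrets, struct

# Constructed sample relying party (assumption, not from the post).
RP_ID, ORIGIN = "example.org", "https://example.org"

def new_challenge() -> str:
    """Fresh random challenge, base64url without padding; caller stores it."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()

def check_assertion(challenge, origin, rp_id, client_data_json, auth_data, stored_count):
    """Pure check, no IO. Returns (signed_message, new_count) or raises ValueError."""
    client = json.loads(client_data_json)
    if not isinstance(client, dict) or client.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    if client.get("challenge") != challenge:
        raise ValueError("challenge mismatch")
    if client.get("origin") != origin:
        raise ValueError("origin mismatch")
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    # Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)
    rp_hash, flags, count = struct.unpack(">32sBI", auth_data[:37])
    if rp_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash mismatch")
    if not flags & 0x01:
        raise ValueError("user presence flag not set")
    if (count or stored_count) and count <= stored_count:
        raise ValueError("signature counter did not increase")
    # The authenticator signs authData || SHA-256(clientDataJSON).
    return auth_data + hashlib.sha256(client_data_json).digest(), count

def sample_response(challenge, count, origin=ORIGIN):
    """Constructed client response for the demo (no real authenticator)."""
    client = json.dumps({"type": "webauthn.get", "challenge": challenge,
                         "origin": origin}).encode()
    auth = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + struct.pack(">I", count)
    return client, auth

if __name__ == "__main__":
    ch = new_challenge()
    cd, ad = sample_response(ch, 5)
    print(check_assertion(ch, ORIGIN, RP_ID, cd, ad, 4)[1])
    try:
        check_assertion(new_challenge(), ORIGIN, RP_ID, cd, ad, 5)  # replayed response
    except ValueError as err:
        print("rejected:", err)
```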

This is amazing, thank you for building this!

3 Likes