koesie10 / webauthn

Go package for easy WebAuthn integration
MIT License

what features are supported? #1

Open dcu opened 5 years ago

dcu commented 5 years ago

What's missing?

koesie10 commented 5 years ago

Most of the WebAuthn specification has been implemented, so both attestation and assertion should be working.

The only two TODOs in the code right now for missing parts of the spec are Token Binding (7.1, step 6), which doesn't seem to be supported by Chrome, and checking sign counting (7.2, step 17). Unfortunately, I do not have an authenticator myself and used Krypton to test everything, which does not seem to support this part.

The other part of the spec that is missing is support for more Token Attestation Formats. Right now only FIDO U2F is supported, which does seem to be the most common. It is quite hard to test other formats without access to them, as that would probably require first replicating the signing procedure correctly.

I do have access to the Android SafetyNet format using Chrome Canary on Android, but unfortunately it doesn't set the User Present flag, which means it won't even get to format validation.

All other parts of the spec should be present. So, it can be used already because it does seem that the FIDO-U2F format is the most common format, implemented by most authenticators.
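
The sign-counter check named above as a TODO (7.2, step 17), as an added example that is not part of the thread or of koesie10/webauthn. `CheckSignCount`, `sampleAuthData` and the error names are hypothetical, the sample bytes are constructed, and rejecting a non-increasing counter outright is an assumed policy (the spec leaves the response to the Relying Party).

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator data layout: rpIdHash[32] | flags[1] | signCount[4, big-endian] | ...
const authDataMinLen = 37
const flagUserPresent = 0x01
var (
	ErrShortAuthData  = errors.New("authenticator data shorter than 37 bytes")
	ErrUserNotPresent = errors.New("user present flag not set")
	ErrCounterReplay  = errors.New("signature counter did not increase: possible cloned authenticator")
)

// CheckSignCount is a hypothetical helper, not an API of koesie10/webauthn.
// stored is the counter saved after the last successful assertion; the return value is what to persist.
func CheckSignCount(authData []byte, stored uint32) (uint32, error) {
	if len(authData) < authDataMinLen {
		return stored, ErrShortAuthData
	}
	if authData[32]&flagUserPresent == 0 {
		return stored, ErrUserNotPresent
	}
	received := binary.BigEndian.Uint32(authData[33:37])
	// Both zero: the authenticator keeps no counter, so there is nothing to compare.
	if received == 0 && stored == 0 {
		return 0, nil
	}
	if received > stored {
		return received, nil
	}
	return stored, ErrCounterReplay
}

// sampleAuthData builds constructed authenticator data (zeroed rpIdHash) for the demo.
func sampleAuthData(flags byte, count uint32) []byte {
	b := make([]byte, authDataMinLen)
	b[32] = flags
	binary.BigEndian.PutUint32(b[33:], count)
	return b
}

func main() {
	fmt.Println(CheckSignCount(sampleAuthData(flagUserPresent, 6), 5)) // counter advanced
	fmt.Println(CheckSignCount(sampleAuthData(flagUserPresent, 5), 5)) // counter did not advance
}
```

The stored counter has to be persisted per credential and updated only after the assertion signature itself has verified.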

saniales commented 5 years ago

Is it possible to use a smartphone as an authenticator (e.g. for fingerprint)?

koesie10 commented 5 years ago

Yes, fingerprints are supported on the latest Chrome on both Android and iOS. I haven't tested other browsers.

It is also possible to use Krypton to use your mobile phone as an authenticator for your desktop.

saniales commented 5 years ago

I don't want to force users to install third-party apps; my idea was to use WebAuthn + QR following the WhatsApp Web model, but I guess it does not respect the standard, right?

koesie10 commented 5 years ago

I don't think that's the intended purpose of WebAuthn, so I don't think it's supported.

jgimenez commented 3 years ago

Update for completeness: it seems like TouchID is not supported using Chrome (see #9) nor Safari (the protocol announced is apple).