WebAuthn in a Java-based Vaadin Framework or Flow app?

This week brought the announcement of the FIDO2 and WebAuthn standards for authenticating users via FIDO-based authentication directly through web browsers. Google, Mozilla, and Microsoft all committed to supporting the functionality in their flagship browsers. Supposedly, users will be able to log into a growing number of web accounts via fingerprint scan, facial recognition, or hardware key.

I am wondering if this might be used for user-authentication in a Java-based Vaadin app, either in Vaadin 8 (Framework) or Vaadin 10 (Flow).

Spec:
Web Authentication: An API for accessing Public Key Credentials Level 1
W3C Candidate Recommendation, 20 March 2018
https://www.w3.org/TR/webauthn/

Working group:
https://webencrypt.org/webauthn/

Experimental site:
https://webauthn.io

FIDO Alliance:
https://fidoalliance.org

FIDO2 project: WebAuthn + CTAP
https://fidoalliance.org/fido2/

Articles:

Webauthn Signals The Beginning Of The End For Passwords
https://www.lifehacker.com.au/2018/04/webauthn-signals-the-beginning-of-the-end-for-passwords/

Yubico Launches New Hardware Key for FIDO2, WebAuthn Standards
https://mobileidworld.com/yubico-hardware-key-fido2-webauthn-904104/

Hallo Basil,

please excuse the somewhat late answer.
I came here because I needed to find out about the current situation myself.

Vaadin is about UI in the first place, so that’s our focus.
When there is JS API then of course this can all be used from
client-side Vaadin components, even controlled from the server side.
This is the case for both Vaadin Framework (<=8) and Platform (>=10),
the latter also known as Vaadin10+ or Flow.

However, where we find only partial or half-hearted implementations, we can
only build on top of abstraction libraries like Atmosphere or Polymer.
Where these libraries do not exist, one is on their own writing one.

For your specific question, please see
https://caniuse.com/#search=web%20authentication
That means, Web Authentication is not yet implemented in all the major
browsers (and hence there cannot even be a somewhat complete abstracting
library yet).

In short - no, there is no Web Auth in Vaadin.

The good part is, you can always “reach down” directly to the APIs provided
by the browser(s) you are targeting.
Using Vaadin’s Add-On mechanism, please commit your solution to the Vaadin
Directory to share it with the rest of the community.
https://vaadin.com/directory

Cheers,
Enver

PS:
Check https://vaadin.com/components/vaadin-login regularly - modern web-usable auth mechanisms can be seen in Vaadin here first.