100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Cybersecurity

WebAuthn

a W3C and FIDO Alliance standard

IntermediateProtocol2K learners

WebAuthn (Web Authentication API) is a W3C standard that defines a browser API for public-key-based authentication, allowing websites to register and authenticate users using hardware security keys, platform authenticators (biometrics), or…

Definition

WebAuthn (Web Authentication API) is a W3C standard that defines a browser API for public-key-based authentication, allowing websites to register and authenticate users using hardware security keys, platform authenticators (biometrics), or passkeys instead of passwords.

Overview

WebAuthn was developed jointly by the W3C and the FIDO Alliance (which also produced the earlier U2F standard for hardware security keys) and became an official W3C Recommendation in 2019, as the core web-facing API of the broader FIDO2 project. It exposes two primary JavaScript methods to web applications: `navigator.credentials.create()` for registering a new authenticator-backed credential, and `navigator.credentials.get()` for authenticating with an existing one. Under the hood, these calls trigger the browser and operating system to communicate with an 'authenticator' — which can be a platform authenticator built into the device (Touch ID, Windows Hello, Android biometrics) or a roaming authenticator like a USB/NFC/Bluetooth security key (e.g. a YubiKey). WebAuthn's core cryptographic model is challenge-response with asymmetric key pairs: during registration, the authenticator generates a new key pair scoped to the requesting site's origin, keeps the private key secured (often in hardware, like a Trusted Platform Module or Secure Enclave), and returns the public key for the server to store. During authentication, the server issues a random challenge, the authenticator signs it with the private key after user verification (biometric or PIN), and the server verifies the signature against the stored public key — at no point does any shared secret cross the network, which is what makes WebAuthn credentials inherently phishing-resistant and immune to server-side credential database breaches in a way passwords never can be. WebAuthn underpins passkeys, which are essentially a productized, cloud-synced, consumer-friendly presentation of WebAuthn credentials — WebAuthn is the low-level protocol/API, while 'passkey' describes the end-user experience and credential-syncing behavior built on top of it. WebAuthn also supports attestation, letting a relying party (the website) verify what type of authenticator was used and its security properties, which matters for regulated industries needing to enforce specific hardware security requirements.

Specification

  • W3C standard API: navigator.credentials.create() and .get() for registration and authentication
  • Public-key cryptography: private keys never leave the authenticator device
  • Supports both platform authenticators (biometrics) and roaming authenticators (USB/NFC/BLE security keys)
  • Challenge-response authentication makes credentials inherently phishing-resistant
  • Credentials are scoped to a specific origin, preventing cross-site credential reuse
  • Supports attestation so relying parties can verify authenticator type and security properties
  • Forms the technical foundation underlying consumer passkeys
  • Part of the broader FIDO2 project alongside CTAP (Client to Authenticator Protocol)

Use Cases

Implementing passwordless or multi-factor login on websites and web apps
Enterprise strong authentication with hardware security keys (YubiKey, Titan Key)
Powering consumer passkey sign-in experiences across platforms
Meeting regulatory or compliance requirements for phishing-resistant MFA
Step-up authentication for sensitive actions (e.g. bank transfers, admin actions)
Reducing helpdesk password reset costs by eliminating password-based accounts

Alternatives

Password + SMS two-factor authenticationTOTP authenticator appsOAuth-based social login

History

Web Authentication (WebAuthn) is a browser standard for strong, phishing-resistant, passwordless login, developed jointly by the World Wide Web Consortium (W3C) and the FIDO Alliance. The WebAuthn Level 1 specification was published as a W3C Recommendation on March 4, 2019, with Level 2 following on April 8, 2021. WebAuthn is the browser-facing component of the FIDO Alliance's FIDO2 set of specifications, paired with the Client-to-Authenticator Protocol (CTAP) that connects browsers to authenticators. It uses public-key cryptography: a private key never leaves the user's device (a security key, phone, or platform authenticator), and biometrics or PINs stay local, which eliminates the phishing, credential-theft, and replay risks inherent to passwords. WebAuthn is the technical foundation of modern passkeys.

Frequently Asked Questions