Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
WebAuthn
open-in-new
<p>Web Authentication (WebAuthn) is a <a href="/facts/Web_standard/3U9MLjD1">web standard</a> published by the <a href="/facts/World_Wide_Web_Consortium/lGWmhF6M">World Wide Web Consortium</a> (W3C). It defines an <a href="/facts/API/GMlN4vUr">API</a> for websites to <a href="/facts/Authentication/64y4S69b">authenticate</a> users using WebAuthn credentials (passkeys) and outlines what WebAuthn authenticators should do. It solves many of the issues of traditional <a href="/facts/Password/WEoul230">password</a>-based authentication by verifying the user's identity with <a href="/facts/Digital_signatures/tY7e2pnW">digital signatures</a>. WebAuthn is often touted as a complete replacement for passwords, eliminating the need to send passwords over the internet or store them on servers. However, most websites that support WebAuthn still utilize passwords in some way. </p><p>In order to use WebAuthn, users require a compatible authenticator. The standard does not specify how the <a href="/facts/Private_key/gowoFTxS">keys</a> required for signing are to be stored, so a variety of authenticator types can be used. The most common authenticator type is a platform authenticator, which is built into the <a href="/facts/Operating_system/8XTuvMh2">operating system</a> of the device. Common platform authenticators include <a href="/facts/Android_(operating_system)/nNyHb0xz">Android</a>, <a href="/facts/Apple_Keychain/XP17PLGM">Apple Keychain</a> and <a href="/facts/Windows_Hello/be9IHehJ">Windows Hello</a>. These make use of hardware security features (such as <a href="/facts/Trusted_execution_environment/CAvpc5xs">TEE</a> and <a href="/facts/Trusted_Platform_Module/3XHCGYkX">TPM</a>), and often sync credentials between devices for ease-of-use. Another common authenticator type is a roaming authenticator, where a separate hardware device authenticates the user by connecting over <a href="/facts/USB/XcIKWLyg">USB</a>, <a href="/facts/Bluetooth_Low_Energy/7Da68uCs">Bluetooth Low Energy</a>, or <a href="/facts/Near-field_communications/awqd3Ea8">near-field communications</a> (NFC). Most <a href="/facts/Smartphones/cSIrBMWG">smartphones</a> can be used as roaming authenticators, and dedicated physical <a href="/facts/Security_token/0V55fErB">security keys</a> are also used. WebAuthn is effectively backward compatible with FIDO <a href="/facts/Universal_2nd_Factor/T440me7q">Universal 2nd Factor</a> (U2F) as they both use the <a href="/facts/CTAP/q3vTpPCY">CTAP</a> protocol. </p><p>Like legacy U2F, WebAuthn is resistant to <a href="/facts/Phishing/hvgfz4U8">phishing attacks</a> as the authenticator only offers credentials that were registered on the <a href="/facts/Same-origin_policy/GmJMRbzf">same website</a>. However, unlike U2F, WebAuthn can be implemented in a <a href="/facts/Passwordless_authentication/ryYz4Avk">passwordless</a> manner. Moreover, a roaming hardware authenticator is resistant to malware since the keys are stored on a separate device which prevents the malware from accessing them directly. </p><p>The WebAuthn Level 1 and 2 standards were published as <a href="/facts/W3C_recommendation/lGWmhF6M">W3C Recommendations</a> on 4 March 2019 and 8 April 2021 respectively. A Level 3 specification is currently a <i>First Public Working Draft</i> (FPWD). WebAuthn is a core component of the <a href="/facts/FIDO_Alliance/MJWesQXW">FIDO2 Project</a> under the guidance of the <a href="/facts/FIDO_Alliance/MJWesQXW">FIDO Alliance</a>. </p>