WebAuthn
What is WebAuthn?
WebAuthnA W3C standard JavaScript API that allows web applications to register and authenticate users with public-key credentials stored on platform or roaming authenticators.
Web Authentication (WebAuthn) is the browser-facing half of FIDO2. It exposes two methods, navigator.credentials.create() and navigator.credentials.get(), that let a relying party generate a new key pair on the user's authenticator and later request an assertion (a signed challenge) to verify possession. The standard supports platform authenticators (Touch ID, Windows Hello, Android), roaming authenticators (USB, NFC, Bluetooth security keys), and synced passkeys. Because the signature is bound to the relying-party origin, WebAuthn is resistant to phishing, MITM, and credential reuse. Adoption is broad across major browsers and identity providers, making it the foundation for passwordless and phishing-resistant MFA on the web.
● Examples
- 01
A bank's login page calling navigator.credentials.get() to authenticate a returning customer with their passkey.
- 02
Registering a security key on a developer console via the WebAuthn registration flow.
● Frequently asked questions
What is WebAuthn?
A W3C standard JavaScript API that allows web applications to register and authenticate users with public-key credentials stored on platform or roaming authenticators. It belongs to the Identity & Access category of cybersecurity.
What does WebAuthn mean?
A W3C standard JavaScript API that allows web applications to register and authenticate users with public-key credentials stored on platform or roaming authenticators.
How do you defend against WebAuthn?
Defences for WebAuthn typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for WebAuthn?
Common alternative names include: Web Authentication.