Vincent
Created: November 14, 2023
Updated: September 10, 2024
WebAuthn is a web standard introduced by the World Wide Web Consortium (W3C) aimed at simplifying and standardizing strong user authentication online. It offers a simplified and secure way for users to log in to websites and applications without the need for passwords, instead using biometrics or hardware security keys.
WebAuthn was developed under the W3C with significant contributions from companies like Yubico, Microsoft, and Google. It is a part of the FIDO2 project, and its development aimed at moving beyond passwords to offer stronger and more user-friendly authentication mechanisms.
While WebAuthn lays down the framework for utilizing private keys for authentication, passkeys are a specific implementation of this framework, tailored for easy user interaction and broad application.
WebAuthn uses public-key cryptography to provide strong authentication, making it resistant to phishing and other common online attacks.
WebAuthn supports a variety of authenticators including hardware security keys (e.g. YubiKeys), fingerprint readers, and other biometric or platform built-in authenticators.
WebAuthn is a core component of the FIDO2 project and is backward compatible with FIDO Universal 2nd Factor (U2F), providing a standardized interface for user authentication.
Yes, WebAuthn supports software or platform authenticators as well, offering flexibility in the choice of authenticator used for secure login.
WebAuthn is a web standard for passwordless authentication using hardware security tokens (e.g. YubiKeys) or biometrics (e.g. Face ID, Touch ID, Windows Hello), whereas OAuth is an authorization framework that allows third-party applications to access services on behalf of users. While WebAuthn is focused on user authentication, OAuth handles authorization and access delegation.
WebAuthn and U2F (Universal Second Factor) both relate to user authentication, but WebAuthn supports both single-factor and multi-factor authentication using various methods like biometrics (e.g. Face ID, Touch ID, Windows Hello), while U2F primarily supports two-factor authentication through physical hardware security tokens like USB devices (e.g. YubiKeys).
WebAuthn facilitates passwordless authentication using public-key cryptography, while OTP (One-Time Password or Passcode) is a time-based code used alongside passwords for two-factor authentication. Unlike OTP, WebAuthn offers a more secure, phishing-resistant method of authentication without needing additional code input.
WebAuthn is a component of the broader FIDO2 standard aimed at passwordless authentication. While FIDO2 encompasses both web (WebAuthn) and local device authentication (client-to-authenticator protocol; CTAP), WebAuthn specifically pertains to web-based authentication using public-key cryptography.
Various websites and apps have WebAuthn already implemented in their authentication flows. To see an updated list of the services, please have a look here.
The WebAuthn backend is the server-side implementation that processes registration and authentication requests, verifies credentials, and manages public key and user data. It is responsible for securely storing the public keys associated with registered users and for verifying the signatures generated by the authenticator during login, together with the challenge, origin and relying party data those signatures cover.
To see an up-to-date WebAuthn demo, you can check out this demo page.
WebAuthn can be utilized with YubiKeys to enable passwordless login or two-factor authentication on websites, enhancing security. The YubiKey acts as an external, roaming authenticator that can generate and store cryptographic keys, allowing users to authenticate to services securely.
WebAuthn API, also called Web Authentication API, is a standard interface allowing developers to integrate passwordless authentication using public key cryptography in their applications. This API enables the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users.
WebAuthn QR codes can be used to initiate a WebAuthn authentication process on a different device, so that credentials stored on one device can be used to sign in on another. The first device scans a QR code displayed on the second device, after which the first device's credentials are used for the login. To further strengthen security and prevent phishing, the proximity of the two devices is verified via Bluetooth. The passkey from the first device is not stored on the second device.
HMAC-Secret is an extension in WebAuthn that allows a shared secret to be generated with the authenticator's help, enhancing privacy and security. It provides a way to derive secrets bound to the authenticator's credential, which can be used for additional purposes like encryption or integrity checking.
WebAuthn can work with hardware security keys like YubiKeys to provide a secure method of authentication by verifying the user's possession of the hardware security key. The hardware security key generates cryptographic credentials whose signatures are sent to the server for verification, ensuring a secure and passwordless authentication experience.
A WebAuthn authenticator is a device or software that generates and manages cryptographic credentials, like biometric scanners or hardware security keys. Authenticators can be built into the user's device (platform authenticators) or be removable and usable across many devices (roaming authenticators).
WebAuthn attestation is a process where the authenticator provides an attestation statement, typically including a certificate, to the server during registration, helping verify the authenticity of the authenticator. This certificate, signed by the authenticator's manufacturer, helps the server trust the authenticity and integrity of the authenticator.
WebAuthn Level 3 is the third revision of the WebAuthn specification documents, which is currently a work in progress. See the latest version here.
WebAuthn allows for the usage of multiple devices by having separate registrations for each device (and often browser), enabling users to use various authenticators. This facilitates flexibility and ensures users can authenticate across different devices and platforms seamlessly. Moreover, passkeys make use of their synchronization features across cloud accounts or password managers, which is also a way of using WebAuthn credentials across multiple devices.
User Verification in WebAuthn is the process of verifying the user's identity, like using biometrics (e.g. Face ID, Touch ID, Windows Hello) or a PIN, before generating or using a credential. This step ensures that the individual initiating the authentication process is the legitimate owner of the authenticator, enhancing security.