Identity term · last reviewed 2026-07-07
WebAuthn
Also known as: Web Authentication API
WebAuthn (Web Authentication) is the W3C browser API for registering and authenticating users with public-key credentials, binding every signature to the page origin to make login phishing-resistant.
How it works
WebAuthn (Web Authentication) is the W3C browser API that web apps call to register and authenticate users with public-key credentials. It is the web-facing half of FIDO2. Two ceremonies drive it: registration (attestation) creates a key pair where the private key stays in the authenticator and the server stores only the public key, and authentication (assertion) proves possession of that private key by signing a fresh, server-issued challenge. The browser binds every signature to the page origin, which is what makes WebAuthn phishing-resistant by construction. You invoke it through navigator.credentials.create() and navigator.credentials.get().
When it matters
WebAuthn matters whenever you implement passwordless or strong second-factor login on the web. When a product team says "add passkeys," what they build is a WebAuthn integration. Because the server holds only public keys, a database breach leaks nothing an attacker can authenticate with, unlike password hashes. Use a maintained library rather than hand-rolling the CBOR parsing and signature checks. See Implement Passkeys / WebAuthn and the W3C spec at w3.org/TR/webauthn-2.
Common misconceptions
- "WebAuthn is a product." It is a browser API standard, not a vendor or a login button.
- "WebAuthn equals passkeys." A passkey is a discoverable, usually synced WebAuthn credential. WebAuthn is broader and also covers device-bound and roaming keys.
- "You must verify attestation." For most consumer apps, attestationType 'none' is correct; full attestation adds overhead and privacy concerns.
Explained in depth