This article may be too technical for most readers to understand. Please help improve it to make it understandable to non-experts, without removing the technical details.(February 2024) (Learn how and when to remove this message)
Public-key authentication standard
Web Authentication
Abbreviation
WebAuthn
Year started
31 May 2016 (2016-05-31)
First published
31 May 2016 (2016-05-31)
Latest version
Level 2 Recommendation 21 April 2021 (2021-04-21)
Preview version
Level 3 (FPWD) 15 December 2021 (2021-12-15)
Organization
FIDO2 Project (FIDO Alliance and W3C)
Committee
Web Authentication Working Group
Editors
Current editors
Jeff Hodges (Google)
J.C. Jones (Mozilla)
Michael B. Jones (Microsoft)
Akshay Kumar (Microsoft)
Emil Lundberg (Yubico)
Previous editors
Dirk Balfanz (Google)
Vijay Bharadwaj (Microsoft)
Arnar Birgisson (Google)
Alexei Czeskis (Google)
Hubert Le Van Gong (PayPal)
Angelo Liao (Microsoft)
Rolf Lindemann (Nok Nok Labs)
Base standards
File API
WHATWG Encoding Standard
Unicode AUX #29: Text Segmentation
Domain
Authentication
Web Authentication (WebAuthn) is a web standard published by the World Wide Web Consortium (W3C).[1][2][3] WebAuthn is a core component of the FIDO2 Project under the guidance of the FIDO Alliance.[4] The goal of the project is to standardize an interface for authenticating users to web-based applications and services using public-key cryptography. WebAuthn credentials (which are themselves FIDO credentials) are sometimes referred to as passkeys.[5]
On the client side, support for WebAuthn can be implemented in a variety of ways. The underlying cryptographic operations are performed by an authenticator, which is an abstract functional model that is mostly agnostic with respect to how the key material is managed. This makes it possible to implement support for WebAuthn purely in software, making use of a processor's trusted execution environment or a Trusted Platform Module (TPM). Sensitive cryptographic operations can also be offloaded to a roaming hardware authenticator that can in turn be accessed via USB, Bluetooth Low Energy, or near-field communications (NFC). A roaming hardware authenticator conforms to the FIDO Client to Authenticator Protocol (CTAP),[6] making WebAuthn effectively backward compatible with the FIDO Universal 2nd Factor (U2F) standard.[7]
Like legacy U2F, Web Authentication is resilient to verifier impersonation; that is, it is resistant to phishing attacks,[8] but unlike U2F, WebAuthn does not require a traditional password.[citation needed] Moreover, a roaming hardware authenticator is resistant to malware since the private key material is at no time accessible to software running on the host machine.
The WebAuthn Level 1 and 2 standards were published as W3C Recommendations on 4 March 2019 and 8 April 2021 respectively.[1][9][10] A Level 3 specification is currently a First Public Working Draft (FPWD).[11]
^ abBalfanz, Dirk; Czeskis, Alexei; Hodges, Jeff; Jones, J.C.; Jones, Michael B.; Kumar, Akshay; Liao, Angelo; Lindemann, Rolf; Lundberg, Emil (eds.). "Web Authentication: An API for accessing Public Key Credentials Level 1 (latest)". World Wide Web Consortium. Retrieved 4 March 2019.
^"Web Authentication Working Group". World Wide Web Consortium. Retrieved 11 May 2018.
^Strickland, Jonathan (18 March 2019). "What is WebAuthn". TechStuff. iHeartMedia. 20:35 minutes in. Retrieved 20 March 2019.
^"FIDO2 Project". FIDO Alliance. Retrieved 11 May 2018.
^"White Paper: Multi-Device FIDO Credentials" (PDF). FIDO Alliance. March 2022. p. 6. Retrieved 14 December 2023.
^Brand, Christiaan; Czeskis, Alexei; Ehrensvärd, Jakob; Jones, Michael B.; Kumar, Akshay; Lindemann, Rolf; Powers, Adam; Verrept, Johan, eds. (30 January 2019). "Client to Authenticator Protocol (CTAP)". FIDO Alliance. Retrieved 7 March 2019.
^"WebAuthn / CTAP: Modern Authentication" (PDF). World Wide Web Consortium. 10 December 2018. Retrieved 11 March 2019.
^Kan, Michael (7 March 2019). "Google: Phishing Attacks That Can Beat Two-Factor Are on the Rise". PC Magazine. Retrieved 8 March 2019.
^"W3C and FIDO Alliance Finalize Web Standard for Secure, Passwordless Logins". World Wide Web Consortium. 4 March 2019. Retrieved 4 March 2019.
^Balfanz, Dirk; Czeskis, Alexei; Hodges, Jeff; Jones, J.C.; Jones, Michael B.; Kumar, Akshay; Lindemann, Rolf; Lundberg, Emil, eds. (8 April 2021). "Web Authentication: An API for accessing Public Key Credentials Level 2" (Latest ed.). World Wide Web Consortium. Retrieved 27 November 2022.
^Balfanz, Dirk; Czeskis, Alexei; Hodges, Jeff; Jones, J.C.; Jones, Michael B.; Kumar, Akshay; Lindemann, Rolf; Lundberg, Emil, eds. (4 April 2021). "Web Authentication: An API for accessing Public Key Credentials Level 3" (First Public Working Draft ed.). World Wide Web Consortium. Retrieved 24 December 2021.
Web Authentication (WebAuthn) is a web standard published by the World Wide Web Consortium (W3C). WebAuthn is a core component of the FIDO2 Project under...
security key) and a WebAuthn Relying Party (also called a FIDO2 server). A web user agent (i.e., a web browser) together with a WebAuthn client form an intermediary...
It is succeeded by the FIDO2 Project, which includes the W3C Web Authentication (WebAuthn) standard and the FIDO Alliance's Client to Authenticator Protocol...
keying the 6-digit numeric code used when pairing a Bluetooth device a WebAuthn or FIDO credential, referred to as a passkey by some vendors This disambiguation...
manufactures the Security Key, a similar lower-cost device with only FIDO2/WebAuthn and FIDO/U2F support. The YubiKey implements the HMAC-based one-time password...
CTAP is complementary to the Web Authentication (WebAuthn) standard published by the World Wide Web Consortium (W3C). WebAuthn and CTAP are the primary outputs...
Login with Biometrics Vault login by Two-factor authentication via FIDO2 WebAuthn, authenticator apps, and email in free version, with the addition of Duo...
authentication functionality to Web Applications. On 20 March 2018, the WebAuthn standard was published as a W3C Candidate Recommendation. "Web Authentication Working...
(CTAP). Together WebAuthn and CTAP provide a strong authentication solution for the web. A FIDO2 authenticator, also called a WebAuthn authenticator, uses...
Active Directory. Multi-factor authentication is also available using TOTP, WebAuthn, or YubiKey OTP. Since PVE 8.1 there is a full Software-Defined Network...
lost. Apple ID Facebook Platform: Authentication Microsoft account OpenID WebAuthn "Why Connecting your YouTube and Google Accounts Matters". YouTube Blog...
iPadOS 17. iPads will now be able to sign into websites that implement WebAuthn using just the user’s passcode or biometrics. On iPads with Apple A12X...
A dynamic web page is a web page constructed at runtime (during software execution), as opposed to a static web page, delivered as it is stored. A server-side...
in some use cases. The development of open standards such as FIDO2 and WebAuthn have further generated adoption of passwordless technologies such as Windows...
contain the queried text. Safari adds Shared Tab Groups and Passkeys, uses WebAuthn for password-less account management, gets a redesigned sidebar, and gains...
Settings and the Lockdown mode's Web Browsing setting. Passkeys allows the user to authenticate to services that implement WebAuthn across their devices without...
authentication (2FA): OnlyKey supports various 2FA protocols including FIDO2 WebAuthn, FIDO U2F, TOTP, Yubico OTP, and Challenge-response. When logging in to...
details." WebAuthn BrowserID Central Authentication Service Information Card Light-weight Identity OAuth OpenID Connect Single sign-on WebID FIDO Alliance...
hardware tokens like Feitian C200, the Yubikey by Yubico or other U2F/WebAuthn devices. Many smartphone apps compliant with HOTP and TOTP are also supported...
methods which can defeat many of the typical systems. MFA schemes such as WebAuthn address this issue by design. Organizations that prioritize security over...
is the direct module interface to web servers such as the Apache HTTP Server, Microsoft IIS, and Oracle iPlanet Web Server. In other words, SAPI is an...
occurs. The Credential Management API has already been extended by the WebAuthn (Web Authentication) proposal, which reached Candidate Recommendation status...
Proposed Recommendation for Web Authentication: An API for accessing Public Key Credentials. Web Authentication (WebAuthn), an interface for public-key...
(68 ESR), improved web page painting performance by avoiding redundant calculations during paint, and introduction of WebAuthn (the Web Authentication API...
security concerns. The World Wide Web Consortium (W3C) Web Authentication Working Group developed the WebAuthn (Web Authentication) API to replace the...
The Improving Web Advertising Business Group (IWABG) is a subcommittee of the World Wide Web Consortium with a focus on online advertising. In January...