WebAuthn (Web Authentication) is a web standard that enables authentication using public key cryptography rather than passwords. Developed by the W3C and FIDO Alliance, WebAuthn allows users to log in to websites and applications using biometrics, security keys, or device-based credentials, reducing reliance on passwords and mitigating many password-related risks.
The password problem
Passwords have been the default authentication method for decades, but they come with fundamental weaknesses. People reuse passwords across services, creating cascading vulnerabilities when any single service is breached. They choose weak passwords that are easy to guess or crack. They fall for phishing attacks that trick them into entering credentials on fraudulent sites. And they forget passwords, creating friction and support burdens.
These problems aren't solved by making passwords more complex or requiring frequent changes, research shows that such policies often make security worse by encouraging predictable patterns and written-down credentials. The fundamental issue is that passwords are shared secrets: both you and the service know the password, and anyone who learns it can impersonate you.
How WebAuthn works
WebAuthn replaces shared secrets with public key cryptography. When you register with a WebAuthn-enabled service, your device generates a unique key pair: a private key that never leaves your device and a public key that's shared with the service. To authenticate, your device proves it holds the private key by signing a challenge from the service, without ever transmitting the key itself.
This approach eliminates entire categories of attacks. There's no password to phish because there's no password to begin with. There's no credential database to breach because the service only stores public keys, which are useless without the corresponding private keys, which are locked in users' devices. There's no credential to reuse across services because each registration creates a unique key pair.
Authenticator types
WebAuthn supports various types of authenticators, tailored to meet user needs and security requirements. Platform authenticators are built into devices, such as the fingerprint sensor on your laptop, Face ID on your phone, and Windows Hello on your PC. These provide convenient, everyday authentication using biometrics or device PINs.
Roaming authenticators are separate hardware devices, like USB security keys, that can be used across multiple computers. These provide higher assurance for sensitive accounts and work even on shared or untrusted devices. Some organizations require roaming authenticators for administrative access or high-value transactions.
Both types can provide strong, phishing-resistant authentication. The key difference is portability: platform authenticators are tied to specific devices, while roaming authenticators travel with the user.
Phishing resistance
One of WebAuthn's most significant properties is its resistance to phishing. When you authenticate, your device cryptographically binds the authentication to the specific website requesting it. If an attacker creates a fake login page at a lookalike domain, your authenticator won't recognize it as the legitimate site and won't provide credentials.
This protection happens automatically, without requiring users to scrutinize URLs or make security judgments. The cryptographic binding makes phishing attacks technically infeasible rather than relying on user vigilance.
WebAuthn and digital identity
WebAuthn is increasingly recognized as essential infrastructure for digital identity systems. NIST’s SP 800-63B highlights WebAuthn/FIDO2 as a phishing-resistant authentication approach (through verifier-name binding). The FIDO Alliance provides certification programs that verify implementations meet security requirements.
For digital identity ecosystems, WebAuthn provides the secure authentication layer that protects access to wallets and credentials. When you unlock your digital wallet to present a mobile driver's license, WebAuthn-based authentication ensures that only you can access your credentials. This device-level security complements the cryptographic protections built into the credentials themselves.
Want to keep learning?
Subscribe to our blog.
