Security Encyclopedia

Web Authentication (WebAuthn)

Web Authentication (WebAuthn) is an open standard that establishes a uniform interface for passwordless authentication to web-based services using Public-Key Cryptography (PKC). A core component of FIDO2, WebAuthn is a joint initiative of the World Wide Web Consortium (W3C) and the FIDO Alliance, a consortium that works to end our overreliance on passwords.

WebAuthn makes use of a website, called the Relying Party, a browser, called the WebAuthn Client, and a FIDO2-compatible authenticator. FIDO2-compatible authenticators can be FIDO U2F hardware tokens or software tokens (on a smartphone), or a Platform Authenticator such as the Android or Windows Hello operating systems.

A FIDO2 authentication flow is as follows: The website prompts the browser using JavaScript. The browser then communicates with the authenticator using a JavaScript API inside the browser. The user then takes the required action on the authenticator, such as entering a PIN or presenting a biometric. The website receives the signed authentication assertion from the browser, the digital signature on the assertion is verified using the user's trusted public key, and the user gains access.

FIDO2 Certification Badge:


"TLS has brought us a long way in terms of foundational web security. Now, with WebAuthn, we're entering a whole new phase by making MFA widely available for websites that want to make accessing web services far more secure by more reliably tying the user and device with the activity."

FIDO2 Web Authentication Demo: