CIAM.wiki

WebAuthn

WebAuthn is the W3C browser standard that lets web applications register and authenticate users with public-key credentials held in a device authenticator, forming the web half of FIDO2.

Also: WebAuthn, Web Authentication

Web Authentication is the W3C standard API that browsers expose so websites can create and use public-key credentials. It is the web-facing half of FIDO2, the part an application’s code actually calls, while the CTAP protocol handles communication with the authenticator beneath it.

With WebAuthn, registration creates a key pair bound to the site’s origin and returns the public key to the server. Authentication asks the authenticator to sign a server challenge after a local gesture such as a fingerprint or device PIN. Because the credential is tied to the origin and the private key stays on the device, WebAuthn logins resist phishing and cannot be replayed elsewhere.

Passkeys are WebAuthn credentials. For CIAM teams, WebAuthn is the concrete API that makes passwordless and passkey sign-in possible in the browser.

Sources

Standards

  • W3C Web Authentication (WebAuthn) Level 2
