WebAuthn
Web Authentication (WebAuthn) is a web standard published by the World Wide Web Consortium (W3C). It defines an API that websites use to authenticate users with WebAuthn credentials (passkeys) and outlines what WebAuthn authenticators should do. It solves many of the issues of traditional password-based authentication by verifying the user's identity with digital signatures over a per-site public/private key pair instead of a shared secret. Although WebAuthn is often touted as a complete replacement for passwords, most websites that implement it continue to use passwords in some capacity.
To use WebAuthn, users require a compatible authenticator. The standard does not specify how to store the keys required for signing, so a variety of authenticator types can be used. The most common authenticator type is a platform authenticator, which is built into the operating system of the device. Common platform authenticators include Android, Apple Keychain and Windows Hello. These make use of hardware security features (such as a TEE or TPM), and often sync credentials between devices for ease of use. Another common authenticator type is a roaming authenticator, where a separate hardware device authenticates the user by connecting over USB, Bluetooth Low Energy, or near-field communication (NFC). Most smartphones can be used as roaming authenticators, and dedicated physical security keys are also used. WebAuthn is effectively backward compatible with FIDO Universal 2nd Factor (U2F): the U2F wire protocol was carried forward as CTAP1, and CTAP2 clients and authenticators retain support for it, so existing U2F credentials can be used through the WebAuthn API. Password managers can also be used as an authenticator, often with cloud sync. Where credential sync is not viable or possible, WebAuthn hybrid transport can be used to access credentials stored on another authenticator such as a smartphone.
Like legacy U2F, WebAuthn is resistant to phishing attacks: each credential is scoped to a relying party ID, the browser only lets a page use credentials for its own origin, and the origin the browser observed is included in the signed client data, so a lookalike site can neither obtain a usable credential nor forge a valid assertion for the real site. However, unlike U2F, WebAuthn can be implemented in a passwordless manner. Moreover, a roaming hardware authenticator resists malware, since the keys are stored on a separate device, which prevents the malware from extracting them directly (though it does not stop malware on the host from abusing a session once the user has logged in).
The WebAuthn Level 1 and 2 standards were published as W3C Recommendations on 4 March 2019 and 8 April 2021 respectively. A Level 3 specification is currently a First Public Working Draft (FPWD). WebAuthn is a core component of the FIDO2 Project under the guidance of the FIDO Alliance.
FIDO2 is the successor to FIDO Universal 2nd Factor (U2F). Whereas U2F only supports multi-factor mode, having been designed to strengthen existing username/password-based login flows, FIDO2 adds support for single-factor mode. In multi-factor mode, the authenticator serves as the second factor next to the password: it is activated by a test of user presence, which usually consists of a simple button push, and no PIN or biometric is required on the authenticator itself. In single-factor (passwordless) mode, the authenticator (something you have) additionally performs user verification, so the possession factor and a knowledge or inherence factor are both checked on the device. Depending on the authenticator capabilities, this can be:
Regardless of mode, the authenticator never shares its secrets or biometric data with the website. Moreover, a single user's secret or biometric works with all websites: it only unlocks the authenticator, which then selects the per-site cryptographic key material for the service requesting authentication once user verification has completed successfully.
A secret and biometric on the authenticator can be used together, similarly to how they would be used on a smartphone. For example, a fingerprint provides convenient access to the user's smartphone, but occasionally fingerprint access fails, in which case the user can fall back to a PIN.
The W3C designed and standardized WebAuthn to solve or mitigate many issues that are inherent to traditional password-based authentication: