Web Authentication (WebAuthn)

Web Authentication, or WebAuthn, is an effort by the World Wide Web Consortium (W3C) to standardize public-key authentication of users to web-based applications and services. The FIDO Alliance contributes to this effort.

WebAuthn's goal is to increase the security of the authentication process by removing or complementing password-based authentication, while remaining convenient and easy to use for end users.

The standard defines a web-browser API for the creation and use of PKI-based authentication credentials, enabling online services to offer password-less and multi-factor authentication. Users register their device with the online service and authenticate using a local mechanism such as swiping a finger, looking at the camera, speaking into the mic, entering a PIN, etc. “Under the hood,” a cryptographic challenge-response authentication mechanism is invoked between the relying party and the local authenticator.

WebAuthn is designed so that it can work with a range of public-key authenticator mechanisms.

WebAuthn is currently supported, and enabled by default, in Firefox and Chrome.

Frequently Asked Questions
Does WebAuthn use passwords?

WebAuthn can be used with or without passwords; it does not require them.

What are the applications of WebAuthn?

WebAuthn can be used in any number of web authentication scenarios. It is implemented in Google Chrome and Mozilla Firefox to allow password-free or strong authentication to web services and applications. Another application of the standard is Windows Hello. Dropbox also announced support for WebAuthn logins.

Which devices are supported by WebAuthn?

FIDO U2F Security Keys are largely compatible with the WebAuthn standard. A current list of FIDO U2F certified products is available at https://fidoalliance.org/certification/fido-certified-products/