W3C WebAuthn


W3C WebAuthn (or Web Authentication) defines an API enabling the creation and use of strong, attested, scoped Public Key Credentials by web applications, for the purpose of strongly authenticating users.

A Public Key Credential is created and stored by an authenticator at the behest of a W3C WebAuthn Relying Party, subject to user consent. Subsequently, the Public Key Credential can only be accessed by origins belonging to that Relying Party. This scoping is enforced jointly by conforming User-agents and authenticators. Additionally, privacy across Relying Parties is maintained; Relying Parties are not able to detect any properties, or even the existence, of credentials scoped to other Relying Parties.

Relying Parties employ the Web Authentication API during two distinct, but related, ceremonies involving a user.

Functionally, the Web Authentication API comprises a PublicKeyCredential which extends the Credential Management API, and infrastructure which allows those credentials to be used with navigator.credentials.create() and navigator.credentials.get(). The former is used during Registration, and the latter during Authentication.
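The two ceremonies and the origin scoping described above are visible to the Relying Party in the `clientDataJSON` that the user agent returns with every response. The following is an added example, not code from this page or from the WebAuthn specification. It goes slightly beyond the text by using the specification's `type`, `challenge` and `origin` client-data fields, and the origin, challenge and sample responses are constructed for illustration.

```javascript
// Added example: Relying Party checks on clientDataJSON for both ceremonies.
// RP_ORIGINS, the challenge and the sample responses are constructed values.
const RP_ORIGINS = new Set(['https://login.example.com']);

// The "type" the client records for each ceremony (values from the WebAuthn spec).
const CEREMONY_TYPE = new Map([
  ['registration', 'webauthn.create'],   // navigator.credentials.create()
  ['authentication', 'webauthn.get'],    // navigator.credentials.get()
]);

const b64url = (bytes) => Buffer.from(bytes).toString('base64url');

// Returns the list of failed checks; an empty list means these checks passed.
// Signature and authenticator-data verification are separate steps not shown here.
function checkClientData(clientDataJSON, ceremony, expectedChallenge) {
  const expectedType = CEREMONY_TYPE.get(ceremony);
  if (!expectedType) throw new Error(`unknown ceremony: ${ceremony}`);
  let data;
  try {
    const text = new TextDecoder('utf-8', { fatal: true }).decode(clientDataJSON);
    data = JSON.parse(text);
  } catch {
    return ['clientDataJSON is not valid UTF-8 JSON'];
  }
  if (data === null || typeof data !== 'object') return ['clientDataJSON is not an object'];
  const failures = [];
  // A registration response must not be accepted as an assertion, or vice versa.
  if (data.type !== expectedType) failures.push('wrong ceremony type');
  // The challenge binds the response to this server-issued request (anti-replay).
  if (data.challenge !== b64url(expectedChallenge)) failures.push('challenge mismatch');
  // Exact origin match: the user agent records the origin that made the call.
  if (!RP_ORIGINS.has(data.origin)) failures.push('origin not allowed');
  return failures;
}

// Constructed sample: what a client would return for an authentication ceremony.
const challenge = Buffer.from('constructed-challenge-0001'); // use fresh random bytes in practice
const sample = (overrides = {}) => Buffer.from(JSON.stringify({
  type: 'webauthn.get',
  challenge: b64url(challenge),
  origin: 'https://login.example.com',
  ...overrides,
}));

console.log(checkClientData(sample(), 'authentication', challenge));
console.log(checkClientData(sample({ type: 'webauthn.create' }), 'authentication', challenge));
console.log(checkClientData(sample({ origin: 'https://login.example.net' }), 'authentication', challenge));
```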

Broadly, compliant authenticators protect Public Key Credentials, and interact with user agents to implement the Web Authentication API. Some authenticators MAY run on the same client device (e.g., smart phone, tablet, desktop PC) as the user agent. For instance, such an authenticator might consist of a Trusted Execution Environment (TEE) applet, a Trusted Platform Module (TPM), or a Secure Element (SE) integrated into the client device in conjunction with some means for user verification, along with appropriate driver software to mediate access to these components' functionality. Other authenticators MAY operate autonomously from the client device running the user agent, and be accessed over a transport such as Universal Serial Bus (USB), Bluetooth Low Energy (BLE) or Near Field Communications (NFC).

The W3C WebAuthn Working Group has closely coordinated with the FIDO Alliance to ensure that FIDO2 Client To Authenticator Protocol (CTAP) implementations will work well with WebAuthn. The group has also closely coordinated with the W3C Credential Management API work.
