Web Authentication API


Web Authentication API (WebAuthN) is an extension of the W3C Credential Management API that enables strong authentication with Public Key Cryptography, enabling passwordless authentication and/or secure Multi-Factor Authentication without SMS texts.

Web Authentication API is a W3C approved Standard as of 2019-03-04.

How Web Authentication API Works#


User registers to a Website (WebAuthn Registration)#

The user arrives on a website (WebAuthn Relying Party) on their WebAuthn Client Device.

When the user logs into the website, the website offers several options for authentication, using the native WebAuthn support within all leading browsers and platforms (WebAuthn Authentication).

User chooses an authenticator#

The authenticator generally must support CTAP2, the Client to Authenticator Protocol used for communication between the client and the Security Key that provides the user gesture.

The user can register to the website using a wide choice of authenticators, including an external authenticator, such as a Security Key or an authenticator that is built into the platform, such as biometrics (e.g. Fingerprint recognition, Iris recognition, Facial recognition).

The recommended approach is for the user to first perform WebAuthn Registration with more than one Authenticator, perhaps using a Roaming Authenticator that is Phishing resistant, and also perform WebAuthn Registration with a Platform Authenticator for subsequent authentication. The benefit of this approach is that if the WebAuthn Client Device is compromised in any way (lost or stolen), then the user still has a Roaming Authenticator that can be used to quickly onboard a new WebAuthn Client Device and re-authenticate to the WebAuthn Relying Party.

User authenticates to the website#

After the registration step, the user is authenticated to the service on the device.

Once the user has registered to the website they can choose to Log out and Login again with whichever authenticator is preferred by the user.

Rapid Credential Recovery from lost/stolen Client Device#

Allowing users to self-register multiple authenticators to each service makes it possible to rapidly recover from a lost/stolen device.

With WebAuthN, an external authenticator, such as a Security Key, becomes a portable Root of Trust enabling rapid recovery and bootstrapping of new devices.

Web Authentication API Details#

WebAuthn Relying Parties employ the Web Authentication API during two distinct, but related, "ceremonies" involving a user.

A Public Key Credential is created and stored by an authenticator at the behest of a WebAuthn Relying Party, subject to user consent. Subsequently, the Public Key Credential can only be accessed by origins belonging to that WebAuthn Relying Party. This scoping is enforced jointly by conforming User-agents and authenticators. Additionally, privacy across Relying Parties is maintained; Relying Parties are not able to detect any properties, or even the existence, of credentials scoped to other Relying Parties.

Functionally, the Web Authentication API comprises a Public Key Credential which extends the Credential Management API, and infrastructure which allows those credentials to be used with navigator.credentials.create() and navigator.credentials.get(). The former is used during Registration, and the latter during Authentication.
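The two calls named above, from the browser side, as an added example that is not code from the original page or from the WebAuthn specification. It assumes a relying party with RP ID "example.com" that sends challenges, user ids and credential ids as base64url strings (a common convention, not mandated by the API), and that registration is done with `navigator.credentials.create()` and authentication with `navigator.credentials.get()`. The option-building functions run anywhere; the two ceremony functions only run where the Web Authentication API exists.

```javascript
// Added example: the Registration and Authentication ceremonies from the
// browser side. Byte fields (challenge, user.id, credential ids) must be
// raw bytes, so base64url strings from the server are decoded first.

function base64urlToBytes(s) {
  // base64url -> padded standard base64 -> bytes (works in browsers and Node)
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  const bin = typeof atob === 'function' ? atob(b64) : Buffer.from(b64, 'base64').toString('binary');
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// Registration: PublicKeyCredentialCreationOptions for navigator.credentials.create().
// serverOptions is what the relying party returned for this ceremony (assumed shape).
function buildCreationOptions(serverOptions) {
  return {
    publicKey: {
      rp: { id: serverOptions.rpId, name: serverOptions.rpName },
      user: {
        id: base64urlToBytes(serverOptions.userId), // opaque user handle, not the username
        name: serverOptions.userName,
        displayName: serverOptions.userDisplayName,
      },
      challenge: base64urlToBytes(serverOptions.challenge), // fresh, server-generated, single use
      pubKeyCredParams: [
        { type: 'public-key', alg: -7 },   // ES256 (COSE algorithm identifier)
        { type: 'public-key', alg: -257 }, // RS256
      ],
      authenticatorSelection: {
        residentKey: 'preferred',
        userVerification: 'preferred',
      },
      timeout: 60000,
      attestation: 'none',
    },
  };
}

// Authentication: PublicKeyCredentialRequestOptions for navigator.credentials.get().
// allowCredentials lists credential ids registered earlier; the browser and
// authenticator only honour them for this rpId, which is the scoping described above.
function buildRequestOptions(serverOptions) {
  return {
    publicKey: {
      rpId: serverOptions.rpId,
      challenge: base64urlToBytes(serverOptions.challenge),
      allowCredentials: serverOptions.credentialIds.map((id) => ({
        type: 'public-key',
        id: base64urlToBytes(id),
        transports: ['usb', 'nfc', 'ble', 'internal'],
      })),
      userVerification: 'preferred',
      timeout: 60000,
    },
  };
}

function requireWebAuthn() {
  if (typeof navigator === 'undefined' || !navigator.credentials) {
    throw new Error('Web Authentication API is not available in this environment');
  }
}

// The Registration ceremony: returns a PublicKeyCredential whose response carries
// attestationObject and clientDataJSON for the relying party to verify.
async function register(serverOptions) {
  requireWebAuthn();
  return navigator.credentials.create(buildCreationOptions(serverOptions));
}

// The Authentication ceremony: returns a PublicKeyCredential whose response carries
// authenticatorData, clientDataJSON and signature for the relying party to verify.
async function authenticate(serverOptions) {
  requireWebAuthn();
  return navigator.credentials.get(buildRequestOptions(serverOptions));
}

// Constructed sample of what the relying party might send (not real data).
const sampleServerOptions = {
  rpId: 'example.com',
  rpName: 'Example',
  userId: 'AQID',                            // bytes 01 02 03
  userName: 'alice',
  userDisplayName: 'Alice',
  challenge: 'AAECAwQFBgcICQoLDA0ODw',        // bytes 00..0f
  credentialIds: ['AQID'],
};
```

In a page, `register(sampleServerOptions)` is called from a click handler after fetching the real options from the server, and the returned credential is posted back for verification; the relying party, not the browser, decides whether the ceremony succeeded.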

Broadly, compliant authenticators protect Public Key Credentials, and interact with user-agents to implement the Web Authentication API. Some authenticators MAY run on the same client device (e.g., smart phone, tablet, desktop PC) as the user-agent is running on. For instance, such an authenticator might consist of a Trusted Execution Environment (TEE) applet, a Trusted Platform Module (TPM), or a Secure Element integrated into the WebAuthn Client Device in conjunction with some means for user verification, along with appropriate driver software to mediate access to these components' functionality. Other authenticators MAY operate autonomously from the client device running the user agent, and be accessed over a transport such as Universal Serial Bus (USB), Bluetooth Low Energy (BLE) or Near Field Communications (NFC).

The Web Authentication API Working Group has closely coordinated with the FIDO Alliance to ensure that FIDO2 Client To Authenticator Protocol (CTAP) implementations will work well with WebAuthN. We have also closely coordinated with the W3C Credential Management API work.

Relying Parties and Clients#

Relying Parties are web or native applications that wish to consume strong credentials. A native application may also act as a WebAuthN client and make direct WebAuthN calls. In the web case, the entity that wants to consume the credential cannot directly interact with the Web Authentication API and so must broker the deal through the browser. Do not confuse a WebAuthN Relying Party with a Federated Relying Party, as there is no Single Sign-On WebAuthn Relying Party.

Demo Sites#

webauthn.org and its client source code and server source code (Expired Certificate 2020-05-19)

Registries for Web Authentication (WebAuthn) is now RFC 8809#

Registries for Web Authentication (WebAuthn) is now RFC 8809

Why Web Authentication API (WebAuthN)#

Web Authentication API eliminates Password-based Authentication which implies it also eliminates:


User Experience#

Users unlock cryptographic login credentials with simple built-in methods such as fingerprint readers or cameras on their devices, or by leveraging easy-to-use FIDO Security Keys. Consumers can select the device that best fits their needs.


Web Authentication API Cryptographic Keys are unique for each internet Website, so they cannot be used for Tracking users across Websites. Plus, Biometric data, when used, never leaves the user’s Local device.


Websites can enable Web Authentication API through a simple JavaScript API call that is supported across leading browsers and platforms on billions of devices consumers use every day.

Does WebAuthN Replace OAuth?#

No! In fact, Web Authentication API and OAuth work great together! While Web Authentication API can often take the place of using a specific third-party OAuth API for authentication, Web Authentication API isn't trying to solve the same problems OAuth solves.

Web Authentication API ONLY provides Authentication, so if that's all you're using OAuth for (you shouldn't), then you may not need OAuth! But if you're using OAuth in order to access an API, then you'll still need OAuth, as that's how you get an access token.

Web Authentication API may end up replacing the step in OAuth where the user enters their password, since Web Authentication API is a replacement for password authentication. But WebAuthN won't provide an app with an access token to make API requests, since that's not what it's designed for.
