!!! Overview
[{$pagename}] ([WebAuthN]) is an [API] that extends the [W3C] [Credential Management API] and enables strong [authentication] with [Public Key Cryptography], allowing passwordless [authentication] and/or secure [Multi-Factor Authentication] without [SMS] texts.

[{$pagename}] is a [W3C] approved [Standard] as of [2019|Year 2019]-03-04.

!! How [{$pagename}] Works
[{Image src='/images/webauthn-how-it-works.svg' caption='WebAuthn' align ='left' style='font-size: 120%;'}]\\

! User [registers|Credential Enrollment] to a [Website] ([WebAuthn Registration])
The user arrives on a [website] ([WebAuthn Relying Party]) on their [WebAuthn Client Device]. When logging into the [website], the [website] offers the user several options for [authentication] using native support within all leading [browsers] and [platforms|Operating System] ([WebAuthn Authentication]).

! User chooses an [authenticator]
The [authenticator] generally must implement the [CTAP2] [API], which is the [API] used for communication with the [Security Key] that provides the user gesture. The user can [register|Credential Enrollment] to the [website] using a wide choice of [authenticators], including an external [authenticator|Roaming Authenticator], such as a [Security Key], or an [authenticator|Platform Authenticator] that is built into the platform, such as [biometrics] (e.g. [Fingerprint recognition], [Iris recognition], [Facial recognition]).

The recommended approach is for the user to first perform [WebAuthn Registration] with more than one [Authenticator], perhaps using a [Roaming Authenticator] that is [Phishing] resistant, and also perform [WebAuthn Registration] with a [Platform Authenticator] for subsequent [authentication].
The benefit of this approach is that if the [WebAuthn Client Device] is compromised in any way (lost or stolen), the user still has a [Roaming Authenticator] that can be used to quickly onboard a new [WebAuthn Client Device] and re-authenticate to the [WebAuthn Relying Party].

! User [authenticates] to the [website]
After the registration step, the user is authenticated to the service on the device. Once the user has registered to the [website], they can choose to [Log out|Logout Process] and [Login|WebAuthn Authentication] again with whichever [authenticator] they prefer.

! Rapid [Credential] Recovery from lost/stolen [Client Device]
Allowing users to self-register multiple [authenticators] to each service makes it possible to rapidly recover from a lost/stolen device. With [WebAuthN], an external [authenticator], such as a [Security Key], becomes a portable [Roots of Trust] enabling rapid recovery and bootstrapping of new devices.

!! [{$pagename}] Details
A [WebAuthn Relying Party] employs the [Web Authentication API] during two distinct, but related, "ceremonies" involving a user:
* [WebAuthn Registration]
* [WebAuthn Authentication]

A [Public Key Credential] is created and stored by an [authenticator] at the behest of a [WebAuthn Relying Party], subject to user [consent]. Subsequently, the [Public Key Credential] __can only__ be accessed by origins belonging to that [WebAuthn Relying Party]. This scoping is enforced jointly by conforming [User-agents] and [authenticators]. Additionally, [privacy] across [Relying Parties|Relying Party] is maintained; [Relying Parties|Relying Party] are not able to detect any properties, or even the existence, of [credentials] scoped to other [Relying Parties|Relying Party].

In more detail, the two ceremonies in which [Relying Parties|Relying Party] employ the [Web Authentication API] are:
* The first is [Registration|Credential Enrollment], where a [Public Key Credential] is created on an [authenticator], and associated by a [Relying Party] with the present user’s account (the account [MAY] already exist or [MAY] be created at this time).
* The second is [Authentication], where the [Relying Party] is presented with an [Authentication] [Assertion] proving the presence and [consent] of the user who registered the [Public Key Credential].

Functionally, [{$pagename}] comprises a [Public Key Credential] which extends the [Credential Management API], and infrastructure which allows those [credentials] to be used with navigator.credentials.create() and navigator.credentials.get(). The former is used during [Registration|Credential Enrollment], and the latter during [Authentication].

Broadly, compliant [authenticators] protect [Public Key Credential|Public Key Credentials], and interact with [user-agents] to implement the Web Authentication [API]. Some [authenticators] [MAY] run on the same client [device] (e.g., smart phone, tablet, desktop PC) as the [user-agent]. For instance, such an [authenticator] might consist of a [Trusted Execution Environment] ([TEE]) applet, a [Trusted Platform Module] ([TPM]), or a [Secure Element] integrated into the [WebAuthn Client Device] in conjunction with some means for user verification, along with appropriate driver software to mediate access to these components' functionality. Other [authenticators] [MAY] operate autonomously from the [client] [device] running the user agent, and be accessed over a transport such as Universal Serial Bus (USB), [Bluetooth Low Energy] ([BLE]) or [Near Field Communications] ([NFC]).

The [{$pagename}] [Working Group] has closely coordinated with the [FIDO] Alliance to ensure that [FIDO2] [Client To Authenticator Protocol] ([CTAP]) implementations will work well with [WebAuthN]. We have also closely coordinated with the [W3C Credential Management API] work.
! [Relying Parties|Relying Party] and [Clients]
[Relying Parties|Relying Party] are [web] or [Native application|Native applications] that wish to consume strong [credentials]. A [Native application] may also act as a [WebAuthN] [client] and make direct [WebAuthN] calls. In the [web] case, the [entity] that wants to consume the [credential] cannot directly interact with [{$pagename}] and so must broker the deal through the [browser].

Do not confuse a [WebAuthN] [Relying Party] with a [Federated Relying Party], as there is no [Single Sign-On] [WebAuthn Relying Party].
* [WebAuthn Relying Party]
* [WebAuthn Client Device]
* [WebAuthn Client]
* [Platform Authenticator]
* [Roaming Authenticator]

!! Demo Sites
* [Auth0|https://webauthn.me/]
* [https://webauthn.io/|https://webauthn.io/]
* [Mozilla Demo website|https://webauthn.bin.coffee/] and its source code.
* [Google Demo website|http://webauthndemo.appspot.com/] and its source code.
* [DebAuthn serves as a debugger for WebAuthN|https://debauthn.tic.udc.es/|target='_blank']
* [webauthn.org|https://webauthn.org/] and its client source code and server source code (Expired Certificate 2020-05-19)

!! Registries for Web Authentication (WebAuthn) is now [RFC 8809]
[Registries for Web Authentication|WebAuthn-Registries] (WebAuthn) is now [RFC 8809].

!! Why [{$pagename}] ([WebAuthN])
[{$pagename}] eliminates [Password-based] [Authentication], which implies it also eliminates:
* [Password Reuse]
* [Password Expired]
* [Password-hash]
* [Password Spraying]
* [Password Storage Scheme]
* [Password Management]
* [Brute-Force] [Password] [Attacks]
* [Password Periodic Changes]
* [Password Quality]

! [SECURITY|Security]
* [{$pagename}] [cryptographic] [credentials] are unique across every [website] (i.e. no [Password Reuse])
** [credentials] never leave the user’s [device]
** [credentials] are never stored on a server.
** which eliminates the risks of [phishing]
** which eliminates all forms of [password theft|Credential Leaked Databases] and [Replay attacks]

! [User Experience]
Users unlock cryptographic login credentials with simple built-in methods such as fingerprint readers or cameras on their devices, or by leveraging easy-to-use FIDO [Security Keys]. Consumers can select the device that best fits their needs.

! [PRIVACY|PrivacyLens]
[{$pagename}] [Cryptographic Keys] are unique for each internet [Website], so they cannot be used for [Tracking] users across [Websites]. Plus, [Biometric data], when used, never leaves the user’s [Local device].

! SCALABILITY
[Websites] can enable [{$pagename}] through a simple [JavaScript] [API] call that is supported across leading [browsers] and platforms on billions of devices consumers use every day.

!! Does [WebAuthN] Replace [OAuth]?
__No!__ In fact, [{$pagename}] and [OAuth] work great together! While [{$pagename}] can often take the place of using a specific [third-party] [OAuth] [API] for [authentication], [{$pagename}] isn't trying to solve the same problems [OAuth] solves. [{$pagename}] ONLY provides [Authentication], so if that's all you're using [OAuth] for [(you shouldn't)|Not For Identification Purposes], then you may not need [OAuth]! But if you're using [OAuth] in order to access an [API], then you'll still need [OAuth], as that's how you get an access token. [{$pagename}] may end up replacing the step in [OAuth] where the user enters their password, since [{$pagename}] is a replacement for password [authentication]. But [WebAuthN] won't provide an app with an access token to make [API] requests, since that's not what it's designed for.
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Web Authentication API|https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API|target='_blank'] - based on information obtained 2018-11-21
* [#2] - [All about FIDO2, CTAP2 and WebAuthN|https://techcommunity.microsoft.com/t5/Identity-Standards-Blog/All-about-FIDO2-CTAP2-and-WebAuthn/ba-p/288910|target='_blank'] - based on information obtained 2019-02-25
* [#3] - [Web Authentication: An API for accessing Public Key Credentials Level 1|https://www.w3.org/TR/webauthn/|target='_blank'] - based on information obtained 2018-11-21
* [#4] - [WebAuthN|Wikipedia:WebAuthn|target='_blank'] - based on information obtained 2018-11-21
* [#5] - [Web Authentication: An API for accessing Public Key Credentials Level 1|https://www.w3.org/TR/webauthn/|target='_blank'] - based on information obtained 2019-03-05
* [#6] - [What is WebAuthN?|https://www.yubico.com/webauthn/|target='_blank'] - based on information obtained 2019-03-05
* [#7] - [fidoalliance.org|https://fidoalliance.org/fido2/|target='_blank'] - based on information obtained 2020-11-25