WebAuthn / FIDO2
What it is
WebAuthn is the W3C browser API for public-key authentication, and FIDO2 is the broader FIDO Alliance specification set: WebAuthn for the web-facing side, plus CTAP (Client to Authenticator Protocol), which the browser or OS uses to talk to an authenticator over USB, NFC or Bluetooth. Together they are the foundation of passkeys and hardware security keys, and they make phishing-resistant authentication practical at scale.
How it works
Instead of a shared secret, the user's authenticator generates a key pair per site at registration and hands only the public key to the service. At login, the service sends a fresh random challenge, the browser wraps it with the calling origin into the client data, the authenticator signs that client data together with its own authenticator data after a local user gesture (biometric, PIN or touch), and the service verifies the challenge, the origin and the signature before accepting the login.
- Origin binding: the credential is tied to the relying party ID (a domain) it was registered for. The browser refuses to use it from an origin that does not match that domain, and it places the real origin inside the signed client data, so a lookalike site can neither obtain a usable signature nor relay one. This is the core security property.
- No shared secret: the server stores only a public key, and each signature covers a one-time challenge, so a server breach or a captured login yields nothing an attacker can replay.
- Authenticators: platform (Face ID, Windows Hello) or roaming (a YubiKey or similar security key).
Status
WebAuthn Level 2 is a W3C Recommendation (April 2021); Level 3 is a working draft. Passkeys, built on these standards, are now supported by every major operating system and browser, and billions of existing accounts can be enrolled.
When to use it
For any account where phishing and account takeover matter, which is most of them. Synced passkeys suit consumers: they survive device loss, but their security is then only as strong as the cloud account that syncs them. Device-bound passkeys and hardware keys suit high-value and workforce use, where you want the key never to leave the hardware and where attestation can prove which authenticator model was enrolled.
Pitfalls
- Plan account recovery and enrollment carefully; once passwords are gone, attackers target these flows instead, and a recovery path that falls back to email, SMS or a help-desk call is only as phishing-resistant as that fallback.
- Support more than one authenticator per user, and have a tested fallback, so that a lost or broken device does not become a recovery ticket.
- Verify the assertion properly server-side: a one-time challenge, the expected origin and RP ID, the user-verified flag where policy requires it, and the signature counter. Use a maintained WebAuthn library rather than hand-written parsing of the binary structures.
Related
Guide: Passkeys 101, what is passwordless. Glossary: FIDO2, WebAuthn, passkey. Vendors: MFA and passwordless.