Learn the differences between WebAuthn and passkeys and discover how WebAuthn serves as the foundation for passkeys and how it impacts user authentication.
Vincent
Created: August 26, 2024
Updated: August 13, 2025
WebAuthn is a web security protocol developed by the FIDO Alliance, designed to enable secure, passwordless authentication on the web. Passkeys, on the other hand, are a specific implementation of WebAuthn that focuses on providing a user-friendly, secure authentication method by replacing traditional passwords with cryptographic keys stored on a user’s device.
WebAuthn (Web Authentication) is a web standard published by the W3C and supported by major browsers. It enables strong, phishing-resistant authentication by allowing users to sign in with a cryptographic key pair, rather than a password. WebAuthn was developed by the FIDO Alliance (Fast Identity Online) and is a key component of their broader FIDO2 project, which aims to reduce the reliance on passwords.
Passkeys are a technology based on the WebAuthn standard, designed to further simplify the user experience while maintaining high security. Passkeys work by generating and storing a unique cryptographic key pair on a user’s device - typically in hardware security module like the Trusted Platform Module (TPM) or Secure Enclave. When a user attempts to sign in, the website or service sends a challenge, which is signed by the private key stored on the user’s device. This signed challenge is then sent back and verified by the service using the public key.