---
url: 'https://www.corbado.com/glossary/webauthn'
title: 'WebAuthn'
description: 'Discover WebAuthn, a web standard introduced for simplifying and standardizing passwordless user authentication.'
lang: 'en'
keywords: 'webauthn'
---

# WebAuthn

## What Is WebAuthn?

WebAuthn is a web standard introduced by the World Wide Web Consortium (W3C) aimed at
simplifying and standardizing strong user authentication online. It offers a simplified
and secure way for users to log in to websites and applications without the need for
passwords, instead using biometrics or
[hardware security keys](https://www.corbado.com/blog/best-fido2-hardware-security-keys).

## Key Takeaways

> - WebAuthn is a web standard for passwordless user authentication.
> - It supports a variety of [authenticators](https://www.corbado.com/glossary/authenticator) like biometric
>   readers and hardware security keys (e.g. [YubiKeys](https://www.corbado.com/glossary/yubikey)).
> - WebAuthn enhances online security, making it resistant to
>   [phishing attacks](https://www.corbado.com/blog/3ds-authentication-failed).

---

### How WebAuthn works

- **User Registration:** The user registers on a web service, and during the registration,
  they are provided with multiple authentication options supported by WebAuthn. They can
  choose from external [authenticators](https://www.corbado.com/glossary/authenticator) like
  [hardware security keys](https://www.corbado.com/blog/best-fido2-hardware-security-keys) (e.g.
  [YubiKeys](https://www.corbado.com/glossary/yubikey)) or built-in platform
  [authenticators](https://www.corbado.com/glossary/authenticator) like biometrics (e.g.
  [Face ID](https://www.corbado.com/faq/is-face-id-passkey), Touch ID, [Windows Hello](https://www.corbado.com/glossary/windows-hello)).
- **User Authentication:** After registration, users can authenticate to the web service
  using their chosen [authenticator](https://www.corbado.com/glossary/authenticator). This authentication process
  is simple and secure, providing a robust defense against [phishing](https://www.corbado.com/glossary/phishing)
  and other online threats.

### Origin and Development

WebAuthn was developed under the W3C with significant contributions from companies like
Yubico, Microsoft, and Google. It is a part of the [FIDO2](https://www.corbado.com/glossary/fido2) project, and
its development aimed at moving beyond passwords to offer stronger and more
[user-friendly authentication](https://www.corbado.com/faq/passkey-user-experience-benefits-non-technical-audience)
mechanisms.

---

## WebAuthn FAQs

### WebAuthn vs. Passkeys? What is the Difference?

While WebAuthn lays down the framework for utilizing private keys for authentication,
passkeys are a specific implementation of this framework, tailored for easy user
interaction and broad application.

### How does WebAuthn enhance security?

WebAuthn uses public-key cryptography to provide strong authentication, making it
resistant to [phishing](https://www.corbado.com/glossary/phishing) and other common online attacks.

### What are the types of authenticators supported by WebAuthn?

WebAuthn supports a variety of authenticators including
[hardware security keys](https://www.corbado.com/blog/best-fido2-hardware-security-keys) (e.g.
[YubiKeys](https://www.corbado.com/glossary/yubikey)), fingerprint readers, and other biometric or platform
built-in authenticators.

### How does WebAuthn work with FIDO and U2F?

WebAuthn is a core component of the [FIDO2](https://www.corbado.com/glossary/fido2) project and is backward
compatible with FIDO Universal 2nd Factor (U2F), providing a standardized interface for
user authentication.

### Can WebAuthn work without a roaming hardware authenticator?

Yes, WebAuthn supports software or platform authenticators as well, offering flexibility
in the choice of [authenticator](https://www.corbado.com/glossary/authenticator) used for secure login.

### WebAuthn vs OAuth? What's the difference?

WebAuthn is a web standard for
[passwordless authentication](https://www.corbado.com/glossary/passwordless-authentication) using hardware
security tokens (e.g. YubiKeys) or biometrics(e.g. [Face ID](https://www.corbado.com/faq/is-face-id-passkey),
Touch ID, [Windows Hello](https://www.corbado.com/glossary/windows-hello)), whereas OAuth is an authorization
framework that allows third-party applications to access services on behalf ofusers. While
WebAuthn is focused on user authentication, OAuth handles authorization and access
delegation.

### WebAuthn vs U2F? What's the difference?

WebAuthn and U2F (Universal Second Factor) bothrelate to user authentication, but WebAuthn
supports both single-factor andmulti-factor authentication using various methods like
biometrics (e.g. FaceID, Touch ID, [Windows Hello](https://www.corbado.com/glossary/windows-hello)), while U2F
primarily supports [two-factor authentication](https://www.corbado.com/blog/passkeys-vs-2fa-security) through
physical hardware security tokens like USB devices (e.g. YubiKeys).

### WebAuthn vs OTP? What's the difference?

WebAuthn facilitates [passwordless authentication](https://www.corbado.com/glossary/passwordless-authentication)
using public-key cryptography, while OTP (One-Time Password or Passcode) is a time-based
code used alongside passwords for
[two-factor authentication](https://www.corbado.com/blog/passkeys-vs-2fa-security). Unlike OTP, WebAuthn offers a
more secure, [phishing](https://www.corbado.com/glossary/phishing)-resistant method of authentication without
needing additional code input.

### WebAuthn vs FIDO? What's the difference?

WebAuthn is a component of the broader [FIDO2](https://www.corbado.com/glossary/fido2) standard aimed at
passwordless authentication. While FIDO2 encompasses both web (WebAuthn) and local device
authentication (client-to-[authenticator](https://www.corbado.com/glossary/authenticator) protocol; CTAP),
WebAuthn specifically pertains to web-based authentication using public-key cryptography.

### What’s a WebAuthn example?

Various websites and apps have WebAuthn already implemented in their authentication flows.
To see an updated list of the services, please have a look
[here](https://state-of-passkeys.io/).

### What’s a WebAuthn backend?

The WebAuthn backend is the server-side implementation that processes authentication
requests, verifies credentials, and manages public key and user data. It is responsible
for securely storing the public keys associated with registered users and verifying the
signatures generated by the authenticator during the login process.

### What’s a WebAuthn demo?

To see an up-to-date WebAuthn demo, you can check out this
[demo page](https://passkeys.eu/).

### Does WebAuthn use Yubikeys?

WebAuthn can be utilized with YubiKeys to enable passwordless login or
[two-factor authentication](https://www.corbado.com/blog/passkeys-vs-2fa-security) on websites, enhancing
security. The [YubiKey](https://www.corbado.com/glossary/yubikey) acts as an external, roaming authenticator that
can generate and store cryptographic keys, allowing users to authenticate to services
securely.

### What is the WebAuthn API?

WebAuthn API, also called Web Authentication API, is a standard interface allowing
developers to integrate
[passwordless authentication](https://www.corbado.com/glossary/passwordless-authentication) using
[public key cryptography](https://www.corbado.com/glossary/public-key-cryptography) in their applications. This
API enables the creation and use of strong, attested, scoped, public key-based credentials
by web applications, for the purpose of strongly authenticating users.

### How does WebAuthn with a QR Code work?

WebAuthn QR codes could be used to initiate a WebAuthn authentication process on a
different device. This allows to use the credentials stored on one device to be used on
another device. The first device scans a [QR code](https://www.corbado.com/blog/qr-code-login-authentication)
being displayed on the second device, so that the first device’s credentials can be used.
To further strengthens security and prevent phishing, the proximity of the two devices is
verified via Bluetooth. The passkey from the first device is not stored on the second
device.

### What is WebAuthn HMAC-Secret?

[HMAC-Secret](https://www.corbado.com/glossary/hmac-secret) is an extension in WebAuthn allowing shared secret
generation using the authenticator, enhancing privacy and security. It provides a way to
derive shared secrets from the [authenticator's](https://www.corbado.com/glossary/authenticator) key, which can
be used for additional purposes like encryption or integrity checking.

### How does WebAuthn work with Hardware Security Keys?

WebAuthn can work with hardware security keys like YubiKeys to provide a secure method of
authentication by verifying the user's possession of the hardware
[security key](https://www.corbado.com/glossary/security-key). The hardware security keys generates cryptographic
credentials that are sent to the server for verification, ensuring a secure and
passwordless authentication experience.

### What’s a WebAuthn authenticator?

A WebAuthn authenticator is a device or software that generates and manages cryptographic
credentials, like biometric scannersor hardware security keys. Authenticators can be built
into the user's device(platform authenticators) or be removable and usable across many
devices (roaming authenticators).

### What is WebAuthn attestation?

WebAuthn [attestation](https://www.corbado.com/glossary/attestation) is a process where the authenticator
provides a certificate to the server during registration, helping verify the authenticity
of the authenticator. This certificate, signed by the
[authenticator's](https://www.corbado.com/glossary/authenticator) manufacturer, helps the server trust the
authenticity and integrity of the authenticator.

### What is WebAuthn Level 3?

[WebAuthn Level 3](https://www.corbado.com/blog/passkeys-prf-webauthn) is the third revision of the WebAuthn
specification documents which is currently work in progress. See the latest version
[here](https://www.w3.org/TR/webauthn-3/).

### How does WebAuthn work with multiple devices?

WebAuthn allows for the usage of multiple devices by having separate registrations for
each device (and often browser), enabling users to use various authenticators. This
facilitates flexibility and ensures users can authenticate across different devices and
platforms seamlessly. Moreover, passkeys make use of their synchronization features across
cloud accounts or password managers, which is also a kind of using WebAuhn credentials
across multiple devices.

### What is WebAuthn User Verification?

[User Verification](https://www.corbado.com/blog/webauthn-user-verification) in WebAuthn is the process of
verifying the user's identity, like using biometrics (e.g.
[Face ID](https://www.corbado.com/faq/is-face-id-passkey), Touch ID, WindowsHello) or a PIN, before generating or
using a credential. This step ensures that the individual initiating the authentication
process is the legitimate owner of the authenticator, enhancing security.