Key points
- W3C standard, supported in every major browser
- Underlies passkeys (synced) and security keys (hardware-only)
- Phishing-resistant by design (origin binding)
- Part of the FIDO2 specification family alongside CTAP
- Replaces passwords for both first- and second-factor scenarios
What it is
WebAuthn is the JavaScript API browsers expose so a website can ask the operating system or a security key, in effect, "prove who this user is, using a public/private key pair you hold." It's the protocol layer underneath both passkeys and traditional FIDO2 security keys.
How it works
- Registration: site calls navigator.credentials.create(). The authenticator (Touch ID, Windows Hello, YubiKey) generates a key pair scoped to that origin. The public key is sent to the server.
- Authentication: site calls navigator.credentials.get(). The authenticator signs a server challenge with the private key. The server verifies with the stored public key.
Because the key is bound to the origin (https://example.com), a phishing page on examp1e.com cannot trick the authenticator into signing for it.
When buyers care
- Implementing passwordless or strong second-factor auth
- Meeting CISA / NIST guidance for phishing-resistant MFA
- Anyone building B2B SaaS, fintech, healthcare, or government-facing apps in 2026
Common misconceptions
- WebAuthn ≠ passkeys. Passkeys are credentials created via WebAuthn that are typically synced via iCloud, Google Password Manager, etc. WebAuthn is the protocol; passkeys are one consumer.
- WebAuthn is not just for login. It's also strong for step-up auth on sensitive actions.
FAQ
Do I need WebAuthn if I have passkeys?
Yes — passkeys are implemented using WebAuthn. You build to the WebAuthn API; the OS/browser surfaces passkeys to the user.
Browser support?
Universal in modern browsers since 2019. Safari, Chrome, Edge, Firefox all support it.
