WebAuthn (Web Authentication API) is a W3C web standard that enables passwordless authentication and phishing-resistant multi-factor authentication using public-key cryptography. It allows users to authenticate to online services using platform authenticators (like a device's built-in fingerprint sensor or facial recognition) or roaming authenticators (external hardware security keys like a YubiKey). The protocol replaces shared secrets (passwords) with unique cryptographic key pairs, where the private key is securely stored on the user's device and never leaves it.
Glossary
WebAuthn

What is WebAuthn?
WebAuthn is the core web standard enabling passwordless authentication, allowing users to log in using biometrics or security keys instead of traditional passwords.
For developers, WebAuthn integrates via a JavaScript API where the relying party (the website or service) requests authentication by specifying the type of challenge (registration or assertion). The authenticator creates a public key credential containing a signature that proves possession of the private key without revealing it. This process is foundational for FIDO2 and is a critical component in modern zero-trust architectures, eliminating entire classes of attacks like credential stuffing and man-in-the-middle phishing by tying authentication directly to a specific device and origin.
Key Features of WebAuthn
WebAuthn (Web Authentication API) is a core component of the FIDO2 project, enabling strong, phishing-resistant authentication on the web via public-key cryptography. It replaces passwords with cryptographic credentials tied to physical authenticators.
Passwordless Authentication
WebAuthn enables passwordless login by replacing shared secrets with unique cryptographic key pairs. Users authenticate using a possession factor (like a security key or phone) combined with a biometric (fingerprint, face scan) or PIN. This eliminates credential stuffing, phishing, and database breach risks associated with passwords. For example, a user can log into a service by simply inserting a YubiKey and touching it.
Public Key Cryptography
At its core, WebAuthn uses asymmetric cryptography. During registration, the authenticator generates a unique public-private key pair for each website (relying party). The private key never leaves the secure hardware of the authenticator, while the public key is sent to the server. For authentication, the server sends a cryptographic challenge; the authenticator signs it with the private key, and the server verifies the signature with the stored public key.
Phishing Resistance
WebAuthn credentials are scoped to a specific origin (e.g., https://bank.example.com). An authenticator will not sign a challenge from a phishing site (https://b4nk-example.com) because the origin does not match. This cryptographic binding to the site's domain makes stolen credentials useless on fake sites, providing a fundamental defense against phishing attacks that target passwords and OTP codes.
Authenticator Types
WebAuthn supports a range of authenticators, classified by their attachment and verification methods:
- Platform Authenticators: Integrated into the user's device (e.g., Touch ID on macOS, Windows Hello, Android fingerprint sensor).
- Cross-Platform (Roaming) Authenticators: Portable hardware tokens that connect via USB, NFC, or Bluetooth (e.g., YubiKey, Google Titan Key).
- Verification methods include user presence (a button press) and user verification (biometric or PIN).
Attestation & Enterprise Management
Attestation is an optional process where the authenticator provides a cryptographically signed statement about its make and model (e.g., "YubiKey 5 Series") during registration. This allows enterprises to enforce authenticator policy, restricting login to specific, trusted hardware. For example, a company can mandate that only FIDO2-certified security keys from an approved vendor list can be used to access corporate systems.
Resident Keys & Usernameless Flow
A resident key (or discoverable credential) is a private key stored persistently on the authenticator, along with user information like a user handle. This enables a usernameless authentication flow: the user simply plugs in their key, and the site presents a list of accounts associated with that key. The user selects their account and verifies with a biometric, completing login without typing a username or password.
Frequently Asked Questions
WebAuthn is the core web standard enabling passwordless authentication. These FAQs address its technical mechanisms, security properties, and integration within modern authentication architectures.
WebAuthn (Web Authentication API) is a W3C web standard that enables passwordless authentication on websites and applications using public-key cryptography. It works by having a user's device (like a security key, smartphone, or biometric sensor) generate a unique cryptographic key pair for each website. During registration, the public key is sent to the relying party (the website) and stored, while the private key remains securely on the user's authenticator. For subsequent logins, the website sends a challenge; the authenticator signs this challenge with the private key, and the website verifies the signature with the stored public key, proving the user's possession of the authenticator without transmitting a password.
This process, part of the larger FIDO2 project, eliminates shared secrets and is fundamentally resistant to phishing, as the cryptographic signature is bound to the specific website's origin.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
WebAuthn operates within a broader ecosystem of modern authentication and authorization standards. These related protocols and concepts define how identity is established, verified, and managed in secure systems.
Public Key Cryptography
Public key cryptography (or asymmetric cryptography) is the cryptographic foundation of WebAuthn. It uses a mathematically linked key pair: a private key (kept secret) and a public key (shared openly).
- During registration, a new key pair is generated by the authenticator. The public key is sent to the relying party (the website), while the private key never leaves the secure authenticator.
- During authentication, the relying party sends a challenge. The authenticator signs this challenge with the private key, and the relying party verifies the signature using the stored public key.
- This eliminates shared secrets (like passwords) and enables strong cryptographic proof of identity.
Multi-Factor Authentication (MFA)
Multi-Factor Authentication is a security mechanism that requires a user to present two or more distinct verification factors. WebAuthn authenticators can satisfy multiple factors in a single gesture.
- Knowledge Factor: Something you know (e.g., a PIN or password to unlock the authenticator).
- Possession Factor: Something you have (e.g., the physical security key or registered device).
- Inherence Factor: Something you are (e.g., a biometric like a fingerprint or face scan).
- A WebAuthn login using a device PIN + biometric scan is a two-factor authentication (2FA) process, combining possession and inherence.
Relying Party
In the WebAuthn specification, the Relying Party is the entity that registers and authenticates users—typically, the web application or service (e.g., example.com). Its responsibilities include:
- Registration: Requesting the creation of a new public key credential, storing the public key and credential ID, and associating them with a user account.
- Authentication: Requesting an assertion (signature) from an existing credential to verify a user's identity.
- Policy Enforcement: Defining acceptable authenticator types (e.g., platform vs. cross-platform) and requiring user verification (PIN/biometric).
Authenticator
An Authenticator is the hardware or software component that creates and stores the private key and performs the cryptographic operations for WebAuthn. There are two primary types:
- Platform Authenticator: Integrated into a user's device (e.g., Touch ID on Mac, Windows Hello, Android device biometrics).
- Cross-Platform (Roaming) Authenticator: A removable device that works across multiple platforms (e.g., a YubiKey, Google Titan Key).
- Authentators contain a secure element or Trusted Execution Environment (TEE) to protect private keys from extraction, even if the host operating system is compromised.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us