What is WebAuthn?


WebAuthn (short for Web Authentication) is an API specification that enables applications to use strong and secure authentication methods for user registration and login. It provides a way for end users to authenticate themselves using hardware- or software-based authenticators, such as USB security keys or secure hardware elements integrated with a laptop or mobile device, instead of relying solely on passwords.

These authenticators rely on public-key cryptography to provide secure registration and authentication of accounts. To achieve this, the user completes a registration ceremony to associate an authenticator device with their account, which generates a public-private key pair.

The private key is stored securely on the user’s device while the public key is registered with the web application server. During login the user verifies their identity by completing an authentication ceremony registered device, and the server validates the signature using the previously registered public key.

As a developer you can use WebAuthn to provide your users with a more secure and user-friendly authentication mechanism. It is supported by most modern web browsers and platforms, and open-source libraries and identity platforms streamline integration with your existing authentication flow.

What are passkeys?

The public-private key pair generated by an authenticator is the user’s credential in WebAuthn world, as opposed to a more traditional username and password. The term “passkey” started as a way to describe WebAuthn credentials that can be synced between devices using an external mechanism, but it has since become the common way to refer to any WebAuthn credential.

Syncing passkeys

WebAuthn is focused on registering and authenticating using passkeys that are tied to a single device, and syncing passkeys between devices is outside the scope of the WebAuthn specification. As WebAuthn gained traction, some people started to wonder, “What happens if I lose or replace the device that contains my passkeys?”

One option is to register passkeys on two devices: one that is carried for everyday use and another that is kept in a secure location as a backup. That solution is cumbersome, and most people are not going to bother.

Enter large platform and operating system companies. They use their own secure channels to sync passkeys across multiple user devices in the background making them available across all a user’s compatible devices and eliminating the need for a separate backup authenticator. For example, Apple uses its iCloud Keychain and Google uses Google Password Manager to make passkeys available across devices.