WebAuthn
History of WebAuthn
WebAuthn is an open standard that was developed as a joint effort by the FIDO Alliance and the World Wide Web Consortium (W3C). It was first proposed in 2013 as a way to provide secure authentication on the web without requiring passwords.
WebAuthn officially became a W3C standard in 2019. Since then, it has been widely adopted by many major websites and services, including Google, Facebook, and Microsoft. In addition, the major browsers, such as Chrome, Firefox, Edge, and Safari, have added WebAuthn support.
Standards Release
The W3C has published two versions of the WebAuthn specification as Recommendations. A third version is an active Working Draft. Given the rapid pace at which the standard is evolving and the involvement of tech companies like Apple and Google, some proposed features from the Editor’s Draft of the Level 3 Standard, which contains the latest updates, are already available in browsers like Chrome and Safari.
- Level 1 Standard - The WebAuthn Level 1 Standard was published as a W3C Recommendation on March 4, 2019.
- Level 2 Standard - The WebAuthn Level 2 Standard was published as a W3C Recommendation on April 8, 2021.
- Level 3 Standard - A Level 3 specification was published as a First Public Working Draft (FPWD) on April 27, 2021.
The Rise of Passwordless Authentication
The development of WebAuthn was motivated by the industry’s need for a more secure and user-friendly authentication mechanism.
- Security: Passwords are often vulnerable to phishing, credential stuffing, and brute force attacks. WebAuthn authenticates users with public-key credentials scoped to a specific domain, along with optional user verification, eliminating the need for passwords.
- User Experience: It can be difficult for users to manage all of their unique passwords across multiple websites and applications. Forgotten passwords lead to locked accounts, password resets, and the headaches that go along with them. WebAuthn enables a true passwordless experience.
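The domain scoping and optional verification mentioned under Security show up as concrete checks a relying party runs on every sign-in response. The sketch below is an added example, not code from the original page or from any WebAuthn library; `check_scope`, `make_sample`, and the `example.com` / `example.net` values are constructed for illustration, and verifying the signature over the authenticator data and the client data hash is a separate step not shown.

```python
import base64, hashlib, hmac, json, struct

FLAG_UP = 0x01  # authenticatorData flag bit 0: user present
FLAG_UV = 0x04  # authenticatorData flag bit 2: user verified (PIN, biometric)

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_scope(client_data_json, auth_data, *, rp_id, origin, challenge,
                require_uv=False):
    """Return the names of failed checks; an empty list means all passed."""
    errors = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        errors.append("type")
    got = str(client.get("challenge", "")).encode()
    if not hmac.compare_digest(got, b64url(challenge).encode()):
        errors.append("challenge")          # response is not for this login attempt
    if client.get("origin") != origin:
        errors.append("origin")             # browser was on a different site
    if len(auth_data) < 37:                 # rpIdHash(32) + flags(1) + signCount(4)
        return errors + ["authenticator_data_length"]
    rp_id_hash, flags, _count = struct.unpack(">32sBI", auth_data[:37])
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(rp_id.encode()).digest()):
        errors.append("rp_id_hash")         # credential was used for another domain
    if not flags & FLAG_UP:
        errors.append("user_present")
    if require_uv and not flags & FLAG_UV:
        errors.append("user_verified")
    return errors

def make_sample(rp_id, origin, challenge, flags):
    """Constructed input shaped like an assertion response (no signature)."""
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge)}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", 7)
    return client, auth

if __name__ == "__main__":
    chal = bytes(range(16))
    expect = dict(rp_id="example.com", origin="https://example.com",
                  challenge=chal, require_uv=True)
    cases = {"genuine site": ("example.com", "https://example.com", FLAG_UP | FLAG_UV),
             "other domain": ("example.net", "https://example.net", FLAG_UP | FLAG_UV),
             "no verification": ("example.com", "https://example.com", FLAG_UP)}
    for name, args in cases.items():
        c, a = make_sample(args[0], args[1], chal, args[2])
        print(name, "->", check_scope(c, a, **expect) or "ok")
```

A response produced while the browser is on any other domain fails both the `origin` and `rp_id_hash` checks, which is the property that makes these credentials resistant to phishing.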