WebAuthn

Web Authentication
AbbreviationWebAuthn
First published31 May 2016 (2016-05-31)
Latest versionLevel 2 Recommendation
21 April 2021 (2021-04-21)
Preview versionLevel 3 (FPWD)
15 December 2021 (2021-12-15)
OrganizationFIDO2 Project (FIDO Alliance and W3C)
CommitteeWeb Authentication Working Group
Editors
Current editors
  • Jeff Hodges (Google)
  • J.C. Jones (Mozilla)
  • Michael B. Jones (Microsoft)
  • Akshay Kumar (Microsoft)
  • Emil Lundberg (Yubico)
Previous editors
  • Dirk Balfanz (Google)
  • Vijay Bharadwaj (Microsoft)
  • Arnar Birgisson (Google)
  • Alexei Czeskis (Google)
  • Hubert Le Van Gong (PayPal)
  • Angelo Liao (Microsoft)
  • Rolf Lindemann (Nok Nok Labs)
Base standards
  • File API
  • WHATWG Encoding Standard
  • Unicode AUX #29: Text Segmentation
DomainAuthentication

Web Authentication (WebAuthn) is a web standard published by the World Wide Web Consortium (W3C).[1][2][3] WebAuthn is a core component of the FIDO2 Project under the guidance of the FIDO Alliance.[4] The goal of the project is to standardize an interface for authenticating users to web-based applications and services using public-key cryptography. WebAuthn credentials (which are themselves FIDO credentials) that are available across multiple devices are commonly referred to as passkeys.[5]

On the client side, support for WebAuthn can be implemented in a variety of ways. The underlying cryptographic operations are performed by an authenticator, which is an abstract functional model that is mostly agnostic with respect to how the key material is managed. This makes it possible to implement support for WebAuthn purely in software, making use of a processor's trusted execution environment or a Trusted Platform Module (TPM). Sensitive cryptographic operations can also be offloaded to a roaming hardware authenticator that can in turn be accessed via USB, Bluetooth Low Energy, or near-field communications (NFC). A roaming hardware authenticator conforms to the FIDO Client to Authenticator Protocol (CTAP),[6] making WebAuthn effectively backward compatible with the FIDO Universal 2nd Factor (U2F) standard.[7]

Like legacy U2F, Web Authentication is resilient to verifier impersonation; that is, it is resistant to phishing attacks,[8] but unlike U2F, WebAuthn does not require a traditional password.[9] Moreover, a roaming hardware authenticator is resistant to malware since the private key material is at no time accessible to software running on the host machine.

The WebAuthn Level 1 and 2 standards were published as W3C Recommendations on 4 March 2019 and 8 April 2021 respectively.[1][10][11] A Level 3 specification is currently a First Public Working Draft (FPWD).[12]

  1. ^ a b Balfanz, Dirk; Czeskis, Alexei; Hodges, Jeff; Jones, J.C.; Jones, Michael B.; Kumar, Akshay; Liao, Angelo; Lindemann, Rolf; Lundberg, Emil (eds.). "Web Authentication: An API for accessing Public Key Credentials Level 1 (latest)". World Wide Web Consortium. Retrieved 4 March 2019.
  2. ^ "Web Authentication Working Group". World Wide Web Consortium. Retrieved 11 May 2018.
  3. ^ Strickland, Jonathan (18 March 2019). "What is WebAuthn". TechStuff. iHeartMedia. 20:35 minutes in. Retrieved 20 March 2019.
  4. ^ "FIDO2 Project". FIDO Alliance. Retrieved 11 May 2018.
  5. ^ "White Paper: Multi-Device FIDO Credentials" (PDF). FIDO Alliance. March 2022. p. 6. Retrieved 20 May 2024.
  6. ^ Brand, Christiaan; Czeskis, Alexei; Ehrensvärd, Jakob; Jones, Michael B.; Kumar, Akshay; Lindemann, Rolf; Powers, Adam; Verrept, Johan, eds. (30 January 2019). "Client to Authenticator Protocol (CTAP)". FIDO Alliance. Retrieved 7 March 2019.
  7. ^ "WebAuthn / CTAP: Modern Authentication" (PDF). World Wide Web Consortium. 10 December 2018. Retrieved 11 March 2019.
  8. ^ Kan, Michael (7 March 2019). "Google: Phishing Attacks That Can Beat Two-Factor Are on the Rise". PC Magazine. Retrieved 8 March 2019.
  9. ^ "Practical passwordless authentication comes a step closer with WebAuthn". Ars Technica. 10 April 2018. Retrieved 16 October 2024.
  10. ^ "W3C and FIDO Alliance Finalize Web Standard for Secure, Passwordless Logins". World Wide Web Consortium. 4 March 2019. Retrieved 4 March 2019.
  11. ^ Balfanz, Dirk; Czeskis, Alexei; Hodges, Jeff; Jones, J.C.; Jones, Michael B.; Kumar, Akshay; Lindemann, Rolf; Lundberg, Emil, eds. (8 April 2021). "Web Authentication: An API for accessing Public Key Credentials Level 2" (Latest ed.). World Wide Web Consortium. Retrieved 27 November 2022.
  12. ^ Balfanz, Dirk; Czeskis, Alexei; Hodges, Jeff; Jones, J.C.; Jones, Michael B.; Kumar, Akshay; Lindemann, Rolf; Lundberg, Emil, eds. (4 April 2021). "Web Authentication: An API for accessing Public Key Credentials Level 3" (First Public Working Draft ed.). World Wide Web Consortium. Retrieved 24 December 2021.