What is WebAuthn – Web Authentication?
WebAuthn (short for Web Authentication) is a web standard developed by the World Wide Web Consortium (W3C) and the FIDO Alliance. It provides a standard API (Application Programming Interface) for web applications to authenticate users without requiring passwords.
WebAuthn enables users to authenticate with public key cryptography and biometrics, such as fingerprint or facial recognition, instead of using a password. The technology uses a FIDO2-compliant authenticator device (e.g. authenton#1), such as a security key, to generate a public-private key pair unique to the user. The private key is stored securely on the authenticator device, while the public key is registered with the web application. When a user logs in, the authenticator device generates a signature that is sent to the web application, which verifies the signature using the previously registered public key.
WebAuthn is designed to provide a stronger level of security than traditional password-based authentication. Because the private key is stored on the authenticator device and not on the server, it is much harder for attackers to steal or guess the user's credentials. In addition, because the user's biometric data is used to authenticate, it is much more difficult for an attacker to impersonate the user.
WebAuthn is supported by most modern web browsers, including Google Chrome, Mozilla Firefox, Microsoft Edge, and Apple Safari. It is also supported by major platforms such as Android and Windows 10.
Overall, WebAuthn provides a simpler, more secure, and more user-friendly way to authenticate to web applications, without the need for passwords.