WebAuthn / Passkeys
A web standard for passwordless, phishing-resistant authentication using public-key cryptography with hardware or platform authenticators.
Description
WebAuthn (Web Authentication) is a W3C standard and a core component of the FIDO2 framework that enables passwordless authentication using public-key cryptography. Instead of passwords, users authenticate using platform authenticators (fingerprint sensors, Face ID, Windows Hello) or roaming authenticators (hardware security keys like YubiKey). The browser's navigator.credentials API mediates the interaction between the web application (relying party) and the authenticator, ensuring credentials are scoped to the specific origin and preventing phishing.
Passkeys are the consumer-friendly evolution of WebAuthn, backed by Apple, Google, and Microsoft. They use discoverable credentials (resident keys) stored in the platform's credential manager and synced across devices via iCloud Keychain, Google Password Manager, or Windows Hello. Syncing removes the single point of failure that losing a hardware key represents while keeping the same cryptographic guarantees. During registration, the authenticator generates a key pair, stores the private key securely, and returns the public key and credential ID to the server. During authentication, the server sends a challenge, the authenticator signs it with the private key, and the server verifies the signature with the stored public key.
Implementation requires a server-side library (such as SimpleWebAuthn for Node.js or py_webauthn for Python) to handle the attestation (registration) and assertion (authentication) ceremonies. The relying party must store, per user, each credential ID, its public key, and its sign count. On each authentication, verify that the origin and rpID match, that the challenge is the one the server issued for this ceremony, and that the sign counter has advanced; a counter that fails to advance is the signal that the private key may have been cloned. Support both platform and cross-platform authenticators, and provide fallback authentication methods for users without WebAuthn-capable devices.
Prompt Snippet
Implement WebAuthn registration and authentication using @simplewebauthn/server and @simplewebauthn/browser. During registration, call navigator.credentials.create() with rpName, rpID (your domain), user info, and supported algorithms (ES256, RS256). Store the credentialID, publicKey, and signCount in a credentials table linked to user_id. During authentication, call navigator.credentials.get() with a server-generated challenge, verify the assertion signature, check origin and rpID match, and verify signCount is strictly incrementing. Support discoverable credentials (passkeys) for username-less login. Provide TOTP as fallback for non-WebAuthn browsers.
Related Terms
Multi-Factor Authentication (MFA)
An authentication method requiring users to provide two or more verification factors from different categories (knowledge, possession, inherence) to gain access.
TOTP (Time-Based One-Time Passwords)
A one-time password algorithm that generates short-lived codes based on a shared secret and the current time, commonly used as a second authentication factor.
Magic Link Authentication
A passwordless authentication method that sends a unique, time-limited login link to the user's email address, granting access when clicked.
Password Hashing (bcrypt/argon2)
The practice of transforming passwords into irreversible hashes using intentionally slow, memory-hard algorithms to protect credentials at rest.
SSO (Single Sign-On)
An authentication scheme that allows users to authenticate once and gain access to multiple independent applications without re-entering credentials.