NEW
Report & API Now Live! Data insights report and open data API endpoints live as of September 23, 2025

Web Authentication: An API for accessing Public Key Credentials Level 1

type
Standard
Documentation

Description

Description
Source

Web Authentication (WebAuthn) is a web standard that enables strong authentication using public key cryptography. It allows web applications to create and use cryptographically secure credentials for user authentication, replacing or supplementing password-based authentication. The API enables websites to register and authenticate users using platform authenticators (like biometric sensors or TPMs built into devices) or roaming authenticators (like USB security keys).

The standard defines a complete authentication framework where credentials are created during a registration ceremony and later used during authentication ceremonies. During registration, the authenticator generates a new public-private key pair and the public key is stored by the website. For subsequent authentications, the authenticator proves possession of the private key by signing a challenge.

Key features include:

  • Strong cryptographic authentication using public key credentials
  • Support for both platform-integrated and external security keys
  • Protection against phishing through origin-binding of credentials
  • Optional attestation to verify authenticator security properties
  • Privacy preservation through scoped credentials
  • Support for multiple authentication factors including biometrics
  • Extensibility through a defined extensions framework

The API is designed to be secure against various attacks while maintaining user privacy. Credentials are scoped to specific origins and cannot be used across different sites. The standard also includes provisions for attestation, allowing websites to verify the security properties and provenance of authenticators being used.

Purpose and Scope:

  • Defines an API for web applications to interact with authenticators
  • Specifies formats for registration and authentication data
  • Details requirements for conforming authenticators
  • Establishes security and privacy requirements
  • Enables strong authentication without shared secrets

Key Technical Specifications:

  • PublicKeyCredential interface extending the Credential Management API
  • AuthenticatorResponse interface for attestation and assertion responses
  • Authenticator Data structure containing signed metadata
  • Attestation formats for verifying authenticator properties
  • CBOR encoding for authenticator communication
  • Support for multiple cryptographic algorithms

Implementation Requirements:

  • Authenticators must implement specified operations:
    • authenticatorMakeCredential for registration
    • authenticatorGetAssertion for authentication
    • Support for user presence/verification
  • Clients must:
    • Mediate between web apps and authenticators
    • Enforce origin restrictions
    • Handle attestation conveyance
    • Process extensions

Security Considerations:

  • Origin-bound credentials prevent phishing
  • User verification requirements configurable
  • Attestation for verifying authenticator security properties
  • Protection against replay attacks using challenges
  • Privacy preservation through scoped credentials

Interoperability Features:

  • Standard attestation formats
  • Common data structures and encodings
  • Defined extension points
  • Cross-platform authenticator support

Current Adoption:

  • Supported in major browsers
  • Growing ecosystem of compatible authenticators
  • Increasing adoption by major web platforms
  • FIDO Alliance certification program

Statistics

Projects Following
Source
0

Under Management at

Project
Website
Source

Projects Following or working on this Standard

If you are featured in the Web of Trust Map and wish to exercise your GDPR rights, including the right to be forgotten, visit the privacy policy page