How does WebAuthn work?
WebAuthn is an API that makes it easy for a relying party, such as a web service, to integrate strong authentication into applications using support built into all leading browsers and platforms. This means that web services can now easily offer their users strong authentication with a choice of authenticators, such as security keys or built-in platform authenticators like biometric readers.
Who authored WebAuthn?
WebAuthn was developed under the umbrella of the World Wide Web Consortium (W3C). Yubico along with Microsoft and Google are leading contributors.
A new standard for web authentication
Making it easy to be secure online
Supported by all the leading browsers and web platforms, WebAuthn greatly simplifies and standardizes the integration of strong authentication into web and mobile applications.
Strong authentication the way you like it
WebAuthn makes it easy to offer users strong authentication using a choice of authenticators, such as the YubiKey, and built-in platform authenticators, such as a fingerprint sensor.
Going beyond passwords for stronger security
WebAuthn uses asymmetric (public-key) cryptography, with phishing protections built into the browser and platform, for registering with and authenticating to websites.
WebAuthn + YubiKey
Discover the services that support WebAuthn.
How WebAuthn works
User registers to a web service
The user arrives on a website on their device.
When logging into the website, the application offers the user several options for authentication using native support within all leading browsers and platforms.
User chooses an authenticator
The user can register to the web service using a wide choice of authenticators, including an external authenticator, such as a security key, or an authenticator that is built into the platform, such as biometrics (fingerprint, iris scan, facial recognition).
The recommended approach is for the user to first register using an external authenticator that is phishing resistant, and then transfer that trust (bootstrap) to a built-in platform authenticator for subsequent authentication. The benefit of this approach is that if the device is compromised in any way (lost or stolen), then the user still has an external authenticator as a portable root of trust that can be used to quickly onboard a new device and re-authenticate to the web service.
User authenticates to the web service
After the registration step, the user is authenticated to the service on the device.
Once the user has registered to the service, they can choose to sign out and sign in again with whichever authenticator they prefer.
Rapid recovery from lost/stolen devices
Allowing users to self-register multiple authenticators to each service makes it possible to rapidly recover from a lost/stolen device.
With WebAuthn, an external authenticator, such as a security key, now becomes a portable root of trust enabling rapid recovery and bootstrapping of new devices.
WebAuthn authenticators—what are my choices?
Built into the computer/phone
Referred to as platform authenticators in the WebAuthn specification:
- Biometrics with TPM or TEE/secure enclave
- Fingerprint reader
- Face/iris/voice recognition
- PIN/pattern/passphrase with TPM or TEE/secure enclave
Referred to as roaming authenticators in the WebAuthn specification:
- Touch sensor with secure element
- PIN and touch sensor with secure element
- Software authenticators
WebAuthn developer resources
With WebAuthn, developers can deploy strong authentication capabilities rapidly. Yubico provides the following developer resources for rapid integration of WebAuthn.
Open source WebAuthn server
View WebAuthn server
View server libraries
View host libraries
For additional resources, please visit our developer site