What is WebAuthn?

WebAuthn is a new W3C global standard for secure authentication on the Web supported by all leading browsers and platforms.

WebAuthn keeps you safe online

WebAuthn makes it easy to offer users a choice of authenticators to protect their accounts, including security keys, and built-in platform biometric sensors.

The average user has 90 online accounts to manage. WebAuthn makes it easier to protect online accounts.

WebAuthn offers stronger account security than just a username and password. Stolen passwords account for 81% of breaches with each breach costing an organization an average of $3.9M.*

*Source: Verizon 2017 Data Breach Investigations report

How does WebAuthn work?

WebAuthn is an API that makes it very easy for a relying party, such as a web service, to integrate strong authentication into applications using support built in to all leading browsers and platforms. This means that web services can now easily offer their users strong authentication with a choice of authenticators such as security keys or built-in platform authenticators such as biometric readers.

Who authored WebAuthn?

WebAuthn was developed under the umbrella of the World Wide Web Consortium (W3C). Yubico along with Microsoft and Google are leading contributors.

A new standard for web authentication

Making it easy to be secure online

Supported by all the leading browsers and web platforms, WebAuthn greatly simplifies and standardizes the integration of strong authentication into web and mobile applications.

Strong authentication the way you like it

WebAuthn makes it easy to offer users strong authentication using a choice of authenticators such as the YubiKey and built-in platform authenticators such as a fingerprint sensor.

Going beyond passwords for stronger security

WebAuthn uses asymmetric (public-key) cryptography, with phishing protections built into the browser and platform, for registering and authenticating with websites.

WebAuthn + YubiKey

Discover the services that support WebAuthn.

Microsoft logo
onelogin logo
PingIdentity logo

How WebAuthn works

User registers to a web service

The user arrives on a website on their device.

When logging into the website, the application offers the user several options for authentication using native support within all leading browsers and platforms.

User chooses an authenticator

The user can register to the web service using a wide choice of authenticators, including an external authenticator, such as a security key or an authenticator that is built into the platform, such as biometrics (fingerprint, iris scan, facial recognition).

The recommended approach is for the user to first register using an external authenticator that is phishing resistant, and then transfer that trust (bootstrap) to a built-in platform authenticator for subsequent authentication. The benefit of this approach is that if the device is compromised in any way (lost or stolen), then the user still has an external authenticator as a portable root of trust that can be used to quickly onboard a new device and re-authenticate to the web service.

User authenticates to the web service

After the registration step, the user is authenticated to the service on the device.

Once the user has registered with the service, they can sign out and sign in again with whichever authenticator they prefer.

Rapid recovery from lost/stolen devices

Allowing users to self-register multiple authenticators to each service makes it possible to rapidly recover from a lost/stolen device.

With WebAuthn, an external authenticator, such as a security key, now becomes a portable root of trust enabling rapid recovery and bootstrapping of new devices.

WebAuthn authenticators—what are my choices?

Built into the computer/phone

Referred to as platform authenticators in the WebAuthn specification:

  • Biometrics with TPM or TEE/secure enclave
  • Fingerprint reader
  • Face/iris/voice recognition
  • PIN/pattern/passphrase with TPM or TEE/secure enclave

Security keys

Referred to as roaming authenticators in the WebAuthn specification:

  • Touch sensor with secure element
  • PIN and touch sensor with secure element
  • Software authenticators

Learn more

A big day for the internet: W3C standardizes WebAuthn

10 Things You’ve Been Wondering About FIDO2, WebAuthn, and a Passwordless World

Web Authentication: An API for Accessing Public Key Credentials – Level 1

Try WebAuthn on the Yubico WebAuthn demo site

View the full OS and web browser support matrix for FIDO2/WebAuthn

WebAuthn developer resources

With WebAuthn, developers are able to experience rapid deployment of strong authentication capabilities. Yubico provides the following developer resources for rapid integration of WebAuthn.

Open source WebAuthn server

Server libraries

Host libraries

For additional resources, please visit our developer site
