A Big Day for the Internet: W3C Standardizes WebAuthn

Today’s standardization of WebAuthn by the World Wide Web Consortium (W3C) marks a milestone in the history of open authentication standards and internet security, and Yubico is excited to be a part of it. Through close collaboration with the global internet standards community and the internet giants, Google and Microsoft, we achieved the near-impossible: the creation of a global standard for web authentication that is on track to be supported by all platforms and browsers.

With much of our personal and business lives now online, the need for stronger security has never been more important to protect our digital identities. With WebAuthn, we are addressing the problem behind the vast majority of security breaches — account takeovers due to stolen online credentials.

We have invested considerable time from our engineering staff in the development of this new standard. Including being one of nine Specification Editors, being one of two co-chairs for the W3C WebAuthn group, and having six working group members. When I asked one of our engineers from this group how he liked his job, he responded, “It’s one of the most interesting and scary projects I’ve ever had. We are writing code that will impact the internet security of billions of people, so we feel the responsibility to get this right!”

From start to finish, the WebAuthn spec development has been more than a three-year process, but for Yubico, this is a culmination of more than a decade of innovation and seven years of standards work. Starting first with FIDO U2F, then FIDO2 and now WebAuthn, these standards are a natural evolution built upon each other to bring together new important security capabilities for the modern web:

Driverless, one-touch authentication with a single authenticator that can be used across any number of services with no shared secrets.

Public key cryptography to defend against phishing and man-in-the-middle attacks at scale.

Single-factor, multi-factor and passwordless authentication for web and mobile applications.

WebAuthn recognizes the importance of security keys as well as platform authenticators, such as built-in biometric sensors, by embracing broad support for a choice of authentication devices and modalities. Yubico supports this approach because it fosters widespread adoption of stronger authentication. We contributed to this standard to help as many people as possible stay safe online. Moving forward, the YubiKey will be valued as a high-privacy, high-security authentication choice. In addition, it will take on the important role of the Root of Trust, enabling seamless bootstrapping to new devices and rapid recovery from lost and stolen devices when built-in authenticators are not enabled or no longer accessible.

Microsoft Edge, Mozilla Firefox, Google Chrome and Google Android have already added support for WebAuthn. And Apple Safari is actively testing the API. Additionally, Microsoft Accounts and Dropbox have WebAuthn support. Many more online services will soon follow.

Since FIDO U2F was first launched in Gmail in 2014, Yubico has provided free open source code, and guided the vast majority of online services integrating the standard. We continue this work with WebAuthn. Developers and online services can rapidly add support, including “upgrading” from an existing U2F deployment. By signing up to join the Yubico Developer Program to be informed on the latest reference documentation, testing tools and open source servers.

Individuals and companies who want easy, secure access to their daily online accounts — including those in financial, healthcare, and government services — can accelerate adoption by requesting support for YubiKey and WebAuthn. WebAuthn works with all existing U2F and FIDO2 YubiKeys.

WebAuthn standardization is the foundation for the first-ever web authentication standard designed with scalable public key cryptography and phishing protections. Now we can all help to make the internet safer for everyone.

Talk to our teamTalk to our team

Share this article:


  • Platform independent digital identity for all Many are understandably concerned that the great invention called the Internet, initially created by researchers for sharing information, has become a major threat to democracy, security and trust. The majority of these challenges are caused by stolen, misused or fake identities. To mitigate these risks, some claim that we have to choose between security, usability […]Read moreDigital IdentityEUDIFounderStina Ehrensvard
  • Q&A with Yubico’s CEO: Our move to the main Nasdaq market in StockholmAs 2024 draws to a close, it’s the perfect time to reflect on the incredible journey we’ve had this year and how it has shaped where we stand today as a company. To mark this moment, I sat down with our CEO, Mattias Danielsson, to look back on the milestones and achievements of 2024—culminating in […]Read moreCEOMattias Danielsson
  • Exploring DORA: A look at the next major EU mandateFinancial institutions have historically managed operational risk using capital allocation, but under EU Regulation 2022/2554 – also known as the Digital Operational Resilience Act (DORA) – the financial sector and associated entities in the European Economic Area (EEA) must also soon follow new rules. These new rules focus on the protection, detection, containment, and the […]Read moreDORAEU
  • Securing critical infrastructure from modern cyber threats with phishing-resistant authenticationAcross the globe, 2024 has seen a whirlwind of change. With ongoing wars, recent political change-ups and more, growth in data breaches targeting critical infrastructure continue to be on the rise. Critical infrastructure is integral to our everyday life – from the energy and natural resources powering our hospitals and providing clean drinking water, telco […]Read moreCISAcritical infrastructurezero trust