
Frequently Asked Questions about WebAuthn

The following FAQs briefly introduce some of the terminology relevant to WebAuthn. Included are numerous links to additional information on Wikipedia and other sources.

Q: What is "passwordless authentication?"

Password authentication involves a shared memorized secret (i.e., a password) whereas passwordless authentication does not. WebAuthn may rely on a memorized secret (called a PIN) to unlock the authenticator, but that secret is verified locally by the authenticator and is never sent to the website, and so WebAuthn is an example of passwordless authentication.

Q: What's the difference between a password and a PIN?

By definition, a password is a shared memorized secret used in conjunction with password authentication. There is no widely recognized term for a memorized secret that is not shared, but it would be a mistake to call such a memorized secret a password. For example, WebAuthn relies on a memorized secret that is not shared: it is checked by the authenticator itself and never leaves it. By convention, that secret is called a PIN (not a password). The characters that make up the PIN are completely arbitrary; there is no requirement that the PIN be made up of digits.

Q: What is WebAuthn?

WebAuthn is short for Web Authentication, which is the formal (albeit lackluster) name of a completely new type of authentication for web-based applications. WebAuthn is strong passwordless authentication for the web.

Nearly all two-factor authentication schemes rely on a password as the first factor. In contrast, WebAuthn does not require a traditional password, yet it still provides strong multi-factor authentication.

Q: How can WebAuthn provide multi-factor authentication without a password?

WebAuthn relies on a user-controlled, multi-factor authenticator that uses public-key cryptography to digitally sign an authentication assertion. The authenticator (something you have) is unlocked by either a PIN (something you know) or a biometric (something you are); in WebAuthn terms this unlock step is called user verification. In either case, a WebAuthn authenticator provides strong multi-factor authentication without the use of a traditional password. Note that a security key that is merely touched, without a PIN or biometric, proves presence and possession only, so a website that wants passwordless multi-factor login must require user verification and check the corresponding flag in the signed assertion.

Q: What is an authenticator?

An authenticator is the means used to confirm the identity of a user. A traditional password is the simplest example of an authenticator. There are single-factor and multi-factor authenticators. Some authenticators use cryptographic methods while others do not.

A WebAuthn authenticator is a multi-factor authenticator that uses public-key cryptography. A user demonstrates possession and control of a WebAuthn authenticator by producing a signed authentication assertion in response to a fresh challenge issued by the website (the relying party) and relayed by a conforming web browser. The website verifies the signature with the public key it stored when the authenticator was registered.

Q: What browsers support WebAuthn?

By the time the WebAuthn standard was announced in March 2019, all of the major browser vendors were heavily invested in the technology, including Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera. Apple started to implement WebAuthn in the Safari web browser in December 2018.

References

  1. https://caniuse.com/#search=webauthn
  2. https://github.com/apowers313/fido2-webauthn-status

Q: Has WebAuthn been standardized?

Yes, the FIDO Alliance contributed portions of its Universal 2nd Factor technology to the World Wide Web Consortium on November 12, 2015. WebAuthn became a W3C Recommendation on March 4, 2019. This initial release of the WebAuthn specification was five years in the making.

Q: What is FIDO?

The FIDO Alliance ("Fast IDentity Online") is an open industry association whose mission is to develop and promote authentication standards that help reduce the world’s over-reliance on passwords.

Q: What is Universal 2nd Factor?

The FIDO Universal 2nd Factor (U2F) two-factor authentication protocol is intended to be used in conjunction with an ordinary web password. Since U2F relies on public-key cryptography, it does not require a shared secret beyond the password.

Q: What does WebAuthn have in common with U2F?

Together WebAuthn and the FIDO Client to Authenticator Protocol (CTAP) provide a complete replacement for Universal 2nd Factor (U2F). Both WebAuthn and U2F provide strong two-factor authentication, but U2F requires the use of a traditional password whereas WebAuthn does not. The WebAuthn protocol is backwards-compatible with a U2F-only security key (such a key can still serve as a second factor for a WebAuthn website), but the legacy U2F protocol is not compatible with a WebAuthn-only authenticator. The latter is sometimes called a FIDO2 authenticator.

Q: What is FIDO2?

The FIDO U2F authentication protocol became the starting point for the FIDO2 Project, a joint effort between the World Wide Web Consortium (W3C) and the FIDO Alliance. Project deliverables include the W3C Web Authentication (WebAuthn) standard and the FIDO Client to Authenticator Protocol (CTAP) specification. Together WebAuthn and CTAP are known as FIDO2, an umbrella term that refers to one (or both) of these technology standards.

Q: What is CTAP?

The FIDO Client to Authenticator Protocol (CTAP) enables a roaming authenticator (such as a hardware-based security key) to interoperate with a WebAuthn client platform (such as a laptop computer). A roaming authenticator that conforms to CTAP connects to a client via one or more of the following transport bindings: USB, near-field communication (NFC), or Bluetooth Low Energy (BLE).

Q: What is a roaming authenticator?

A roaming authenticator is a portable cross-platform security key intended to be used with multiple client devices. A roaming authenticator connects to the client device via a transport protocol such as USB. The authenticator often takes the form of a key fob that fits on an ordinary key ring.

Q: What is a security key?

A security key is a type of authenticator (but the term means different things to different people). Increasingly, the term "security key" specifically refers to a WebAuthn authenticator. More generally, a security key has become a synonym for a security token.

Q: So I have to carry around a security key to log in with WebAuthn?

That's one option, yes. Another option is to use a tiny security key that fits completely inside a USB port on the client device. A third option is to use a client device with a built-in security key. The latter is called a platform authenticator.
