What is WebAuthn (Web Authentication)?
A W3C standard for strong, phishing-resistant authentication using public-key cryptography tied to the user's device or security key.
Full explanation
WebAuthn (paired with FIDO2) replaces passwords with cryptographic credentials bound to the origin. The user's device proves possession of a private key by signing a server-issued challenge; the server verifies the signature against the public key registered for that user. It is phishing-resistant because the credential is scoped to the origin it was registered for, so it cannot be exercised from a different origin such as a lookalike site. Implementations include hardware security keys, platform authenticators (Touch ID, Face ID, Windows Hello), and passkeys.
Example
A user registers a passkey on their iPhone. On every subsequent sign-in, iOS prompts for Face ID; the phone signs a server challenge with the registered private key. No password is involved.
FAQ
What is the difference between WebAuthn and a passkey?
WebAuthn is the protocol. A passkey is a specific kind of WebAuthn credential whose private key can be synced across the user's devices via iCloud Keychain, Google Password Manager, 1Password, and similar services.