| WebAuthn | |
|---|---|
| Name | WebAuthn |
| Developer | World Wide Web Consortium |
| Initial release | 2018 |
| Latest release | 2021 |
| Type | Web authentication standard |
| Website | W3C |
WebAuthn is a web standard for public-key-based authentication that enables strong, phishing-resistant sign-in using authenticators such as hardware security keys, platform authenticators, and biometrics. It was developed to replace password-only authentication with cryptographic assertions usable by browsers and relying parties, integrating with existing web frameworks and identity infrastructures. Major technology organizations, browser vendors, hardware manufacturers, and standards bodies contributed to its design and deployment.
WebAuthn defines an API that lets web applications create and use public key credentials via authenticators provisioned by Yubico, Google, Microsoft, Apple Inc., Mozilla, Samsung Electronics, and other vendors. The specification complements related standards like FIDO2 Project and FIDO Alliance's protocols, and interoperates with identity protocols such as OAuth 2.0, OpenID Foundation, SAML 2.0, and SCIM. Browser support includes Google Chrome, Mozilla Firefox, Microsoft Edge, and Apple Safari. Authentication methods span external tokens like YubiKey and SoloKeys, platform authenticators embedded in devices from Intel, AMD, and Qualcomm, and biometric modules certified under schemes like Common Criteria. The API abstracts attestation formats including packed attestation, TPM attestation, and Android SafetyNet attestation.
Work on public-key web authentication progressed through initiatives by the FIDO Alliance and the World Wide Web Consortium. Early prototypes and research referenced projects at MIT, Stanford University, and ETH Zurich. The specification drafts were discussed at IETF meetings and influenced by cryptographic research from NIST and academic conferences such as the USENIX Security Symposium and the IEEE Symposium on Security and Privacy. Significant milestones include integration with W3C Working Groups, publication as a W3C Recommendation, and adoption announcements by companies including Google LLC, Microsoft Corporation, Apple Inc., Amazon.com, and Facebook, Inc.
The protocol uses asymmetric cryptography based on algorithms like RSA, Elliptic-curve cryptography, Ed25519, and ECDSA. Core components include the relying party (web application), the client (browser or user agent), and the authenticator (hardware token or platform module). Attestation formats include X.509 attestations and metadata from FIDO Metadata Service to support device provenance and risk assessment. Transport layers include interfaces such as CTAP2 over USB, NFC, and BLE, and platform APIs in operating systems like Windows 10, iOS, Android, and macOS. The protocol defines ceremonies for registration (credential creation), assertion (authentication), and attestation statements used in enterprise integrations like Active Directory and identity providers such as Okta, Ping Identity, and Auth0.
WebAuthn is used for consumer account sign-in by Google Accounts, Microsoft Azure Active Directory, Apple ID, Dropbox, GitHub, GitLab, Salesforce, LinkedIn, Twitter, and Amazon Web Services. Enterprises apply it for workforce authentication with vendors like Okta, Duo Security, Ping Identity, CyberArk, IBM Security, and Microsoft Entra ID. Financial institutions pilot deployments with partners including Visa, Mastercard, JPMorgan Chase, Bank of America, HSBC, and payment processors such as PayPal. WebAuthn is integrated into developer ecosystems like Node.js, Angular, React, Django, Ruby on Rails, Spring Framework, and cloud platforms including Google Cloud Platform, Microsoft Azure, and Amazon Web Services.
The design mitigates phishing and replay attacks by binding credentials to origins verified by browsers like Google Chrome and Mozilla Firefox. It addresses device compromise scenarios using hardware security from vendors like Yubico and Feitian Technologies and leverages secure elements produced by NXP Semiconductors and Infineon Technologies. Attestation and metadata help assess supply chain risk, informed by standards from NIST and certification bodies such as Common Criteria and FIDO Certified programs. Threats include side-channel attacks analyzed in research from Cryptographic Research, Inc., University of California, Berkeley, and Cambridge University, as well as software-layer vulnerabilities disclosed through programs at Microsoft Security Response Center and Google Project Zero.
Major browser vendors implemented WebAuthn APIs in releases by Google Chrome, Mozilla Firefox, Microsoft Edge, and Apple Safari. Hardware authenticator manufacturers include Yubico, SoloKeys, Feitian, and NXP, while platform support is provided by Apple Inc. in iOS and macOS, by Google LLC in Android, and by Microsoft Corporation in Windows Hello. Identity and access management products from Okta, Ping Identity, Auth0, Duo Security, and CyberArk offer WebAuthn integrations. Open-source libraries and projects that facilitate adoption include webauthn.io, fido2-lib, WebAuthn4J, Yubico Libfido2, Go FIDO2, and server frameworks in Node.js, Python, Java, and Ruby.