WebAuthn

Web Authentication (WebAuthn) is a web standard published by the World Wide Web Consortium (W3C). It defines an API that websites use to authenticate with WebAuthn credentials (passkeys) and outlines what WebAuthn authenticators should do. It solves many of the issues of traditional password-based authentication by verifying the user's identity with digital signatures. Although WebAuthn is often touted as a complete replacement for passwords, most websites that implement it continue to use passwords in some capacity.

To use WebAuthn, users require a compatible authenticator. The standard does not specify how to store the keys required for signing, so a variety of authenticator types can be used. The most common authenticator type is a platform authenticator, which is built into the operating system of the device. Common platform authenticators include Android, Apple Keychain and Windows Hello. These make use of hardware security features (such as TEE and TPM), and often sync credentials between devices for ease-of-use. Another common authenticator type is a roaming authenticator, where a separate hardware device authenticates the user by connecting over USB, Bluetooth Low Energy, or near-field communications (NFC). Most smartphones can be used as roaming authenticators, and dedicated physical security keys are also used. WebAuthn is effectively backward compatible with FIDO Universal 2nd Factor (U2F) as they both use the CTAP protocol. Password managers can also be used as an authenticator, often with cloud sync. Where credentials sync is not viable or possible, WebAuthn Hybrid Transport can be used to access credentials stored on another authenticator such as a smartphone.