eastbaycyber

What Is WebAuthn?

Glossary 5 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-13
Definition

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

WebAuthn is a web authentication standard that enables phishing-resistant sign-in with security keys, biometrics, and device-based passkeys instead of relying only on passwords. It is a core part of modern passwordless authentication and one of the most practical ways to reduce credential phishing and account takeover risk.

In simple terms, WebAuthn helps a website verify that you are using a trusted authenticator tied to the real site, not a fake login page.

WebAuthn definition

WebAuthn is a standard for authenticating users with public key credentials. Instead of sending a reusable secret like a password, the user signs in with a credential created on a trusted device or security key.

That authenticator may be:

  • a hardware security key
  • a built-in laptop or phone authenticator
  • a passkey stored on a device
  • a biometric-protected credential such as fingerprint or face unlock

WebAuthn is widely associated with FIDO2 and is a foundational technology behind passkeys.

How WebAuthn works

WebAuthn uses public key cryptography rather than shared secrets.

Registration creates a key pair

When a user first enrolls with a WebAuthn-enabled website or app, the authenticator generates a key pair:

  • the private key stays on the device or security key
  • the public key is shared with the application

The application stores the public key, but it never receives the private key. That is a major security difference from passwords, which are reusable secrets created and entered by the user.

Authentication uses a challenge

When the user signs in later, the application sends a cryptographic challenge. The authenticator signs that challenge with the private key, and the application verifies the result using the stored public key.

If the signature is valid, the application knows the user has the correct authenticator.

The credential is tied to the real website

One of the most important WebAuthn protections is origin binding. The authenticator checks which website is requesting authentication.

That means a credential created for one site should not work on a phishing site pretending to be that site. This is why WebAuthn is considered phishing-resistant in ways passwords, SMS codes, and many push-based prompts are not.

User verification may happen locally

Depending on how the authenticator is configured, the device may require:

  • a fingerprint
  • face recognition
  • a device PIN
  • a touch on a hardware security key

This helps verify that the person using the authenticator is the legitimate user, not just someone holding the device.

Why WebAuthn is more secure than passwords

Traditional passwords are reusable secrets. If they are phished, reused, guessed, or stolen in another breach, they can often be used directly by an attacker.

WebAuthn changes that model:

  • there is no reusable password to type into a phishing page
  • each credential is unique to a specific site
  • the private key stays on the authenticator
  • server-side breaches do not expose reusable login secrets in the same way
  • authentication is bound to the legitimate origin

That does not make compromise impossible, but it reduces some of the most common account takeover paths.

If you want a broader look at phishing-resistant identity design, see what is zero trust.

WebAuthn, passkeys, and FIDO2

These terms are related, but they are not exactly the same.

WebAuthn

WebAuthn is the web standard that allows browsers and applications to authenticate users with public key credentials.

Passkeys

A passkey is a user-friendly implementation of this model, usually synced across trusted devices in a platform ecosystem. In everyday language, many people encounter WebAuthn through passkeys.

FIDO2

FIDO2 is the broader authentication framework that includes WebAuthn and CTAP, the protocol used to communicate with authenticators such as security keys.

In practice, if an application supports passkeys or FIDO2 security keys, WebAuthn is often part of what makes that work.

When organizations use WebAuthn

You will usually encounter WebAuthn in access modernization projects.

Passwordless authentication rollouts

Organizations adopting passwordless sign-in often use WebAuthn to reduce password resets, credential theft, and help desk friction.

Phishing-resistant MFA programs

Security teams moving beyond SMS, TOTP apps, or push approvals often adopt WebAuthn-backed authenticators because they resist phishing and adversary-in-the-middle attacks better.

Protecting high-risk accounts

Administrators, developers, executives, finance staff, and IT support teams are frequent candidates for WebAuthn because their accounts are common takeover targets.

Consumer login modernization

Customer-facing apps also use WebAuthn and passkeys to simplify sign-in while reducing password reuse and fraud risk.

Stronger credential hygiene overall

Even with WebAuthn, many environments still have legacy passwords in some workflows. For those cases, a password manager like Try 1Password → can still be useful for storing unique credentials until passwordless adoption is broader.

Where WebAuthn fits in real security programs

WebAuthn is powerful, but it is not a complete security strategy by itself. Organizations still need:

  • account recovery controls
  • endpoint security
  • strong device management
  • session monitoring
  • least-privilege access
  • phishing awareness for non-WebAuthn flows

For example, strong endpoint protection still matters because a compromised device can create broader risk even if login is protected. For individual systems, tools like Get Malwarebytes → may help as part of layered endpoint defense.

You can also pair this topic with our guide to what is mfa for a broader explanation of authentication factors and where WebAuthn fits.

Final takeaway

WebAuthn is the standard that enables phishing-resistant, public key-based sign-in on the web. It helps websites and applications replace or strengthen passwords with security keys, biometrics, and passkeys tied to the real service.

If your organization is trying to reduce account takeover risk and move toward stronger authentication, WebAuthn is one of the most important standards to understand.

Last verified: 2026-05-13

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.