• Get started with Web Authentication (authn)


    How does WebAuthn work?

    WebAuthn is an API that makes it very easy for a relying party, such as a web service, to integrate strong authentication into applications using support built in to all leading browsers and platforms. This means that web services can now easily offer their users strong authentication with a choice of authenticators such as security keys or built-in platform authenticators such as biometric readers.

    Who authored WebAuthn?

    WebAuthn was developed under the umbrella of the World Wide Web Consortium (W3C). Yubico along with Microsoft and Google are leading contributors.

    A new standard for web authentication

    Making it easy to be secure online

    Supported by all the leading browsers and web platforms, WebAuthn greatly simplifies and standardizes the integration of strong authentication into web and mobile applications.

    Strong authentication the way you like it

    WebAuthn makes it easy to offer users strong authentication using a choice of authenticators, such as the YubiKey, and built-in platform authenticators, such as a fingerprint sensor.

    Going beyond passwords for stronger security

    WebAuthn uses asymmetric (public-key) cryptography, with phishing protections built into the browser and platform, for registering and authenticating with websites.

    WebAuthn + YubiKey

    Discover the services that support WebAuthn.


    How WebAuthn works

    User registers to a web service

    The user arrives on a website on their device.

    When logging into the website, the application offers the user several options for authentication using native support within all leading browsers and platforms.

    User chooses an authenticator

    The user can register to the web service using a wide choice of authenticators, including an external authenticator, such as a security key, or an authenticator that is built into the platform, such as biometrics (fingerprint, iris scan, facial recognition).

    The recommended approach is for the user to first register using an external authenticator that is phishing resistant, and then transfer that trust (bootstrap) to a built-in platform authenticator for subsequent authentication. The benefit of this approach is that if the device is compromised in any way (lost or stolen), then the user still has an external authenticator as a portable root of trust that can be used to quickly onboard a new device and re-authenticate to the web service.

    User authenticates to the web service

    After the registration step, the user is authenticated to the service on the device.

    Once the user has registered to the service, they can choose to sign out and sign in again with whichever authenticator they prefer.
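
    The registration and sign-in steps above rely on public-key signatures whose signed data includes the origin the browser is actually on, which is where the phishing protection comes from. The following is an added example, not Yubico's code or code from this page: a simplified Node.js model of the relying party's checks (no CBOR or attestation). `login.example`, `signAssertion`, `verifyAssertion` and `runScenarios` are hypothetical names, and the stand-in authenticator reuses one key for any origin, which a real authenticator does not.

```javascript
const crypto = require("node:crypto");
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Constructed relying party values (assumptions, not from the page).
const RP_ID = "login.example";
const RP_ORIGIN = "https://login.example";

// Registration: the authenticator makes a key pair; the server stores only the public key.
const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });

// Hypothetical stand-in for browser + authenticator. The browser records the origin it is
// really on; the authenticator signs authenticatorData || SHA-256(clientDataJSON).
function signAssertion(challenge, browserOrigin) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get",
    challenge: challenge.toString("base64url"),
    origin: browserOrigin,
  }));
  const rpIdHash = sha256(new URL(browserOrigin).hostname);
  // rpIdHash (32 bytes) + flags (bit 0 = user present) + 4-byte signature counter
  const authenticatorData = Buffer.concat([rpIdHash, Buffer.from([0x01]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: crypto.sign("sha256", signed, privateKey) };
}

// Relying party side: returns "ok" or the name of the first check that failed.
function verifyAssertion({ clientDataJSON, authenticatorData, signature }, expectedChallenge, storedKey) {
  const clientData = JSON.parse(clientDataJSON.toString("utf8"));
  if (clientData.type !== "webauthn.get") return "bad type";
  const got = Buffer.from(String(clientData.challenge), "base64url");
  if (got.length !== expectedChallenge.length || !crypto.timingSafeEqual(got, expectedChallenge)) return "bad challenge";
  if (clientData.origin !== RP_ORIGIN) return "bad origin";
  if (!authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return "bad rpIdHash";
  if ((authenticatorData[32] & 0x01) === 0) return "user not present";
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return crypto.verify("sha256", signed, storedKey, signature) ? "ok" : "bad signature";
}

// Genuine sign-in, the same challenge answered from a look-alike origin, and a stale replay.
function runScenarios() {
  const challenge = crypto.randomBytes(32);
  const genuine = signAssertion(challenge, RP_ORIGIN);
  const lookalike = signAssertion(challenge, "https://login.example.lookalike.test");
  return {
    genuine: verifyAssertion(genuine, challenge, publicKey),
    lookalike: verifyAssertion(lookalike, challenge, publicKey),
    replay: verifyAssertion(genuine, crypto.randomBytes(32), publicKey),
  };
}
console.log(runScenarios());
```

    Production relying parties should use a maintained WebAuthn server library rather than hand-rolled checks like these.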

    Rapid recovery from lost/stolen devices

    Allowing users to self-register multiple authenticators to each service makes it possible to rapidly recover from a lost/stolen device.

    With WebAuthn, an external authenticator, such as a security key, now becomes a portable root of trust enabling rapid recovery and bootstrapping of new devices.

    WebAuthn authenticators—what are my choices?

    Built into the computer/phone

    Referred to as platform authenticators in the WebAuthn specification:

    • Biometrics with TPM or TEE/secure enclave
    • Fingerprint reader
    • Face/iris/voice recognition
    • PIN/pattern/passphrase with TPM or TEE/secure enclave

    Security keys

    Referred to as roaming authenticators in the WebAuthn specification:

    • Touch sensor with secure element
    • PIN and touch sensor with secure element
    • Software authenticators

    Learn more

    A big day for the internet: W3C standardizes WebAuthn

    10 Things You’ve Been Wondering About FIDO2, WebAuthn, and a Passwordless World

    Web Authentication: An API for Accessing Public Key Credentials – Level 1

    Try WebAuthn on the Yubico WebAuthn demo site

    View the full OS and web browser support matrix for FIDO2/WebAuthn

    WebAuthn developer resources

    With WebAuthn, developers are able to experience rapid deployment of strong authentication capabilities. Yubico provides the following developer resources for rapid integration of WebAuthn.

    Open source WebAuthn server

    Server libraries

    Host libraries

    For additional resources, please visit our developer site
