What is WebAuthn API?
The Web Authentication API (WebAuthn API) is a credential management application program interface (API) that enables web applications to authenticate users without storing their passwords on servers. WebAuthn API enables servers to integrate with strong authenticators built into devices, such as Apple's Touch ID and Windows Hello. WebAuthn API is an official web standard written by the World Wide Web Consortium (W3C) and the FIDO Alliance, as well as tier 1 vendors, including Microsoft, Mozilla and Google.
WebAuthn API uses a private-public key pair as a credential rather than a password. The private key is securely stored on the user's device and a public key is a randomly generated credential ID sent to the server for storage. The server then uses that public key to prove the identity of the user. The public key isn't secret because it's useless without the corresponding private key.
How WebAuthn API works
When users log in to a website that supports WebAuthn, the application offers several options for authentication using the native support within all leading browsers and platforms.
Users can register to the web service using a range of authenticators, including an authenticator built into the platform, such as biometrics (iris scan, facial recognition, fingerprint) or an external authenticator, such as a security key.
After registering, users are authenticated to the service on the device. Once registered to the service, they can elect to sign out and sign in again with whichever authenticator they prefer.
WebAuthn API is unique because it can't be used to identify users between different websites. The generated credentials are tied to the domains of the websites that produced them, providing users an additional layer of privacy.
Why is WebAuthn API important?
WebAuthn API resolves significant security problems related to data breaches, phishing, and attacks against Short Message Service texts and other two-factor authentication methods. It also significantly increases ease of use because users don't have to manage dozens of passwords.
Previously, users were required to provide shared secrets -- i.e., their passwords -- when they logged in to accounts, which were then stored on servers that may or may not be secure. Threat actors could gain access to user accounts if their passwords were stored in plaintext, the servers weren't properly secured or users' passwords were easy enough to guess or social engineer.
WebAuthn API eliminates the need for servers to store passwords. Instead, the servers register WebAuthn credentials using private-public key pairs, which also include identifiers for each user.
History of WebAuthn API
In December 2014, the FIDO Alliance, an open industry association that aims to increase web security and decrease the password burden, began working on Universal Authentication Factor (UAF) to handle user authentication in a more modern, secure way.
The UAF specification wasn't widely adopted, in part, because the necessary functionality wasn't added to major browsers, so the developers who wanted to implement it had to work around that lack of native support. In addition, there wasn't a lot of reference material on how to implement the steps to make UAF work properly on iOS and Android devices.
In November 2015, the FIDO Alliance began work on a UAF update known as Fast IDentity Online 2 (FIDO2). The alliance teamed up with W3C from 2016 through 2018 to establish a series of APIs. FIDO2 garnered support from major browser developers Microsoft, Mozilla and Google. Apple added support for FIDO2 and WebAuthn in 2019.
The main goals of FIDO2 and WebAuthn API are to do the following:
- provide more options and flexibility for user authentication;
- offer a smoother, more straightforwarduser experience;
- make it easier for developers to implement their applications; and
- ensure better security.
The FIDO Alliance and WC3 are looking to create web experiences for users that don't rely on multicharacter passwords.
Editor's note: This article was written by Linda Rosencrance in 2019. TechTarget editors revised it in 2023 to improve the reader experience.