(From official FIDO Alliance specs, W3C WebAuthn Level 3, and real implementations – December 2025)
WebAuthn (Web Authentication) is the core standard behind FIDO2 passkeys and passwordless login. It enables public-key cryptography directly in browsers for authentication – no passwords, no shared secrets.
Key 2025 Stats (FIDO Alliance):
- >8 billion passkeys registered.
- >70 % of top 100 sites support WebAuthn.
- Phishing resistance: 100 % (no credential to phish).
- Adoption: Apple, Google, Microsoft, PayPal, GitHub, Amazon (partial).
WebAuthn is part of FIDO2 = WebAuthn (browser API) + CTAP2 (authenticator protocol).
WebAuthn Architecture (2025)
| Component | Role | Example |
|---|---|---|
| Relying Party (RP) | Website/app that wants authentication | google.com, github.com |
| Client | Browser or OS | Chrome, Safari, Edge |
| Authenticator | Device that holds keys | iPhone Secure Enclave, Android StrongBox, YubiKey |
| Platform | Built-in (phone/laptop) | Apple Touch ID/Face ID |
| Roaming | External (security key) | YubiKey, Titan Key |
WebAuthn Flow – Step-by-Step (2025 Process)
1. Registration (Create Credential)
- User visits RP → “Create passkey”.
- RP calls navigator.credentials.create() with:
  - publicKey options (challenge, RP ID, user info).
- Browser forwards to authenticator.
- Authenticator:
  - Prompts biometric/PIN.
  - Generates key pair (private + public).
  - Signs challenge with private key.
  - Creates attestation (proves device genuine).
- Browser sends public key + signed challenge + attestation to RP.
- RP stores public key + credential ID.
Private key never leaves authenticator.
2. Authentication (Get Credential)
- User visits RP → “Sign in with passkey”.
- RP calls navigator.credentials.get() with challenge.
- Browser forwards to authenticator.
- Authenticator:
  - Prompts biometric/PIN.
  - Signs challenge with private key.
- Browser sends signed challenge + credential ID to RP.
- RP verifies signature with stored public key → login success.
No password transmitted – ever.
Technical Data Structures (2025)
Registration (PublicKeyCredentialCreationOptions); alg -7 is ES256, and binary fields such as challenge and user.id are shown here as placeholder strings (in the live API they are BufferSource values, or base64url strings in the Level 3 JSON form):
JSON:
```json
{
  "challenge": "random_bytes",
  "rp": {"id": "example.com", "name": "Example"},
  "user": {"id": "user_id", "name": "john", "displayName": "John Smith"},
  "pubKeyCredParams": [{"type": "public-key", "alg": -7}],
  "authenticatorSelection": {"userVerification": "required"},
  "attestation": "direct"
}
```
Authentication (PublicKeyCredentialRequestOptions):
JSON:
```json
{
  "challenge": "random_bytes",
  "rpId": "example.com",
  "allowCredentials": [{"type": "public-key", "id": "cred_id"}],
  "userVerification": "required"
}
```
Returned Attestation Object (registration):
- authData – includes AAGUID, credential ID, public key
- attStmt – signature over authData
Supported Algorithms (2025)
| Algorithm | COSE ID | Use | Security Level |
|---|---|---|---|
| ES256 | -7 | Default | High (NIST Level 3) |
| ES384 | -35 | Optional | Higher |
| ES512 | -36 | Optional | Highest |
| RS256 | -257 | Legacy | Deprecated |
| EdDSA | -8 | Emerging | Post-quantum ready |
Platform vs Roaming Authenticators
| Type | Example | Sync | Cross-Device | Security |
|---|---|---|---|---|
| Platform | iPhone Face ID | Yes (iCloud) | Yes | Highest |
| Roaming | YubiKey 5 | No | Yes | High |
Sync (2025):
- Apple: iCloud Keychain (end-to-end encrypted).
- Google: Password Manager sync.
- Microsoft: Cloud sync.
Real-World Adoption & Benefits (2025)
Sites with passkeys:
- Google, Microsoft, Apple accounts
- PayPal, eBay, GitHub, Best Buy
- Banks (Chase, BoA pilots)
Benefits:
- Phishing-proof – no credential to steal.
- Fast – biometric gesture.
- Reduced support costs – fewer password resets.
Limitations:
- Device dependency (lost device → recovery needed).
- Legacy browser support (Internet Explorer is gone, but older Android browsers still lag).
Bottom Line – December 2025
WebAuthn passkeys are the gold standard – passwordless, phishing-resistant, biometric-fast. Public-key crypto in browser – private key on device, public on server. Full migration expected 2028–2032.
For developers: Implement via WebAuthn API (navigator.credentials).
Stay safe – passkeys are the future.
Your choice.
– Based on FIDO Alliance, W3C WebAuthn Level 3 (2025).