WebAuthn
ELI5 — The Vibe Check
WebAuthn is the browser API that makes passkeys work. Your website talks to the browser, the browser talks to the authenticator (fingerprint sensor, security key), and magic cryptographic handshakes happen. You never see a password because there isn't one. It's the plumbing behind passwordless login.
Real Talk
Web Authentication (WebAuthn) is a W3C standard browser API for creating and using public-key credentials for authentication. It works with platform authenticators (built into the device, unlocked by a biometric or PIN) and roaming authenticators (external security keys). The relying party (the server) stores only the public key; the private key never leaves the authenticator.
Show Me The Code
// Registration ceremony, run in the browser. `challenge` and `user.id` must be
// BufferSource values (e.g. Uint8Array), not strings: `serverChallenge` is a fresh
// random value issued by the relying party for this ceremony, `userId` an opaque
// per-account identifier (not the e-mail address).
const credential = await navigator.credentials.create({
  publicKey: {
    challenge: serverChallenge,                    // Uint8Array from the server
    rp: { name: 'My App', id: 'example.com' },     // relying party; id must match the site's domain
    user: { id: userId, name: 'user@example.com', displayName: 'User' },
    pubKeyCredParams: [{ alg: -7, type: 'public-key' }],   // -7 = ES256 (COSE algorithm id)
    authenticatorSelection: { residentKey: 'required' }    // discoverable credential, i.e. a passkey
  }
});
// credential.response.clientDataJSON and credential.response.attestationObject
// go back to the server, which verifies them and stores the public key.
When You'll Hear This
"WebAuthn handles the browser-to-authenticator communication for our passkey flow." / "The WebAuthn ceremony includes a challenge-response to prevent replay attacks."
Related Terms
Authentication (AuthN)
Authentication is proving you are who you say you are.
FIDO2
FIDO2 is the whole framework that makes passwordless authentication work — WebAuthn (browser side) plus CTAP (authenticator side).
Passkeys
Passkeys replace passwords with your fingerprint, face, or device PIN. No more remembering 'P@ssw0rd123!' — your phone or laptop IS your password.