Skip to content

What is WebAuthn and Passkeys

Key idea:

WebAuthn (Web Authentication) — W3C standard (2019) for passwordless authentication. Users register an "authenticator" (TouchID, Windows Hello, Yubikey security key) → log in via biometrics. Passkeys — the Apple/Google/Microsoft synonym with synced keys across devices. Replaces passwords and SMS OTP. Phishing-resistant: the key only works for a specific origin.

Below: details, example, related terms, FAQ.

Check your site's security →

Details

  • Public-key cryptography: authenticator generates a keypair per site
  • FIDO2 = WebAuthn + CTAP (Client-to-Authenticator Protocol)
  • Authenticator: platform (TouchID, Face ID) or roaming (Yubikey)
  • Origin-bound: phishing-resistant (the key does not work on the wrong domain)
  • Cross-device sync: iCloud Keychain, Google Password Manager (Passkeys)

Example

navigator.credentials.create({
  publicKey: {
    challenge: randomBytes,
    rp: { name: "example.com" },
    user: { id, name, displayName },
    pubKeyCredParams: [{ alg: -7, type: "public-key" }]
  }
});

Related Terms

How WebAuthn Works

WebAuthn (Web Authentication) is a standard developed by the W3C that provides a secure method for users to authenticate themselves without the use of traditional passwords. The process involves several key steps:

  • Registration: The user registers an authenticator, which could be a hardware device like a Yubikey or a biometric system such as TouchID or Windows Hello. During this phase, the authenticator creates a unique public/private key pair.
  • Public Key Storage: The public key is sent to the server and stored alongside the user's account. The private key remains securely on the authenticator and is never shared.
  • Authentication: When logging in, the user initiates the authentication process, which prompts the authenticator to sign a challenge provided by the server. The server then verifies the signature using the stored public key.

This flow ensures that sensitive information is never transmitted over the network, drastically reducing the risk of phishing attacks. Additionally, since the private key is device-specific, even if an attacker gains access to the public key, they cannot impersonate the user without the corresponding authenticator.

Implementing WebAuthn in Your Application

Integrating WebAuthn into your web application can enhance security by enabling passwordless authentication. Below are the steps and example code snippets using JavaScript:

  1. Registration: Use the navigator.credentials.create() method to register a new user.
const publicKey = {    challenge: new Uint8Array(32),    rp: { name: 'Your App' },    user: {        id: new Uint8Array(16),        name: 'user@example.com',        displayName: 'User'    },    pubKeyCredParams: [        { type: 'public-key', alg: -7 }    ]};navigator.credentials.create({ publicKey }).then((credential) => {    // Send credential to server for registration    console.log(credential);});
  1. Authentication: Use navigator.credentials.get() to authenticate the user.
const publicKey = {    challenge: new Uint8Array(32),    allowCredentials: [        { id: new Uint8Array(16), type: 'public-key' }    ]};navigator.credentials.get({ publicKey }).then((assertion) => {    // Send assertion to server for verification    console.log(assertion);});

Ensure that your server-side code handles the registration and authentication processes securely, storing public keys and verifying signatures correctly.

Benefits of Using Passkeys

Passkeys are an evolution in secure authentication, providing significant advantages over traditional password-based systems. Here are some key benefits:

  • Password Elimination: Passkeys remove the need for users to remember complex passwords, reducing the likelihood of weak passwords and password reuse across sites.
  • Cross-Device Syncing: Major platforms such as Apple, Google, and Microsoft allow passkeys to be synced across devices, ensuring seamless access without compromising security.
  • Phishing Resistance: Since passkeys are origin-bound, they cannot be used on fraudulent websites, significantly mitigating phishing risks.
  • Enhanced User Experience: Logging in with biometrics or a security key is faster and more convenient than typing a password, improving user engagement.

In summary, adopting passkeys not only enhances security but also streamlines the user experience, making it an attractive option for developers and users alike.

HeadersCSP, HSTS, X-Frame-Options, etc.
SSL/TLSEncryption and certificate
ConfigurationServer settings and leaks
Grade A-FOverall security score

Why teams trust us

OWASP
guidelines
15+
security headers
<2s
result
A–F
security grade

How it works

1

Enter site URL

2

Security headers analyzed

3

Get grade A–F

What Does the Security Analysis Check?

The tool checks HTTP security headers, SSL/TLS configuration, server info leaks, and protection against common attacks (XSS, clickjacking, MIME sniffing). A grade fromA to F shows overall security level.

Header Analysis

Checking Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more.

SSL Check

TLS version, certificate expiry, chain of trust, HSTS support.

Leak Detection

Finding exposed server versions, debug modes, open configs, and directories.

Report with Recommendations

Detailed report explaining each issue with specific steps to fix it.

Who uses this

Security teams

HTTP header audit

DevOps

config verification

Developers

CSP & HSTS setup

Auditors

compliance checks

Common Mistakes

Missing Content-Security-PolicyCSP is the primary XSS defense. Without it, script injection is much easier.
Missing HSTS headerWithout HSTS, HTTPS-to-HTTP downgrade attacks are possible. Enable Strict-Transport-Security.
Server header exposes versionServer: Apache/2.4.52 helps attackers find exploits. Hide the version.
X-Frame-Options not setSite can be embedded in iframe for clickjacking. Set DENY or SAMEORIGIN.
Missing X-Content-Type-OptionsWithout nosniff, browsers may misinterpret file types (MIME sniffing).

Best Practices

Start with basic headersMinimum: HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy. Takes 5 minutes.
Implement CSP graduallyStart with Content-Security-Policy-Report-Only, monitor violations, then enforce.
Hide server headersRemove Server, X-Powered-By, X-AspNet-Version from responses.
Configure Permissions-PolicyRestrict camera, microphone, geolocation access — only what is actually used.
Check after every deploySecurity headers can be overwritten during server configuration updates.

Get more with a free account

Security check history and HTTP security header monitoring.

Sign up free

Learn more

Frequently Asked Questions

Passkeys vs WebAuthn?

Passkeys = marketing name for WebAuthn with cross-device sync. Technically the same thing.

Do I need new infrastructure?

No — WebAuthn works on standard HTTPS sites. Only JS API + backend validation needed.

Will it replace passwords?

Gradually. Gmail, Apple, GitHub already support it. 2026: ~15% of active users use passkeys.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.