WebAuthn is the authentication layer of the FIDO2 standard. Instead of depending on secrets the user must remember, it uses asymmetric cryptography. During registration, the user's authenticator (hardware security key, secure enclave, TPM, etc.) generates a public/private key pair scoped to the relying party's domain. The browser sends the public key and attestation data to the server, which stores them as a credential record. The private key never leaves the user's device.
Authentication Flow
When a user logs in, the server issues a fresh random challenge. The browser forwards this challenge to the authenticator, which verifies user presence (e.g., a button press), optionally enforces user verification (PIN or biometric), and signs the challenge with the stored private key. The server validates the signature using the previously registered public key and checks that the authenticator's signature counter has increased since the last authentication, which helps detect cloned authenticators.
Passkeys
Passkeys extend WebAuthn credentials by enabling cross‑device availability. Operating systems synchronize credentials through end‑to‑end encrypted cloud storage. A passkey can be unlocked using the device's local authentication method (Touch ID, Face ID, Windows Hello, Android biometrics) and used across browsers and devices. This removes the friction of remembering or typing anything, while maintaining hardware‑backed security.
Advantages over Passwords
- Phishing Resistance – The authenticator binds each credential to a specific origin; a phishing site cannot trick it into signing a challenge for a different domain.
- No Shared Secrets – Without a password database, the risk of credential leaks is drastically reduced. Even if a server's credential store is compromised, the attacker only gets public keys.
- Better UX – Users simply confirm a biometric prompt or touch a security key. Cross-device passkeys eliminate password resets and typing errors.
- Strong Multi‑factor – WebAuthn can satisfy "something you have" (the authenticator) and "something you are/know" (biometric or PIN) in a single gesture, achieving strong MFA with minimal effort.
- Resistance to Replay and Credential Stuffing – Challenges are single use, and private keys cannot be reused across services, thwarting replay attacks and credential stuffing.