What is WebAuthn?

www.w3.org/TR/webauthn

WebAuthn is a browser API for authenticating users without passwords. Instead of a password, it uses a hardware authenticator such as a YubiKey, or hardware built into the device, such as Touch ID or Windows Hello.

Can I Use WebAuthn?

Does WebAuthn Replace OAuth?

No! In fact, WebAuthn and OAuth work great together! While WebAuthn can often take the place of using a specific third-party OAuth API for authentication, WebAuthn isn't trying to solve the same problems OAuth solves.

WebAuthn authenticates users, so if that's all you're using OAuth for (you shouldn't), then you may not need OAuth! But if you're using OAuth in order to access an API, then you'll still need OAuth, as that's how you get an access token.

WebAuthn may end up replacing the step in OAuth where the user enters their password, since WebAuthn is a replacement for password authentication. But WebAuthn won't provide an app with an access token to make API requests, since that's not what it's designed for.
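
An added example, not code from the original page: the server-side check that takes the place of the password comparison in an authorization server's login step, written for Node.js. The function names, the `login.example` origin and the user `alice` are assumptions, the authenticator is simulated with a constructed key pair, and a production relying party would also enforce the signature counter and its user-verification policy.

```javascript
const crypto = require('node:crypto');
const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();

// Relying-party check of a WebAuthn assertion for an ES256 (P-256) credential.
function verifyAssertion(a, expected) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return false;
  if (client.challenge !== expected.challenge) return false; // stale or replayed
  if (client.origin !== expected.origin) return false;       // signed for another site
  if (a.authenticatorData.length < 37) return false;
  const rpIdHash = a.authenticatorData.subarray(0, 32);
  if (!rpIdHash.equals(sha256(Buffer.from(expected.rpId)))) return false;
  if ((a.authenticatorData[32] & 0x01) === 0) return false;  // user-present flag
  // The authenticator signs authenticatorData || SHA-256(clientDataJSON).
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, expected.publicKey, a.signature);
}

// Hypothetical login step of an OAuth authorization server: this replaces the
// password comparison and yields an identity only. The access token is still
// issued later by the OAuth token endpoint.
function loginStep(assertion, expected) {
  return verifyAssertion(assertion, expected) ? { userId: expected.userId } : null;
}

// Constructed stand-in for the browser plus authenticator, so this runs offline.
function makeAssertion(privateKey, { challenge, origin, rpId }) {
  const clientDataJSON = Buffer.from(
    JSON.stringify({ type: 'webauthn.get', challenge, origin }));
  const authenticatorData = Buffer.concat([
    sha256(Buffer.from(rpId)), // rpIdHash
    Buffer.from([0x05]),       // flags: user present + user verified
    Buffer.from([0, 0, 0, 1]), // signCount
  ]);
  const toSign = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData,
           signature: crypto.sign('sha256', toSign, privateKey) };
}

function demo() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }); // P-256
  const expected = { userId: 'alice', publicKey, rpId: 'login.example',
    origin: 'https://login.example',
    challenge: crypto.randomBytes(32).toString('base64url') };
  const good = loginStep(makeAssertion(privateKey, expected), expected);
  const otherOrigin = loginStep(makeAssertion(privateKey,
    { ...expected, origin: 'https://login.example.test' }), expected);
  return { good, otherOrigin };
}
```

The server stores only the credential's public key, and each assertion is bound to a fresh challenge and to the site's origin, so there is no shared secret to steal or replay.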

Demos

Documentation

Articles

Platform-Specific Information