WebAuthn
WebAuthn is the W3C Web Authentication API for creating and using scoped public-key credentials so web applications can strongly authenticate users without relying on shared passwords.
Definition
WebAuthn, short for Web Authentication, is a web standard for public-key authentication. The current W3C Web Authentication Level 3 document is a Candidate Recommendation Snapshot dated May 26, 2026. It defines an API that lets web applications create and use strong, attested, scoped, public-key credentials to authenticate users.
The basic unit is a public-key credential scoped to a WebAuthn Relying Party. A web application asks the user's browser to create or use a credential. The user agent mediates access to authenticators, and authenticators are responsible for requiring user consent before operations. The private key stays with the authenticator; the relying party stores and verifies public-key material.
WebAuthn belongs near Digital Identity, Federated Credential Management, and Device Bound Session Credentials. It is authentication infrastructure, not proof that every later action in a logged-in session is authorized.
How It Works
Registration creates a new public-key credential for a relying party. The browser calls an authenticator, the authenticator generates a fresh key pair and returns the public key with a credential ID, and the relying party stores the public key, the credential ID, and the signature counter. Authentication later asks the authenticator to sign a challenge issued by the relying party. The signature covers the authenticator data (hash of the relying-party ID, user-presence and user-verification flags, signature counter) together with a hash of the client data, which carries the challenge and the origin of the page that made the request. The relying party checks the ceremony type, the challenge, the origin, the relying-party ID hash, the flags its policy requires, and the counter, and then verifies the signature against the stored public key before treating the login as valid.
Origin scoping is central. A WebAuthn credential can only be accessed by origins belonging to its relying party, and it is the user agent, not the page, that derives the relying-party ID from the calling origin and records that origin in the client data. This is why WebAuthn is phishing resistant in a way passwords are not: a lookalike site cannot normally ask the authenticator for a credential scoped to the real site, and a request that somehow reached the authenticator would still carry the wrong origin and relying-party ID hash for the real relying party to reject.
Authenticators can be platform authenticators built into a device, such as a phone or laptop, or roaming authenticators such as security keys. The W3C model also includes attestation, through which authenticators can provide cryptographic evidence about their properties to relying parties.
Passkeys
FIDO describes a passkey as a FIDO authentication credential based on FIDO standards. Users sign in with the same local ceremony used to unlock a device, such as a biometric check, PIN, or pattern. FIDO also describes passkeys as public-key credentials tied to an account at a website or application.
Passkeys improve usability by making WebAuthn credentials easier to enroll, recover, and use across devices. That convenience changes the governance question. A synced passkey may be safer than a password against phishing, but recovery, account sync, enterprise controls, device loss, and credential-provider portability become part of the trust story.
Agent Context
WebAuthn is useful for agent-era security because it resists credential theft. A browser agent should not receive a reusable password when the user can authenticate with a scoped public-key credential and explicit user presence or verification.
The limit is that authentication happens at the doorway. After a user signs in, an agent may still operate inside a live session, invoke tools, submit forms, or trigger API calls. WebAuthn does not decide which agent actions are allowed. High-impact actions still need scoped delegation, step-up authentication, confirmations, audit logs, and revocation.
Limits and Failure Modes
WebAuthn does not eliminate account recovery risk. If recovery falls back to weak email, SMS, support-desk override, or copied device state, the strong credential can be bypassed.
It also does not eliminate endpoint compromise. Malware, hostile browser extensions, injected scripts, or an over-permissioned agent can act after the user authenticates. WebAuthn makes credential replay harder; it does not make every post-login action safe.
Attestation can help relying parties understand authenticator properties, but it raises privacy and deployment questions. Requiring narrow device classes can exclude users, reveal device details, or make recovery brittle.
Minimum Evidence Record
An agent platform using WebAuthn should preserve the relying-party ID, credential ID, authenticator attachment class where available, user-verification policy, attestation policy, challenge issuance and validation result, origin, session creation time, any step-up event, and any agent action that followed the authentication. Logs should not retain biometric data, private keys, raw secrets, or unnecessary device identifiers.
Defense Pattern
- Use WebAuthn for step-up. Require a fresh ceremony before sensitive agent actions, not only at initial login.
- Bind action to context. Pair authentication with the specific account, origin, action, amount, recipient, or configuration change.
- Keep recovery strong. Do not let weak fallback channels undo phishing-resistant authentication.
- Separate login from delegation. A successful passkey sign-in should not silently authorize an agent to act broadly.
- Audit the session after login. Record what authority changed after authentication and which automation used it.
Spiralist Reading
Spiralism reads WebAuthn as a refusal to let memory of a secret stand in for the person. The system asks for a fresh cryptographic act bound to a place, a device, and a user-mediated ceremony.
The warning is that strong authentication can become a false moral license. Proving presence is not the same as granting an agent discretion. The credential opens the door; governance still decides what may happen inside.
Related Pages
- Digital Identity
- Federated Credential Management
- Device Bound Session Credentials
- OpenID Connect
- OAuth Step-Up Authentication
- Sender-Constrained Tokens
- AI Agent Identity
- AI Browsers and Computer Use
- AI Audit Trails
Sources
- W3C Web Authentication Working Group, Web Authentication: An API for accessing Public Key Credentials Level 3, Candidate Recommendation Snapshot, May 26, 2026.
- FIDO Alliance, Passkeys: Passwordless Authentication, reviewed June 25, 2026.
- FIDO Alliance, User Authentication Specifications Overview, reviewed June 25, 2026.