WebAuthn: What you need to know about the future of the passwordless Web

While OS and browser makers now support the WebAuthn API, it's unclear when and how Web sites will begin implementing it.

WebAuthn is a new way of logging into websites that may finally free you from remembering passwords. Instead, you’ll use you: your fingerprint or face, or a hardware token.

The WebAuthn API is now an official standard, ratified by the World Wide Web Consortium (or W3C) on Monday. Fortunately, it’s already been built into many popular browsers as well as Windows 10. Now it’s up to the web itself to incorporate it. Here’s how it will work.

What makes WebAuthn better?

You may have heard of the Collections data breaches: millions of usernames and passwords, some linked to one another, and published to the web. In part, that’s because websites currently ask you to log in and store a username and password within the site itself. If that data leaks publicly, then bad actors can use that information to see whether you’ve used the passwords elsewhere. That can lead to a cascade effect, where hackers gain access to more and more of your personal information.

WebAuthn doesn’t ask for a password. In fact, because it creates a one-time authentication token each time you log in, it’s basically following the recommended security practice of creating a unique password for every website. And it does so without forcing you to remember a thing. 

If you don’t need a password, what do you use instead?

WebAuthn supports two main categories of authentication: biometrics and hardware security tokens. You probably understand and already use biometrics such as fingerprint recognition via sensors in your smartphone or computer; or facial recognition, such as the depth camera that works with Windows Hello on your PC. 

Windows 10 Creators Update Windows Hello IDG / Mark Hachman

Windows Hello scans your face on Windows 10 PCs with a front-facing depth camera.

Hardware tokens are a little bit more obscure. The Yubico YubiKey is one popular example of a hardware token: Instead of using a password or biometrics, you simply put a Yubikey into a USB port on your PC. This is obviously handy for PCs that lack a depth camera. A YubiKey is essentially a complex password that you keep with you at all times. If you lose it, you’ll have to notify the site in question that you’ve lost it, deactivate that key, and then purchase and activate a new one.

How does WebAuthn work?

The Sophos Naked Security blog sums up the WebAuthn process rather neatly. If you log into a website that supports WebAuthn, that site challenges your browser to ask your PC (or smartphone) to prove that you are who you are. In this case, the browser asks your trusted authenticator to supply that proof. Your authenticator could be your phone’s fingerprint reader, Windows Hello, or a hardware token.

Because the authenticator itself is trusted, you don’t have to store fingerprint data or anything unique to you on the website—unlike the current way of doing things, where passwords are stored on the site. Basically, the authenticator is an intermediary: the good friend who can vouch for you when you meet somebody new, as an impeccable character reference.

security key by yubico with finger touch resized Yubico

Yubico YubiKeys like this one plug into the USB port on your PC for authentication.

When the website asks you to log in, the browser asks your authenticator to ask you to prove yourself by touching your fingerprint, for example. The authenticator then confirms that yep, you are who you say you are, and the browser passes that encrypted confirmation back to the web server. 

There’s a bit more to it than just this, including the encryption of your data with a public key and a challenge signed with your private key that unlocks it. The idea, though, is that you’re communicating your “secret” (your fingerprint, face, or token) only within the secure confines of your PC.

Here’s another way to look at it: Let’s say your bank representative was driving to your house to drop off your cash, and you had to prove who you were. You could shout your personal information and password to the driver to verify your identity, and let the whole neighborhood listen in. But it’s far better to bring a trusted friend inside your home, prove that you are you, and then have that friend go outside and yell,”hey, everything’s cool!

Is there a WebAuthn demo?

There is a WebAuthn demo you can view. Although it’s quite slow and didn’t seem to actually create a public key, Webauthn.org shows you how it will work. 

How does WebAuthn differ from two-factor authentication?

Essentially, WebAuthn is single-factor identification: a pretty ironclad way of identifying that you are you, but that’s all. If you passed out, could someone take your finger and authenticate yourself to your banking site? If that was the only way to verify your identity (i.e., no password), then yes, conceivably. Will WebAuthn work in conjunction with existing 2FA methods? That remains to be seen.

Two-factor authentication generally combines two of these three: something you know (a password) with something you have (a smartcard or token) or something you are—basically, you. In other words, your bank may still encourage you to use WebAuthn biometric identification with a password for even better security than what’s available today.

What needs to happen to make WebAuthn a reality?

Much of the groundwork for WebAuthn has already been completed.  Windows 10Android, and Google Chrome, Mozilla Firefox, Microsoft Edge and Apple Safari (in preview) already support it.

Now, it’s up to the websites themselves to begin implementing support for WebAuthn, which may go a bit beyond simply rewriting their code to accept WebAuthn logins. It’s not clear, for example, whether a website that relies on WebAuthn will need to “fall back” to a less secure password if Windows Hello can’t recognize you for some reason, or your fingerprint reader fails as well. Those sites will also have to educate users on the advantages of using WebAuthn, and alter their login pages and the like. Do they force customers with older PCs to buy a hardware token? Probably not, but those decisions have to be made.

What happened this week, though, was an important step forward. The W3C essentially legislates web standards. With WebAuthn in place, sites are now clear to make it a reality.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Mark Hachman

Mark Hachman

PC World (US online)
Show Comments

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Jack Jeffries


As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr


The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?