Web Authentication API (WebAuthn / FIDO2 / Passkeys)
WebAuthn (W3C + FIDO2) is a browser and platform API for phishing-resistant public-key authentication; the server issues a challenge, the authenticator (hardware key, platform biometric, or synced passkey) signs it, and the server verifies the signature — eliminating password transmission entirely.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
WebAuthn is the gold standard for phishing-resistant authentication: private keys never leave the authenticator, credentials are scoped to the relying party's domain (the RP ID), every signature covers the origin the browser actually observed, and the server holds only public keys, so there is no shared secret to steal or replay. The API is available only in a secure context: HTTPS, or localhost for development, with no exceptions.
⚡ Reliability
Best When
You are building user-facing authentication that must be phishing-resistant, and your users have access to a FIDO2 authenticator (modern phone, Mac, Windows Hello, or hardware key).
Avoid When
You need fully automated or headless authentication flows — WebAuthn's user-presence requirement makes it incompatible with non-interactive agent pipelines.
Use Cases
- Implement passkey (synced FIDO2 credential) registration and login for a web application so users authenticate with Face ID, Touch ID, or Windows Hello without passwords
- Add hardware security key (YubiKey, FIDO token) support as a phishing-resistant MFA step after password verification
- Perform server-side attestation verification during credential registration to enforce authenticator policy (e.g., require enterprise hardware tokens); this needs the registration call to request attestation (attestation: "direct") and the policy must decide what to do with synced passkeys, which typically return no attestation statement
- Store and manage credential IDs and public keys server-side using a library like py_webauthn or SimpleWebAuthn to handle the full assertion verification flow
- Implement cross-device authentication flows where a passkey stored on a phone is used to authenticate on a desktop browser via QR code (CTAP2 hybrid transport)
Not For
- Headless or non-browser agent contexts: WebAuthn requires a user-present authenticator interaction and cannot be driven without a human and a FIDO2 authenticator; the only non-interactive path, the WebDriver virtual authenticator, is a browser test facility, not a login mechanism
- Server-to-server machine authentication: use client certificates or OAuth Client Credentials instead; WebAuthn is designed for human presence verification
- Simple MFA via TOTP codes: WebAuthn is significantly more complex to implement; use TOTP (RFC 6238) if phishing resistance is not a hard requirement
Interface
Authentication
WebAuthn is an authentication standard, not a service. Server-side verification libraries (py_webauthn, SimpleWebAuthn, webauthn4j) are open source and need no API keys. Managed FIDO2 services (Hanko, Passage) use their own API keys.
Pricing
The WebAuthn standard and the FIDO2 specifications are free and open. Open-source server libraries (py_webauthn, BSD-3-Clause; SimpleWebAuthn, MIT; webauthn4j, Apache-2.0) are free. Costs arise only if using a managed passkey service.
Agent Metadata
Known Gotchas
- ⚠ The rpID (Relying Party ID) must be the origin's effective domain or a registrable suffix of it: rpID example.com is valid for https://login.example.com, but app.other.com is not. A mismatch is not silent; the browser rejects the call with a SecurityError DOMException. Choose the rpID once, server-side, and keep it stable, because every credential is bound to it; do not derive it from window.location.hostname at runtime, which fragments a user's credentials across subdomains. The server must also verify that rpIdHash in authenticatorData equals SHA-256(rpID)
- ⚠ Challenges must come from a CSPRNG (at least 16 bytes), be bound to the session that requested them, be compared against the challenge field of clientDataJSON, and be deleted on first use whether verification succeeds or fails. Give them a short TTL (a few minutes) so an abandoned ceremony cannot be completed later; a challenge that is never consumed or expired is replayable
- ⚠ Signature counter: the spec rule is that if either the stored or the reported counter is nonzero, the reported value must be strictly greater than the stored one; equal or lower indicates a possibly cloned authenticator and the assertion should be rejected or flagged. A reported counter of 0 against a stored 0 means the authenticator does not implement counters (typical of synced passkeys) and must not be treated as a clone, or every such login fails. Many implementations skip the check entirely
- ⚠ Encodings: attestationObject is CBOR, authenticatorData is a packed binary layout (rpIdHash, flags, counter, optional attested credential data, optional extensions), the AAGUID is 16 raw bytes inside attestedCredentialData, and the credential public key is a COSE_Key (CBOR map). Decode them with a maintained library rather than hand-rolled JSON handling, store the raw credential ID (base64url) and the public key bytes without lossy conversion, and compare credential IDs bytewise; a credential corrupted at registration can never be matched at login
- ⚠ Cross-device (hybrid) flows: the QR code and BLE proximity check are handled by the client platform over the CTAP2 hybrid transport; server-side code is unchanged, but the UX is entirely different, and on platforms without hybrid support the browser simply omits the option rather than reporting an error, so test on real devices
Alternatives
Full Evaluation Report
Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for Web Authentication API (WebAuthn / FIDO2 / Passkeys).
Scores are editorial opinions as of 2026-03-06.