
Web Authentication: An API for accessing Public Key Credentials - Level 2

web

This is a W3C technical web standard for authentication, tangentially relevant to AI safety only in the context of securing AI systems or mitigating social engineering; the original tags (social-engineering, voice-cloning, deepfakes) suggest it was miscategorized in this knowledge base.

Metadata

Importance: 18/100 | standard | reference

Summary

The W3C WebAuthn Level 2 specification defines a browser API for strong, phishing-resistant authentication using public key cryptography and hardware security keys or biometrics. It enables websites to replace or supplement passwords with cryptographic credentials bound to authenticator devices. This standard is a core component of the FIDO2 framework for passwordless and multi-factor authentication.

Key Points

  • Defines a JavaScript API allowing web applications to create and verify public key credentials stored on hardware authenticators or platform biometrics
  • Provides phishing resistance by binding credentials cryptographically to specific origins, preventing credential reuse across sites
  • Supports multiple authenticator types including roaming keys (USB/NFC/BLE) and platform authenticators (fingerprint/face recognition)
  • Reduces reliance on passwords, mitigating risks from phishing, credential stuffing, and social engineering attacks
  • Level 2 extends Level 1 with improved features like resident keys, user verification enhancements, and broader authenticator support

Cited by 1 page

Page | Type | Quality
AI-Powered Fraud | Risk | 69.0

Cached Content Preview

HTTP 200 | Fetched Apr 9, 2026 | 98 KB
Web Authentication: An API for accessing Public Key Credentials - Level 2

 This version:
 https://www.w3.org/TR/2021/REC-webauthn-2-20210408/ 
 Latest published version:
 https://www.w3.org/TR/webauthn-2/ 
 Editor's Draft:
 https://w3c.github.io/webauthn/ 
 Previous Versions:
 https://www.w3.org/TR/2021/PR-webauthn-2-20210225/ 
 https://www.w3.org/TR/2020/CR-webauthn-2-20201222/ 
 https://www.w3.org/TR/2020/WD-webauthn-2-20201216/ 
 https://www.w3.org/TR/2020/WD-webauthn-2-20201116/ 
 https://www.w3.org/TR/2020/WD-webauthn-2-20200730/ 
 https://www.w3.org/TR/2019/WD-webauthn-2-20191126/ 
 https://www.w3.org/TR/2019/WD-webauthn-2-20190604/ 
 https://www.w3.org/TR/2019/REC-webauthn-1-20190304/ 
 Implementation Report:
 https://www.w3.org/2020/12/webauthn-report.html 
 Issue Tracking:
 GitHub 
 Editors:
 Jeff Hodges (Google)
 J.C. Jones (Mozilla)
 Michael B. Jones (Microsoft)
 Akshay Kumar (Microsoft)
 Emil Lundberg (Yubico)
 Former Editors:
 Dirk Balfanz (Google)
 Vijay Bharadwaj (Microsoft)
 Arnar Birgisson (Google)
 Alexei Czeskis (Google)
 Hubert Le Van Gong (PayPal)
 Angelo Liao (Microsoft)
 Rolf Lindemann (Nok Nok Labs)
 Contributors:
 John Bradley (Yubico)
 Christiaan Brand (Google)
 Adam Langley (Google)
 Giridhar Mandyam (Qualcomm)
 Nina Satragno (Google)
 Nick Steele (Gemini)
 Jiewen Tan (Apple)
 Shane Weeden (IBM)
 Mike West (Google)
 Jeffrey Yasskin (Google)
 Tests:
 web-platform-tests webauthn/ (ongoing work)
 
 Please check the errata for any errors or issues reported since publication.

 
 Copyright © 2021 W3C® (MIT, ERCIM, Keio, Beihang). W3C liability, trademark and document use rules apply.

 
 
 
 Abstract 

 This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users. Conceptually, one or more public key credentials, each scoped to a given WebAuthn Relying Party, are created by and bound to authenticators as requested by the web application. The user agent mediates access to authenticators and their public key credentials in order to preserve user privacy. Authenticators are responsible for ensuring that no operation is performed without user consent. Authenticators provide cryptographic proof of their properties to Relying Parties via attestation. This specification also describes the functional model for WebAuthn conformant authenticators, including their signature and attestation functionality.

 
 Status of this document

 This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at https://www.w3.org/TR/.

 This document was published by the Web Authentication Working Group as a Recommendation.

 Feedback and c

... (truncated, 98 KB total)
Resource ID: ef2c27817118d105 | Stable ID: sid_5XtpWiiyL4