This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at https://www.w3.org/TR/.
This document was published by the Web Authentication Working Group as a Recommendation. Feedback and comments on this specification are welcome. Please use GitHub issues. Discussions may also be found in the public-webauthn@w3.org archives.
A W3C Recommendation is a specification that, after extensive consensus-building, has received the endorsement of the W3C and its Members. W3C recommends the wide deployment of this specification as a standard for the Web.
This document has been reviewed by W3C Members, by software developers, and by other W3C groups and interested parties, and is endorsed by the Director as a W3C Recommendation. It is a stable document and may be used as reference material or cited from another document. W3C's role in making the Recommendation is to draw attention to the specification and to promote its widespread deployment. This enhances the functionality and interoperability of the Web.
This document was produced by a group operating under the 1 August 2017 W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.
This document is governed by the 15 September 2020 W3C Process Document.
1. Introduction
This section is not normative.
This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based
credentials by web applications, for the purpose of strongly authenticating users. A public key credential is
created and stored by a WebAuthn Authenticator at the behest of a WebAuthn Relying Party, subject to user
consent. Subsequently, the public key credential can only be accessed by origins belonging to that Relying Party.
This scoping is enforced jointly by conforming User Agents and authenticators.
Additionally, privacy across Relying Parties is maintained; Relying Parties are not able to detect any properties, or even
the existence, of credentials scoped to other Relying Parties.
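A Relying Party's server can confirm the scoping described above on each response it receives. The following is an added example, not part of the specification text: it assumes the authenticator data layout (a 32-byte SHA-256 hash of the RP ID first) and the `origin` member of the client data that the specification defines elsewhere, and it uses constructed sample values and hypothetical helper names (`make_sample`, `check_scope`). It covers only the scoping checks, not challenge or signature verification.

```python
import hashlib
import hmac
import json

# Constructed sample configuration (assumed values, not from the specification).
RP_ID = "example.com"
ALLOWED_ORIGINS = frozenset({"https://example.com", "https://login.example.com"})


def make_sample(rp_id, origin, flags=0x01, sign_count=1):
    """Build constructed authenticator data and client data for the checks below."""
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([flags]) + sign_count.to_bytes(4, "big"))
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": "Y29uc3RydWN0ZWQ",
                              "origin": origin}).encode()
    return auth_data, client_data


def check_scope(auth_data, client_data_json, rp_id=RP_ID, allowed_origins=ALLOWED_ORIGINS):
    """Return a list of scoping failures; an empty list means both checks passed."""
    # Authenticator data starts with rpIdHash (32 bytes), flags (1), signCount (4).
    if len(auth_data) < 37:
        return ["authenticator data shorter than 37 bytes"]
    problems = []
    expected = hashlib.sha256(rp_id.encode()).digest()
    if not hmac.compare_digest(auth_data[:32], expected):
        problems.append("rpIdHash mismatch")
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return problems + ["clientDataJSON is not valid JSON"]
    # The origin member is filled in by the user agent, not by page script.
    origin = client_data.get("origin") if isinstance(client_data, dict) else None
    if not isinstance(origin, str) or origin not in allowed_origins:
        problems.append("origin not allowed")
    return problems


if __name__ == "__main__":
    for rp, origin in [("example.com", "https://login.example.com"),
                       ("example.com", "https://lookalike.test"),
                       ("other.test", "https://example.com")]:
        print(rp, origin, check_scope(*make_sample(rp, origin)))
```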
Relying Parties employ the Web Authentication API during two distinct, but related, ceremonies involving a user. The first
is Registration, where a public key credential is created on an authenticator, and scoped to a