Definition
WebAuthn (Web Authentication) is a W3C standard (Recommendation since 2019) developed with the FIDO Alliance; together with CTAP, the protocol between browser and external authenticator, it forms FIDO2. It lets a site request strong authentication based on asymmetric cryptography: a fresh challenge signed with a private key the site never holds.
The user proves control of a registered credential through an authenticator (a hardware key, Touch ID, Windows Hello, Face ID), without ever entering a password. Passkeys are its evolution (2022+): WebAuthn credentials synced across the user's devices through the platform vendor's cloud (iCloud Keychain, Google Password Manager) or used cross-device by scanning a QR code. They are now the mainstream direction for consumer authentication.
How it works
At registration, the authenticator generates a key pair specific to the site (scoped to its Relying Party ID, normally the registrable domain): the site stores the public key and a credential ID. The private key stays in the authenticator's secure element for device-bound credentials; for synced passkeys it is replicated only between the user's own devices, end-to-end encrypted. At sign-in, the site sends a fresh random challenge; the browser wraps it with the origin the user is actually on in clientDataJSON, the authenticator signs that together with its own authenticator data after user verification (biometrics or PIN), and the site checks the challenge, the origin and the signature against the stored public key.
The credential is bound to the domain (origin binding): the browser only offers a credential to the site whose Relying Party ID it was registered for, and the real origin is part of the signed data. A lookalike examp1e.com therefore cannot obtain a usable assertion, even by relaying the genuine site's challenge in real time, which is what defeats credential phishing.
The 3 key properties
- Phishing-proof: the credential only works on the origin it was registered for, and there is nothing the user could be tricked into typing elsewhere.
- No shared secret: the server stores only public keys, so a database breach yields nothing that can be used to log in.
- Smooth UX: a Touch ID is enough, with no SMS or TOTP code to copy.
Authenticators
- Platform (built-in): Touch ID/Face ID, Windows Hello, Android biometrics; free, but historically bound to one device (before passkey sync).
- Roaming (external): YubiKey, Titan Security Key, Feitian; portable and usable across devices, but they have to be bought and carried, and can be lost, so register a second key as a backup.
Passkeys: the evolution
Passkeys sync credentials across devices (iCloud Keychain, Google Password Manager, Microsoft account), enable cross-device authentication via QR code plus a Bluetooth proximity check, and are managed by password managers (1Password, Dashlane, Bitwarden). The upshot: far fewer lockouts when changing phones. The trade-off: a synced passkey is only as safe as the cloud account and the devices that hold it, so that account's recovery process becomes the weakest link.
Comparison
| Mechanism | Phishable? | Strength | UX |
|---|---|---|---|
| Password | Yes | Weak | Medium |
| SMS OTP | Yes (SIM swap, relay) | Medium | Weak |
| TOTP | Yes (real-time relay) | Medium | Medium |
| Push (bank app) | Partly (push fatigue) | Medium | Good |
| WebAuthn / Passkeys | No (origin-bound) | Strong | Excellent |
eIDAS level and SCA
As an authentication means, WebAuthn fits the Substantial level (a certified authenticator plus local user verification) and can be part of a High level scheme with certified hardware (for example a FIPS-certified YubiKey) and face-to-face enrolment; the level is assessed on the whole scheme, enrolment and credential management included, not on the authenticator alone. For PSD2 SCA it combines inherence (biometrics) or knowledge (a PIN) with possession (the authenticator): two independent factors in a single gesture. EU banks are adopting it gradually.
What WebAuthn / Passkeys do not solve
- Not identity: it proves control of a registered credential, not who the person is (initial identity proofing, KYC, is still required).
- Not authorisation: it authenticates; what the user may then do is still decided by the application (OAuth scopes, roles).
- Not theft of an unlocked device, nor malware on it: whoever controls the unlocked device can use the credential, and the session token issued after login is an ordinary bearer token. Mitigated by requiring user verification (biometrics or PIN) on every assertion and by short sessions.
- Not universal: old browsers and some embedded webviews do not support it, so a fallback is needed; that fallback becomes the phishable path, so it must be as strong as possible.
- Not remote KYC: opening an account still requires proving your identity (national eID card, EUDI Wallet).
What WebAuthn / Passkeys are not
- Not an identity wallet: an authentication key, not a container of attributes (vs the EUDI Wallet).
- Not a hashed password: there is no secret on the server to hash; the server stores a public key and verifies signatures.
- Not a "biometric key": biometric data never leaves the device and is never sent to the site; it only unlocks the private key locally.
- Not FIDO U2F: U2F (CTAP1) provided a second factor only; FIDO2/WebAuthn adds discoverable credentials and user verification, which is what enables passwordless sign-in. Existing U2F keys still work as second factors through WebAuthn.
Within the PSD2 / Open Finance ecosystem
It is the natural evolution of SCA: growing adoption by banks (app and web portal), use on the TPP side for the back office, unlocking the EUDI Wallet, and integration into Click to Pay for a passwordless card checkout.
Real-world examples
- Apple ID, Google Account: passkeys-first since 2022-2023.
- GitHub: 2FA passkey widely adopted by developers.
- Boursobank, N26, Revolut: app login via passkeys / local biometrics.
- Click to Pay: an EMVCo standard based on WebAuthn for card-free checkout.
- France Identité: uses FIDO2-like credentials for local biometric authentication.
- SIM swap: the fraud that destroyed trust in SMS OTP; WebAuthn takes the phone number out of the loop entirely.
- YubiKey: after issuing security keys to all its employees in 2017, Google reported no successful phishing-based takeovers of employee accounts.