What “WebAuthn” Is and How It Might Replace Passwords

Are you not a fan of passwords? Perhaps you find it tricky to remember them all, or you dislike the idea that every site is one data breach away from leaking your login details onto the Internet. Recently, a web standard called WebAuthn has been making progress that may make logging on to websites both easier and safer. If it succeeds, it may serve as a phishing-resistant second factor or even replace passwords entirely.

What Is “WebAuthn”?


Have you ever used a phone or laptop that had the capability to scan a fingerprint? You can use the scanner to replace the password login for your device, so you don’t have to type anything. In a way, WebAuthn is like that, only to log into websites instead of a device.

Let’s say you want to log on to a website. It supports WebAuthn as a verification method, so you decide to use it. When you sign up, you register a WebAuthn credential with the account. The credential is a key pair generated by an authenticator, which can be a USB security key, a phone or a laptop, and which is unlocked locally with a PIN or a biometric scan such as a fingerprint. The private key never leaves the authenticator; the site stores only the public key.

Despite the technology being very new, there are already a few ways to authenticate via WebAuthn. YubiKey security keys are compatible with WebAuthn, so you can register one by plugging it into a USB port when signing up. If your phone or laptop has a fingerprint or face scanner, you can use that as your authenticator when logging on to sites.

Once you’ve registered a device with the site, you can then use your designated login method in the future. For instance, if you used the mobile phone example above, you’ll go to the login page of the site, and your phone will ask you for your biometric scan to confirm who you are.

WebAuthn can be used in conjunction with a regular password as part of two-factor authentication, but if this technology takes off, there’s nothing to say it can’t become the primary method of logging on and replace passwords altogether.

How Does It Beat Passwords?


The main forte of WebAuthn is that it shuts down phishing. A password can be typed into a fake website or handed over in reply to a scam email, but a WebAuthn credential is bound to the site it was registered with: the browser writes the site’s origin into the data the authenticator signs, so a login signed on a lookalike domain is useless to the real site. There is no secret for the user to type and nothing for the fake site to capture; a biometric scan, for instance, never leaves the device at all.

Due to how WebAuthn works, websites that use it never see the data used to verify the user. The biometric or PIN only unlocks the authenticator locally; the site receives a signature over a one-time challenge and checks it against the public key it stored at registration. This means people can’t harvest sensitive data (such as biometric scans) from a WebAuthn login process and use it to impersonate others.

Will It Replace Passwords?


WebAuthn has the potential to fully replace passwords, but it’s definitely not a guarantee, nor something that will happen overnight. The reason WebAuthn has hit the news lately is that the standard is reaching the final stages of standardisation at the W3C. Firefox and Chrome both support WebAuthn, which means that websites can now use this technology if they wish.

This is the phase where public interest comes into play. If developers think WebAuthn is a waste of time, especially the ones doing work for the big sites such as Amazon, it won’t be implemented, and WebAuthn will die out. Similarly, if it is implemented and nobody uses it, it may not gain enough traction to stay relevant. Even if it’s implemented and well used, it may take some time before it fully replaces passwords.

Open Sesame

With so many phishing attacks and database leaks in the modern day, a change of security measures might be a breath of fresh air. WebAuthn may be that revolution by either acting as a second wall of security or even replacing passwords altogether!

Do you want WebAuthn to take over for the traditional password? Or is it too much hassle? Let us know below!

Simon Batt

Simon Batt is a Computer Science graduate with a passion for cybersecurity.


  1. “This means people can’t harvest sensitive data ”
    As of YET! WebAuthn was invented and a way to hack it will be invented.

  2. I will never allow mass media to use any of my bio-metrics for password authentication. You, the author, are making this solution seem like a normal method of proof to let users trust their personal information, banking and investment information on the internet.

    The difference here is that this time if hackers get your bio-metric information they can forge the authenticity of “you” to the very highest levels of conviction – start a new credit card, log into your bank account, take over the ownership deed of real property, forge your identity etc.
    Once this signing authority is stolen, there is no way you can ever get it back. You can’t ever change your fingerprints or your retinal scan to prove you are really who you say you are. You can’t hire an identity theft company to recover your internet security as you currently can.

    This is so serious and yet people don’t get how bio-metrics are so dangerous to use. Every time you use bio-metrics to log in on any device anywhere in the world, the big database in the sky adds a little more information to finish off the total puzzle of your identity, beyond your reach to retrieve, for good or for bad.

    Just Say No Thanks.

  3. Yea, it’s a keen idea, but it has a fatal flaw. Say everyone starts using this and it becomes ubiquitous. That would mean that now, along with relying on AWS and Google cloud servers to house and protect your data, you are also going to be depending on a central site to send your credentials to every service you need to access. Is it just me, or is anyone else getting nervous about the growing dependency we keep putting on our connection to the ‘web’ no matter where we are located to provide even the most basic functions–like unlocking the door or accessing your money (online bank) or getting med records. What do you do when one of those cross-connected services goes down or suffers a connectivity problem. We are building a system that’s guaranteed to fail at some point.

    1. +1 on this. Having a cross-site authentication and authorization mechanism could be very useful. But it needs to be multi-hosted. Meaning the protocol would be a standard which multiple actors could implement. So I could, for example, use my Google account, my Verizon cellphone, the RSA key I have for work, or a Yubikey, for the same sites. And I could maintain redundant authenticators so if Google or Yubikey goes belly-up or there is a connectivity issue, I could quickly switch to another.

  4. Biometrics may be harder to steal, but once they are, they’re gone. I can always come up with a different password. I only have a finite number of fingerprints. If one becomes invalidated because it is stolen, sooner or later I’m going to run out.

  5. “Do you want WebAuthn to take over for the traditional password?”
    As others have already pointed out, there is an infinite number of passwords but a very finite number of biometrics. WebAuthn sounds great in theory but in practice its pitfalls outweigh the advantages by a large margin. Any security measure/method that limits your options (and WebAuthn definitely does that) is a stupid idea and should be eliminated yesterday, if not sooner.

    “if it is implemented and nobody uses it”
    Unfortunately, there is very little chance of that happening, UNLESS common sense prevails. But, as we all know, common sense ain’t so common. WebAuthn will spread like wildfire, once it is available to any and all users. It will spread like the plague because it offers convenience. Just think, no more using a different password for each site! You can use the same fingerprint or a retinal pattern for ALL your accounts! After all, who can spoof a fingerprint or a retinal pattern?! The very same people that would use their thumbprint for all their online accounts would never, ever think of using the same key for all their locks (home, vacation home, car, job, etc.)
