WebAuthn enables the creation and use of strong public key-based credentials by web applications, for the purpose of authenticating users. Credentials are tied to a specific domain or origin when they are created and can only be used for that specific origin. The credentials are also bound to the device on which they were created. Most commonly, these credentials are based on biometrics information, using Face ID or Windows Hello, for example.

Benefits of WebAuthn

There's ample evidence to support that passwords are the internet's weakest link. Common mitigations to protect users and reduce account takeover (ATO), including two-factor authentication, require work for developers and friction for end-users. WebAuthn is a simple single-step alternative that cannot be brute-forced or phished.

WebAuthn Challenges (and how we help!)

WebAuthn-based authentication can be very complex to implement in practice, as the specification doesn't describe how to handle authentication across multiple devices. For example, you would traditionally login to a website with the same password on both your mobile phone and your laptop. However, with WebAuthn, you would need to register both your mobile phone's biometric device and your laptop's biometric device in order to login from either platform.

This is where we come in. Passage manages all of the complexity of registering new devices to deliver a seamless experience for your users. We've thought through a long list of edge cases and security concerns so you don't have to.

Currently, not all browsers support WebAuthn in the same way. Passage can seamlessly adjust to different user agents with no work on your part, and fall back to a different form of passwordless authentication in the event that a user's browser does not support WebAuthn at all.

Last updated