WebAuthn (Web Authentication API) is a modern security specification developed by the W3C and FIDO to replace traditional password-based logins with public key cryptography. It allows users to authenticate to websites using secure authenticators built into their devices (like Touch ID or Windows Hello) or external hardware keys.

The principal functionalities and characteristics of WebAuthn include:

1. Public Key Cryptography Model

• No Shared Secrets: Unlike passwords, WebAuthn does not send secret data to the server. Instead, it uses a private-public keypair.

• Secure Storage: The private key is stored securely on the user's device, while only the public key is sent to the server.

• Reduced Database Risk: Because servers only store public keys—which are useless to hackers without the corresponding private key—databases become far less attractive targets for breaches.

2. Enhanced Security Protections

• Anti-Phishing (Scoped): Credentials are tied to a specific "origin" (domain). A key registered for one site cannot be used on a fraudulent site, effectively mitigating phishing attacks.

• Replay Attack Prevention: Every registration and authentication event requires a cryptographically random challenge from the server to ensure the transaction is unique and current.

• Attestation: Authenticators can provide certificates to prove to the server that the public key originated from a trusted, legitimate hardware source rather than a fraudulent one.

3. Registration and Authentication Flows

• Registration: The server initiates a credential creation request (navigator.credentials.create()), prompting the user's device to generate a new keypair and return the public key and metadata for storage.

• Authentication (Assertion): To sign in, the user provides an "assertion" (navigator.credentials.get()). This proves they possess the private key by generating a cryptographic signature that the server verifies using the previously stored public key.

4. Broad Compatibility and Standards

• FIDO2 Framework: WebAuthn is a core part of the FIDO2 framework, enabling passwordless communication between browsers, servers, and authenticators.

• Device Integration: It supports both platform authenticators (built into the OS/hardware) and cross-platform authenticators (external roaming keys like YubiKeys).

• Wide Browser Support: The API is supported across major browsers, including Chrome, Firefox, Edge, and Safari.