WebAuthn

The goal of the project is to standardize an interface for authenticating users to web-based applications and services using public-key cryptography.

The underlying cryptographic operations are performed by an authenticator, which is an abstract functional model that is mostly agnostic with respect to how the key material is managed.

Sensitive cryptographic operations can also be offloaded to a roaming hardware authenticator that can in turn be accessed via USB, Bluetooth Low Energy, or near-field communications (NFC).

Like legacy U2F, Web Authentication is resilient to verifier impersonation; that is, it is resistant to phishing attacks,[8] but unlike U2F, WebAuthn does not require a traditional password.

Moreover, a roaming hardware authenticator is resistant to malware since the private key material is at no time accessible to software running on the host machine.

In multi-factor mode, the authenticator is activated by a test of user presence, which usually consists of a simple button push; no password is required.

The illustrated flow relies on PIN-based user verification, which, in terms of usability, is only a modest improvement over ordinary password authentication.

How the WebAuthn Relying Party obtains its store of trusted attestation public keys is unspecified.

The WebAuthn Level 1 standard was published as a W3C Recommendation by the Web Authentication Working Group on 4 March 2019.

WebAuthn is supported by Google Chrome, Mozilla Firefox, Microsoft Edge, Apple Safari[10] and Opera.

The first Security Level 2 certified FIDO2 key, called "Goldengate", was announced one year later by eWBM on 8 April 2019.

The Web Authentication API[34][35] extends the Credential Management navigator.credentials.create() and navigator.credentials.get() JavaScript methods so they accept a publicKey parameter.

The main points of criticism revolve around two potential issues that were problematic in other cryptographic systems in the past and therefore should be avoided in order not to fall victim to the same class of attacks. Paragon Initiative Enterprises also criticized how the standard was initially developed, as the proposal was not made public in advance and experienced cryptographers were not asked for suggestions and feedback.

Avoiding such mistakes as early as possible would protect the industry from any challenges that are introduced by broken standards and the need for backwards compatibility.

I have been using public key cryptography for 30-plus years... If I find passkeys confusing to use, it doesn't bode well for more typical users.

A typical Web Authentication (WebAuthn) flow
Example of WebAuthn implementation (Bitwarden for Pixiv)