Why Developers Should Care

Security and product wins

No shared secret to steal from your database.
Private keys stay on the authenticator.
Login is bound to the site identity, not just a UI that looks convincing.
Users approve with Face ID, Touch ID, Windows Hello, or a hardware key.

What changes in your app

The browser becomes part of the auth protocol.
Your server sends challenges and verifies signed responses.
Your domain setup matters because the RP ID is part of identity.
Recovery and fallback flows still matter for production.

Core Terms

Browser and standards

WebAuthn: the browser API behind navigator.credentials
FIDO2: the broader standard that includes WebAuthn
Authenticator: the device or security module holding the private key

Site identity

Relying Party (RP): your app or website
RP ID: the domain name used as the WebAuthn site identifier
Origin: the full scheme://host:port

Protocol pieces

Credential: the passkey, backed by a public/private key pair
Challenge: a random, server-generated nonce
Attestation: optional metadata about the authenticator at registration
Assertion: the signed proof returned during login