Last updated: March 15, 2026
Standard Protocol Layer User Interaction Device Requirement Cross-Device
WebAuthn Browser API specification Browser-mediated auth Any authenticator Via API calls
FIDO2 Full framework (WebAuthn + CTAP) Hardware key tap/biometric FIDO2 security key Via roaming keys
Passkey FIDO2 with cloud sync Biometric or PIN Phone/laptop built-in Cloud-synced across devices
FIDO U2F (legacy) Second-factor only Key tap after password U2F security key Physical key only
TOTP Time-based codes Manual code entry Authenticator app Via app sync/backup

WebAuthn is the browser API for passwordless login, FIDO2 is the full protocol suite (WebAuthn plus the CTAP standard for communicating with hardware authenticators), and passkeys are the consumer-facing product built on FIDO2 that adds cross-device sync through iCloud Keychain, Google Password Manager, or Windows Hello. If you are a developer implementing passwordless auth, you work with the WebAuthn API; FIDO2 defines the underlying cryptographic protocol; and passkeys are what your end users actually interact with.

Table of Contents

What Is WebAuthn?

WebAuthn is a web API standard developed by the World Wide Web Consortium (W3C) that enables web applications to use public-key cryptography for authentication. Launched in 2018, WebAuthn provides a standardized JavaScript API that browsers expose to web applications.

The WebAuthn API allows servers to register and authenticate users using authenticators, devices like security keys, smartphones, or platform-specific biometric systems. When a user registers, the authenticator generates a public-private key pair. The private key remains on the device, while the public key gets sent to the server.

A basic WebAuthn registration looks like this in JavaScript:

const publicKeyCredentialCreationOptions = {
 challenge: new Uint8Array([/* server-provided challenge */]),
 rp: {
 name: "Your Application",
 id: "yourdomain.com"
 },
 user: {
 id: new Uint8Array([/* user ID bytes */]),
 name: "username",
 displayName: "User Name"
 },
 pubKeyCredParams: [
 { type: "public-key", alg: -7 }, // ES256
 { type: "public-key", alg: -257 } // RS256
 ],
 authenticatorSelection: {
 authenticatorAttachment: "platform",
 requireResidentKey: true,
 userVerification: "preferred"
 }
};

const credential = await navigator.credentials.create({
 publicKey: publicKeyCredentialCreationOptions
});

This code creates a credential on a platform authenticator (like Windows Hello or Touch ID). The returned credential object contains the public key that your server stores for future authentication attempts.

What Is FIDO2?

FIDO2 is a set of specifications published by the FIDO Alliance that enables passwordless authentication. It consists of two components: the Client-to-Authenticator Protocol (CTAP) and WebAuthn.

CTAP defines how clients (browsers, operating systems) communicate with external authenticators. CTAP1 (or U2F) was the original FIDO standard using only attestation certificates. CTAP2 introduced resident keys, allowing authenticators to store multiple credentials.

The FIDO2 architecture has three parties:

  1. Relying Party - The web server that wants to authenticate users
  2. Client - The browser or platform that implements WebAuthn
  3. Authenticator - The device that creates and stores cryptographic keys

FIDO2 requires that authenticators use hardware-backed key storage. This means the private keys never leave the authenticator in a form that any other device can access. Even if a server is compromised, attackers cannot steal usable credentials because they would need physical access to the user’s authenticator.

FIDO2 also supports attestation, cryptographic statements that verify the authenticator’s make and model. This lets servers make informed decisions about which authenticators they accept:

// Server-side verification of attestation
const attestationStatement = credential.response.attestationStatement;
const attestationTrustPath = verifyAttestation(attestationStatement, clientDataHash);

// Different relying parties may accept different authenticator types
const acceptedAttestationFormats = ['packed', 'fido-u2f', 'none'];

What Are Passkeys?

Passkeys are a consumer-facing implementation of FIDO2 credentials, promoted by Apple, Google, and Microsoft through the FIDO Alliance. While FIDO2 and WebAuthn are technical standards, passkeys represent how those standards reach end users.

When you create a passkey on your iPhone, it syncs through iCloud Keychain. On Android, it syncs through Google Password Manager. This sync capability is not part of the FIDO2 specification, it is an extension added by the major platform vendors.

Passkeys solve a key problem with hardware security keys: portability. With traditional FIDO2 authenticators, if you lose your YubiKey, you lose access to your accounts. Passkeys sync across devices, providing the same phishing resistance without the single-point-of-failure risk.

Three features distinguish passkeys from generic FIDO2 credentials:

  1. Cross-device sync - Credentials flow between your devices automatically
  2. Discoverable credentials - The authenticator can find the right credential without the server providing a credential ID
  3. Platform integration - Operating systems present native UI for passkey creation and use

How They Connect

The relationship is straightforward: WebAuthn is the web API, FIDO2 is the protocol suite (including CTAP), and passkeys are the consumer product built on top of FIDO2.

When you use a passkey on a website, the following happens:

  1. The website calls the WebAuthn API (navigator.credentials.get())
  2. The browser communicates with the platform’s passkey provider (iCloud Keychain, Google Password Manager, Windows Hello)
  3. The provider uses FIDO2 CTAP commands to access the credential
  4. The authenticator signs an authentication assertion using the stored private key
  5. The server verifies the signature using the registered public key

This chain of standards means any passkey implementation works with any WebAuthn-enabled website. A passkey created on iOS will work on Chrome for Linux, provided both platforms support the relevant specifications.

Practical Considerations for Developers

Implementing WebAuthn requires server-side changes beyond simple password authentication. Your server must:

For most developers, using a library like SimpleWebAuthn or Authelia saves significant implementation time:

// Server-side with SimpleWebAuthn
const { verifyRegistrationResponse } = require('@simplewebauthn/server');

const verification = await verifyRegistrationResponse({
 response: credential,
 expectedChallenge: savedChallenge,
 expectedOrigin: 'https://yourdomain.com',
 expectedRPID: 'yourdomain.com'
});

if (verification.verified) {
 // Save credential.publicKey and credential.id to your database
 await saveCredential(userId, verification.registrationInfo);
}

The key decision point is whether to require attestation. Attestation lets you enforce hardware security key requirements, but it complicates implementation and may frustrate users who just want to use their phone.

Platform Implementation Differences

Each major platform implements passkeys differently, affecting developer complexity:

iOS (Apple)

Android (Google)

Windows (Microsoft)

Mac (Apple)

Linux

Resident vs Non-Resident Keys

A critical distinction affecting deployment:

Non-Resident Keys (traditional FIDO2)

Resident Keys (required for passkeys)

For developers, this means:

If using non-resident keys, store credential IDs in your database and send them during authentication:

const credentialIds = await getCredentialIDsForUser(userId);

const publicKeyCredentialRequestOptions = {
 challenge: challengeFromServer,
 allowCredentials: credentialIds.map(id => ({
 id: id,
 type: "public-key",
 transports: ["usb", "ble", "nfc", "internal"]
 })),
 userVerification: "preferred"
};

If using resident keys (passkeys), let the authenticator decide which credentials to return:

const publicKeyCredentialRequestOptions = {
 challenge: challengeFromServer,
 allowCredentials: [], // Empty, authenticator decides
 userVerification: "preferred"
};

Attestation Object Handling

Attestation objects contain cryptographic proof about the authenticator, but handling them requires careful consideration:

// Verifying attestation during registration
const attestationVerified = verifyAttestationStatement(
 credential.response.attestationObject,
 credential.response.clientDataJSON
);

// Attestation formats include:
// - "packed": Discrete tokens (YubiKey, Titan)
// - "fido-u2f": FIDO U2F format (backwards compatibility)
// - "android-safetynet": Android device attestation
// - "none": Self-signed (browser-based authenticators)

// Most applications accept "none" attestation
// But you can require specific formats:
const acceptedFormats = ["packed", "fido-u2f"];
if (!acceptedFormats.includes(attestationObject.fmt)) {
 throw new Error("Attestation format not accepted");
}

Organizations with strong security requirements use attestation to enforce specific hardware. For example, banks might require only certified hardware security keys. Consumer applications typically accept any attestation format including “none.”

Migration Strategies from Passwords

Moving existing users to passwordless authentication requires thoughtful planning:

Phase 1 - Add passkey registration alongside password login

Phase 2 - Require passkey + password

Phase 3 - Passkey primary, password secondary

Phase 4 - Passwordless only

This multi-phase approach prevents user frustration and account lockouts.

Recovery and Account Access

Passwordless authentication creates recovery challenges. Without passwords, what happens if a user loses access to their biometric device?

Recovery Options:

  1. Backup passkeys: Users can create backup passkeys on secondary devices during enrollment
  2. Recovery codes: Generate one-time use codes (like 2FA backup codes) during passkey setup
  3. Email recovery: Send recovery codes to verified email address
  4. Administrative recovery: Support team can verify identity and reset authentication

Most applications combine multiple recovery methods. For example: backup codes + email recovery.

Implement recovery carefully, weak recovery mechanisms make the authentication useless, while overly lenient recovery allows account takeover.

Phishing Resistance and Threat Model

The core advantage of passkeys is phishing resistance. A passkey never authenticates to a phishing site because the authenticator verifies the site’s origin before signing:

// During WebAuthn authentication
// The authenticator checks: Does this origin match
// the origin stored in my credential?

// Phishing scenario:
// User tries to login at phishing.site
// But credential was registered for legitimate.site
// Authenticator rejects authentication request
// No credential is sent to phishing site

This property (origin binding) is WebAuthn’s strongest security property. Even sophisticated phishing attacks cannot bypass it.

However, this assumes:

For maximum security, combine with:

Standards Roadmap for 2026 and Beyond

The passwordless authentication field continues evolving:

Conditional UI - Native Android and iOS support for passkey auto-fill without explicit user interaction. This improves UX while maintaining security.

Cross-Origin Mediation - Allow users to authenticate across different domains using the same passkey. Still being standardized but will improve single-sign-on experiences.

Multi-Device Flows - Authenticate on one device using another device’s passkey (cross-device authentication). Useful when primary device is unavailable.

Batch Operations - Register/update multiple credentials in single flows, improving UX for managing multiple accounts.

Developers implementing WebAuthn/FIDO2 in 2026 should monitor these developments and plan for eventual migration when standards stabilize.

Frequently Asked Questions

Can I use the first tool and the second tool together?

Yes, many users run both tools simultaneously. the first tool and the second tool serve different strengths, so combining them can cover more use cases than relying on either one alone. Start with whichever matches your most frequent task, then add the other when you hit its limits.

Which is better for beginners, the first tool or the second tool?

It depends on your background. the first tool tends to work well if you prefer a guided experience, while the second tool gives more control for users comfortable with configuration. Try the free tier or trial of each before committing to a paid plan.

Is the first tool or the second tool more expensive?

Pricing varies by tier and usage patterns. Both offer free or trial options to start. Check their current pricing pages for the latest plans, since AI tool pricing changes frequently. Factor in your actual usage volume when comparing costs.

Can AI-generated tests replace manual test writing entirely?

Not yet. AI tools generate useful test scaffolding and catch common patterns, but they often miss edge cases specific to your business logic. Use AI-generated tests as a starting point, then add cases that cover your unique requirements and failure modes.

What happens to my data when using the first tool or the second tool?

Review each tool’s privacy policy and terms of service carefully. Most AI tools process your input on their servers, and policies on data retention and training usage vary. If you work with sensitive or proprietary content, look for options to opt out of data collection or use enterprise tiers with stronger privacy guarantees.

Related Articles