Glossary
- attestation
A proof that an authenticator (like a security key or device used for Passkeys) is genuine and from a trusted source. It helps verify that a Passkey was created and stored securely. Applications can use attestation to allow only specific authenticators.
- authenticator
An authenticator is a software or hardware implementation of the client side of the Web Authentication standard. It manages the cryptographic parts of the process. When a user registers or logs in with a credential, the browser usually presents several authenticator options. Common examples include Chrome Password Manager, a USB key, iCloud Keychain, or a smartphone.
- country code top-level domain (ccTLD)
A specific type of top-level domain (TLD) that is associated with a particular country or territory. It consists of two letters and is used to identify websites related to that country. For example, “.uk” for the United Kingdom or “.de” for Germany.
- credential ID
A unique identifier generated by the authenticator when creating a WebAuthn credential. The credential ID consists of a random sequence of bytes and is used in negotiations between the browser and the server.
- cryptography
The practice of securing data through encryption and digital signatures. In the context of WebAuthn, cryptography ensures that authentication is secure and resistant to attacks.
- key pair
A public-private pair of cryptographic keys used for secure communication and authentication. The public key can be shared freely, while the private key is kept secret and used to decrypt data or create a digital signature.
The two keys are mathematically linked. So data encrypted with the public key can only be decrypted by the corresponding private key, and vice versa. This ensures secure interactions without needing to share the private key.
- passkey/discoverable credential
A type of WebAuthn credential that supports passwordless logins in scenarios where the server has not first identified the user and has not provided the web browser with credential IDs.
While passkeys are WebAuthn credentials, WebAuthn credentials are not always passkeys.
- private key
A cryptographic key that is kept secret by the owner. It’s used to decrypt data or create a digital signature.
- public key
A cryptographic key that can be shared with anyone. It’s used to encrypt data or verify a digital signature.
- relying party
The entity that relies on the Web Authentication standard to authenticate users. This refers to you, as you are using Web Authentication to authenticate your users.
- relying party ID (rpID)
The domain of the website or service where a passkey can be used, without including protocol, port, or path. For example, acbde.com. It ties the passkey to a specific domain to prevent phishing. Subdomains match a parent rpID, but not the other way around. The rpID is included in WebAuthn login requests and verified by the browser against the current page’s origin.
- resident key
An alternative term for a passkey or discoverable credential. It refers to a WebAuthn credential that allows authentication without the server providing credential IDs.
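The rpID matching rule from the relying party ID entry above, written out as a small Python check. This is an added example, not code from this package or from the WebAuthn specification. It emulates what the browser does: the rpID must equal the origin's host or be a parent domain of it, the comparison is one-directional, and protocol, port and path are ignored. The `PUBLIC_SUFFIXES` set is a constructed subset standing in for a real public suffix list, which a production check would consult so that an rpID cannot be a bare TLD or ccTLD such as "com" or "co.uk".

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed, illustrative subset of a public suffix list. A real check
# would load the full list; an rpID that is itself a public suffix would
# let a credential be used across every site under that suffix.
PUBLIC_SUFFIXES = {"com", "de", "uk", "co.uk"}


def origin_host(origin: str) -> Optional[str]:
    """Return the lowercase host of a web origin, or None if unusable.

    Port and path are irrelevant to rpID matching. WebAuthn only runs in
    secure contexts, so anything other than https is rejected, with the
    usual developer exception for localhost.
    """
    parts = urlsplit(origin)
    if parts.hostname is None:
        return None
    host = parts.hostname.lower().rstrip(".")
    if parts.scheme != "https" and host != "localhost":
        return None
    return host


def rp_id_matches_origin(rp_id: str, origin: str) -> bool:
    """Emulate the browser-side rpID check against the current page's origin.

    The rpID must equal the origin's host or be a parent domain of it
    (a subdomain matches a parent rpID). The reverse never holds: an
    origin on the parent domain does not match a subdomain rpID.
    """
    host = origin_host(origin)
    if host is None:
        return False
    rp_id = rp_id.lower().rstrip(".")
    if not rp_id or rp_id in PUBLIC_SUFFIXES:
        return False
    return host == rp_id or host.endswith("." + rp_id)


if __name__ == "__main__":
    # acbde.com is the glossary's own example rpID; origins are constructed.
    checks = [
        ("acbde.com", "https://acbde.com"),                 # exact match
        ("acbde.com", "https://login.acbde.com:8443/sso"),  # subdomain, port and path ignored
        ("login.acbde.com", "https://acbde.com"),           # parent origin, subdomain rpID: no
        ("acbde.com", "https://acbde.com.evil.example"),    # lookalike suffix: no
        ("acbde.com", "http://acbde.com"),                  # not a secure context: no
        ("com", "https://acbde.com"),                       # public suffix as rpID: no
    ]
    for rp_id, origin in checks:
        print(f"{rp_id:18} {origin:40} -> {rp_id_matches_origin(rp_id, origin)}")
```

The suffix comparison is anchored with a leading dot on purpose: comparing with `endswith("acbde.com")` alone would accept `notacbde.com`, which is exactly the kind of lookalike host the rpID binding exists to reject.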
- second-factor authentication
The second stage in a two-factor authentication process, where a user provides identification through a biometric sensor, PIN, or pattern.
- two-factor authentication
An authentication policy that requires a user to present two proofs of identity. The first is usually a password and the second is frequently tied to some physical device in the user’s possession.
- Web Authentication
An open web standard developed by the World Wide Web Consortium (W3C). It describes an authentication standard that lets websites negotiate the creation of public-key-based credentials with a browser.
- WebAuthn
A shorthand term for the Web Authentication standard. In this package, some classes include WebAuthn in their names, but the term itself refers to the broader web authentication standard.
- WebAuthn credential
A term defined in the Web Authentication specification. It’s a key-based credential generated during a WebAuthn registration process, consisting of a public-private key pair. The private key is securely stored on the user’s device, while the public key is stored on the server for verifying future authentications.
This should not be confused with the WebAuthnCredential model, which only stores the public key and associated metadata.