LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

Across the three web authentication mechanisms — cookies/passwords, OAuth/OIDC, and WebAuthn — where does the user's authentication "secret" live, and why does that make WebAuthn the most breach-resistant?

Cookies/passwords store a reusable secret on the server; OAuth centralizes it at an identity provider; WebAuthn stores only a public key server-side while the private key never leaves the user's device.

Cookie/password (server stores hashes), OAuth (risk at the IdP), WebAuthn (server stores only a public key).

* Where the secret lives per mechanism: WebAuthn stores only a useless-to-steal public key. *

First, separate two different things — because at the end of a login all three mechanisms hand the browser a session cookie (a random Session Identifier the browser resends to stay logged in). That post-login cookie is not the point here. The point is the authentication secret — the thing you prove identity with at login (the password, or the WebAuthn private key). The comparison below is about where that authentication secret lives, not about the session cookie every scheme issues afterward.

Mechanism The authentication secret is... What the server stores Impact of a server breach
Cookie / password a password the user types password hashes (+ live session cookies) hashes can be cracked; sessions hijacked
OAuth / OIDC a password held at the identity provider (IdP) trust in the IdP; no user password of its own the app's store leaks little, but risk concentrates at the IdP
WebAuthn a private key sealed in the user's device only the user's public key (+ a session cookie after login) useless to an attacker — public keys are meant to be public

So all three end up issuing a session cookie; what differs is where the secret you authenticate with sits — on the server (password hash), at the IdP, or never leaving the device (private key). WebAuthn's design goal — never transmit or store a shared secret — is precisely why a database leak doesn't hand attackers a way to log in. There's simply no secret on the server to steal.

Tip: When comparing auth schemes, always ask "what does the server have to keep safe, and what happens if it leaks?" WebAuthn's answer ("a public key — so, nothing sensitive") is its strongest selling point.

From Quiz: INTROL / Web Authentication: Cookies, OAuth 2.0 / OIDC & WebAuthn | Updated: Jul 14, 2026