Quiz Entry - updated: 2026.07.14
Does WebAuthn replace OAuth 2.0? How do their purposes differ?
No — they solve different problems. WebAuthn handles authentication (proving who you are at login); OAuth handles authorization (delegating access to APIs/resources).
They are complementary, not competing:
| WebAuthn | OAuth 2.0 | |
|---|---|---|
| Solves | Authentication — replace the password at login | Authorization — let an app access resources on your behalf |
| Replaces | the password/credential step | nothing about how you prove identity |
| Typical use | logging in to a site with a passkey instead of a password | "allow this app to read your calendar/profile" |
The part of the login experience WebAuthn replaces is the password-based authentication of the user. You could absolutely use both: WebAuthn (often via OIDC) to authenticate the user at the identity provider, and OAuth to then authorize an app's API access.
Tip: OAuth's authentication layer is OIDC — and that authentication can itself be performed with WebAuthn. They stack rather than replace.