Quiz Entry - updated: 2026.07.05
What are the key advantages and disadvantages of WebAuthn compared with passwords?
Advantages: phishing-resistant, no shared secret to steal, great login experience. Disadvantages: hardware dependency and portability/integration challenges.
Weighing it up against passwords and cookies:
Advantages
- Security — no shared secret transmitted or stored; the private key never leaves the device; origin-binding makes it phishing-resistant; a server breach leaks only public keys.
- Login experience — unlock with a quick PIN/biometric; no password to remember or type.
Disadvantages
- Portability — a platform credential is tied to one device; losing the device (without a backup/passkey sync or a second authenticator) can lock you out.
- Integration — requires compatible hardware (TPM/security key) and software support; historically uneven across browsers/OSes (using the Windows TPM typically requires Edge).
Tip: "Account recovery" is WebAuthn's thorniest real-world problem — register a second authenticator (e.g. a backup security key) or use synced passkeys so you're not locked out if one device is lost.
Go deeper:
NIST SP 800-63B — Phishing resistance — defines phishing resistance and addresses syncable authenticators, framing WebAuthn's pros and cons.