LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are the three parties in the WebAuthn model, and what does each do?

The User Agent (browser), the Relying Party (the website you log into), and the Authenticator (the device holding the keys, e.g. a TPM chip or YubiKey).

WebAuthn (a W3C standard published March 2019) coordinates three roles:

Party What it is Role
User Agent the browser Mediates via the navigator.credentials API; relays data between the other two
Relying Party the web application (e.g. an online shop) Wants to authenticate the user; stores the user's public key
Authenticator TPM chip, YubiKey, smartphone, … Generates and guards the private key; performs the signing

The browser is the untrusted middleman — it never sees the private key. It just shuttles the challenge to the authenticator and the signature back to the relying party.

Tip: "Relying Party" = the party that relies on the authenticator's proof. It's the same term used in OAuth/OIDC federation, so it shows up across this whole topic.

Go deeper:

From Quiz: INTROL / Web Authentication: Cookies, OAuth 2.0 / OIDC & WebAuthn | Updated: Jul 14, 2026