LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What problem with passwords is WebAuthn designed to solve, and how does it fundamentally differ from password login?

WebAuthn replaces the shared-secret password with public-key cryptography, so there is no password to phish, reuse, guess, or steal from a server breach.

As of the FS26 source, passwords were still the most common login method despite glaring weaknesses — "123456" and "password" remained among the most-used at that time. Their core flaw is that they're a shared secret: the same value the user types is stored (hopefully hashed) on the server, and it can be:

  • phished (typed into a fake site),
  • reused across sites,
  • leaked in a server breach.

WebAuthn flips this: the user's device generates a key pair. The private key never leaves the device; only the public key goes to the website. Logging in means signing a server-issued challenge with the private key. Since the secret is never transmitted or shared:

  • there's nothing to phish (a fake site gets, at most, a useless signature bound to the wrong origin),
  • nothing reusable to steal from the server (a public key is, by definition, public).

Tip: This is the technology behind passkeys — the consumer-friendly branding of WebAuthn/FIDO2 credentials.

Go deeper:

  • doc webauthn.guide — a clear, friendly walkthrough of how public-key authentication replaces the password.
  • doc W3C Web Authentication API (Level 2) — the authoritative standard behind WebAuthn.
  • doc Wikipedia: WebAuthn — overview with registration/authentication flow diagrams.
  • tool webauthn.io — Duo Labs' live demo: register and log in with a passkey in your own browser to see the challenge–signature flow first-hand.

From Quiz: INTROL / Web Authentication: Cookies, OAuth 2.0 / OIDC & WebAuthn | Updated: Jul 05, 2026