What problem with passwords is WebAuthn designed to solve, and how does it fundamentally differ from password login?
WebAuthn replaces the shared-secret password with public-key cryptography, so there is no password to phish, reuse, guess, or steal from a server breach.
As of the FS26 source, passwords were still the most common login method despite glaring weaknesses — "123456" and "password" remained among the most-used at that time. Their core flaw is that they're a shared secret: the same value the user types is stored (hopefully hashed) on the server, and it can be:
- phished (typed into a fake site),
- reused across sites,
- leaked in a server breach.
WebAuthn flips this: the user's device generates a key pair. The private key never leaves the device; only the public key goes to the website. Logging in means signing a server-issued challenge with the private key. Since the secret is never transmitted or shared:
- there's nothing to phish (a fake site gets, at most, a useless signature bound to the wrong origin),
- nothing reusable to steal from the server (a public key is, by definition, public).
Tip: This is the technology behind passkeys — the consumer-friendly branding of WebAuthn/FIDO2 credentials.
Go deeper:
webauthn.guide — a clear, friendly walkthrough of how public-key authentication replaces the password.
W3C Web Authentication API (Level 2) — the authoritative standard behind WebAuthn.
Wikipedia: WebAuthn — overview with registration/authentication flow diagrams.
webauthn.io — Duo Labs' live demo: register and log in with a passkey in your own browser to see the challenge–signature flow first-hand.