When it comes to WebAuthn, there’s certainly no shortage of acronyms or protocols. But what do they mean, and which ones do you need to care about? Fret not – both clarity and help are available! In this blog, we’ll share tips on how to implement WebAuthn, as well as share news about java-webauthn-server library updates and the newest version of Yubico’s WebAuthn Starter Kit.

Yubikey WebAuthn implementation: What’s what, why should you care and new updates from Yubico

Where it started

Universal 2nd Factor (U2F) is an open standard for authentication using hardware tokens, such as a YubiKey. It was initially launched back in 2014, under the FIDO Alliance. Yubico was one of the creators of this standard, and YubiKeys were among the first Universal 2nd Factor (U2F) Security Keys available. The standard mainly comprised two parts:

The FIDO U2F HID Protocol, used to communicate between the host computer (the “client”) and the Security Key (the “authenticator”) over USB or NFC. This was later renamed CTAP1, the Client To Authenticator Protocol.
The FIDO U2F JavaScript API, used by websites to register and authenticate credentials.

Support for these protocols was added to a few different browsers, and the standard served to demonstrate and prove the concept, but some of the limitations were hindering widespread adoption.

What it became

While U2F was great for increased security and ease of use, there is always room for improvement. The successor to U2F is called FIDO2, and brings in support for a lot of new use cases, such as “passwordless login,” support for PIN and biometrics on-device, and several other extensions. This brought new APIs in the form of CTAP2 to support these new features in the Security Keys, and WebAuthn as a replacement for the FIDO U2F JavaScript API.

WebAuthn fully replaces the older JavaScript API, and is standardized by the W3C and implemented in all the major browsers. Support for the older U2F API has now been phased out, and no longer works in most browsers. This is where WebAuthn comes in: it is fully compatible with both CTAP1 (the U2F protocol) and CTAP2 (the FIDO2 protocol). It’s even possible to continue using old U2F credentials through the WebAuthn API via an extension, meaning users don’t necessarily have to re-register their Security Keys to keep using them. Since WebAuthn is the API most developers will interact with, “WebAuthn” has also become an umbrella term for not just the browser parts, but for the whole end-to-end implementation, from Security Key to server.

How to implement WebAuthn  

So far we’ve covered host-to-authenticator communication (CTAP) and web page-to-browser communication (WebAuthn), but we haven’t really looked at the server side yet. The FIDO2 specifications outline step-by-step what a server needs to do to validate a credential, but actual WebAuthn implementation is left as an exercise for the reader. There are several libraries available to help with this, including version 2.0 of Yubico’s java-webauthn-server library, which just launched. The library allows your existing JVM-based backend to add support for WebAuthn and takes care of:

Creating and reading the binary messages you need to send to the client;
validating cryptographic signatures; and
enforcing the rules imposed by the specification.
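To make the "rules imposed by the specification" concrete, here is an added example (not code from java-webauthn-server or any Yubico library) of the non-cryptographic checks a server runs on an authentication response. The function names, the example.com relying party and the sample values are assumptions, and the signature over `signed_message(...)` still has to be verified with the stored public key.

```python
import base64
import hashlib
import hmac
import json
import struct

FLAG_UP, FLAG_UV = 0x01, 0x04  # user present / user verified bits
CHALLENGE = b"constructed-challenge"  # constructed sample value

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def check_assertion(client_data_json, auth_data, *, challenge, origin, rp_id,
                    stored_count, require_uv=False):
    """Non-cryptographic assertion checks; returns the new signature counter."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    if not hmac.compare_digest(b64url_decode(client.get("challenge", "")), challenge):
        raise ValueError("challenge mismatch")
    if client.get("origin") != origin:
        raise ValueError("origin mismatch")
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    # Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)
    rp_id_hash, flags, count = struct.unpack(">32sBI", auth_data[:37])
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(rp_id.encode()).digest()):
        raise ValueError("RP ID hash mismatch")
    if not flags & FLAG_UP:
        raise ValueError("user presence flag not set")
    if require_uv and not flags & FLAG_UV:
        raise ValueError("user verification required")
    # A counter that does not increase may indicate a cloned authenticator.
    if (count or stored_count) and count <= stored_count:
        raise ValueError("signature counter did not increase")
    return count


def signed_message(client_data_json, auth_data):
    """Bytes the credential's public key must have signed."""
    return auth_data + hashlib.sha256(client_data_json).digest()


def sample_assertion(count, origin="https://example.com", flags=FLAG_UP):
    """Constructed sample input for RP ID example.com; not a real capture."""
    chal = base64.urlsafe_b64encode(CHALLENGE).decode().rstrip("=")
    cdj = json.dumps({"type": "webauthn.get", "origin": origin, "challenge": chal})
    return cdj.encode(), hashlib.sha256(b"example.com").digest() + struct.pack(">BI", flags, count)
```

The origin and RP ID hash checks are what bind the response to your site: an assertion produced for a lookalike origin fails here before any signature is examined.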

This new library also offers support for the FIDO Metadata Service 3 (FIDO MDS3), which allows you to get metadata about the Security Key a user is using, including the vendor and product name, and so on. While this data isn’t required to implement WebAuthn on the server side, it can be used to enrich the user experience, and should it be needed, to disallow usage of Security Keys with known problems.
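As an added illustration of that policy decision (not the java-webauthn-server API), the sketch below reads the AAGUID from registration authenticator data and looks it up in metadata entries. It assumes the attestation statement and the MDS BLOB signature have already been verified; the entries, names and blocked-status policy are constructed for the example.

```python
import struct
import uuid

FLAG_AT = 0x40  # "attested credential data included" bit in the flags byte
# Policy assumption for this example: these MDS status values disqualify a key.
BLOCKED = {"REVOKED", "USER_VERIFICATION_BYPASS", "ATTESTATION_KEY_COMPROMISE",
           "USER_KEY_REMOTE_COMPROMISE", "USER_KEY_PHYSICAL_COMPROMISE"}


def aaguid_from_auth_data(auth_data):
    """Extract the AAGUID (authenticator model ID) from registration authData."""
    if len(auth_data) < 55 or not auth_data[32] & FLAG_AT:
        raise ValueError("no attested credential data")
    aaguid, cred_len = struct.unpack(">16sH", auth_data[37:55])
    if len(auth_data) < 55 + cred_len:
        raise ValueError("truncated credential ID")
    return str(uuid.UUID(bytes=aaguid))


def evaluate(auth_data, mds_entries, allow_unknown=False):
    """Return (allowed, description, reason) for a new registration."""
    aaguid = aaguid_from_auth_data(auth_data)
    entry = next((e for e in mds_entries if e.get("aaguid") == aaguid), None)
    if entry is None:
        return allow_unknown, None, "no metadata for " + aaguid
    name = entry.get("metadataStatement", {}).get("description")
    bad = sorted({r["status"] for r in entry.get("statusReports", [])} & BLOCKED)
    if bad:
        return False, name, "status: " + ", ".join(bad)
    return True, name, "ok"


def sample_auth_data(aaguid_hex):
    """Constructed authData: zero rpIdHash, flags UP|AT, 4-byte ID, no public key."""
    return (bytes(32) + bytes([0x41]) + struct.pack(">I", 0)
            + bytes.fromhex(aaguid_hex) + struct.pack(">H", 4) + b"\x01\x02\x03\x04")


# Constructed entries shaped like the "entries" array of a decoded MDS3 BLOB.
SAMPLE_ENTRIES = [
    {"aaguid": "00000000-0000-0000-0000-0000000000a1",
     "metadataStatement": {"description": "Example Key A"},
     "statusReports": [{"status": "FIDO_CERTIFIED_L1"}]},
    {"aaguid": "00000000-0000-0000-0000-0000000000b2",
     "metadataStatement": {"description": "Example Key B"},
     "statusReports": [{"status": "FIDO_CERTIFIED_L1"}, {"status": "REVOKED"}]},
]
```

Without verified attestation the AAGUID is self-asserted by the client, so a lookup like this is only meaningful as a policy control when attestation is requested and checked.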

If Python is more your style, we’re also releasing version 1.0 of our python-fido2 library. We’ve just published the first Release Candidate (RC1) for 1.0, and plan to have the final version out in about a month’s time. Not only is python-fido2 a WebAuthn server library which is capable of doing a lot of the things that our Java library does, it is also a client library. This means that it also implements the CTAP protocols, allowing you to access FIDO2 functionality outside of a browser, by directly talking to a YubiKey over USB or NFC.

Looking for something a bit lower-level? Try our C library, libfido2, which also has several third party bindings for other languages. This is a client library (again, that means it handles CTAP) which also has some functionality for verifying signatures and attestation. It is used in, among other projects, OpenSSH, to allow you to authenticate your SSH sessions with a YubiKey!

WebAuthn Implementation Starter Kit

Additionally, we’re excited to announce the launch of a new version of the WebAuthn Starter Kit, an open source project and reference architecture that aims to guide developers on their journey to enabling Passwordless and Adaptive Multi-Factor Authentication into their applications. This version takes a deeper look at how attestation and the FIDO Metadata Service are used to both prove the validity and identity of a Security Key to a Relying Party, while also providing details about the device itself.

We also discuss the concept of Platform Authenticators as Trusted Devices, which helps to shift the current paradigm of Trusted Devices from being something that is implemented using cookies, or local storage, to instead using a WebAuthn backed credential that is present on popular consumer devices. In this way, the use of Platform Authenticators can serve as a good complement to Security Keys.

The WebAuthn Starter Kit also covers best practices for handling the User Experience for WebAuthn enabled applications. It’s become clear that the different permutations of platforms, browsers, and credential devices can make the transition to WebAuthn overwhelming for users who are used to traditional authentication using username/password. Our implementation aims to deliver greater transparency, and ensure that users understand what action they need to take, when to take it, and when it’s being processed.

Widespread WebAuthn implementation, which can help curb account takeovers from phishing and other modern cyberthreats, will not be persistent unless trust is established with everyday users. It’s (past) time to move from U2F to WebAuthn. Not just because browsers will no longer support U2F, but because WebAuthn enables a bunch of new features as well! We hope some of our libraries can make implementing these standards a bit easier for you, and would love your feedback in making them even better going forward. Lastly, we hope these new releases not only enable further adoption of passwordless, but foster a better understanding of the different parts that make up WebAuthn.


To learn more about all things new with WebAuthn and WebAuthn implementation, check out our on-demand webinar, “MFA with WebAuthn: Implementation Updates and the Road Ahead.” Additionally, sign up for our upcoming webinar, “How to enhance your Adaptive MFA strategy using Yubico’s Java WebAuthn Server,” here.

The post WebAuthn implementation: What’s what, why should you care and new updates from Yubico appeared first on Yubico.

