WebAuthn / passkeys
DEFINITION
WebAuthn is a W3C standard; passkey is its user-friendly brand name (used jointly by Apple, Google and Microsoft). At registration, the user's device (phone, laptop, YubiKey) locally generates an asymmetric key pair: the private key stays on the device (or in the platform secure enclave, or in a cloud-synced keychain) and never leaves it. Only the public key plus an attestation goes to the server. At login, the server sends a challenge, the device unlocks the private key via biometrics or PIN, signs the challenge, and sends the signature back. Only the public key (at registration) and the signature (at login) ever cross the network; no password does. It is phishing-resistant (the credential is bound to the site's domain, so a look-alike domain cannot use it), there is no shared secret to leak, and it replaces SMS OTP. Production-ready since iOS 17 and Android 14.
- Threat model: A structured exercise that walks the system's actors, attack surface, risks, and controls. Day one of every DField project · before any code.
- Penetration test (pentest): Manual + tooled attack simulation that reveals what an attacker could achieve. We deliver findings as PRs in your repo, not an 80-page PDF.
- DevSecOps: Security as a continuously running CI step (SAST, DAST, SCA, IaC scan), not an annual project. Runs against every push; every sprint closes at least one security bug.
- MFA (Multi-factor auth): Two or more factors (TOTP, WebAuthn, biometric) beyond a password. Table stakes in SaaS today · enterprise procurement disqualifies you without it.
- SOC 2: A US audit framework for confidentiality, integrity, availability, and privacy controls. For SaaS, the Type II audit (6–12 months of observation) is the standard enterprise baseline.
- ISO 27001: International standard for Information Security Management Systems (ISMS). Often preferred in Europe instead of or alongside SOC 2. 3-year certification cycle.