W3C browser API for strong authentication with cryptographic keys.
WebAuthn (Web Authentication API) is the W3C standard published in 2019 that gives browsers a JavaScript API for strong cryptographic authentication using hardware-backed public/private key pairs. It is the client-side component of the FIDO2 standard (WebAuthn + CTAP2).
Main APIs (JavaScript navigator.credentials):
- **navigator.credentials.create()** — registration of a new credential (generates the key pair).
- **navigator.credentials.get()** — authentication (signs the server's challenge).
Three user verification levels: (1) **discouraged** — a touch is enough (presence only); (2) **preferred** — biometric/PIN if available; (3) **required** — the authenticator must verify the user (built-in second factor).
Resident keys (discoverable credentials): the credential is stored together with the username on the authenticator, which enables usernameless login (just touch your YubiKey or use Face ID and the server identifies you). This is the foundation of the Passkeys UX.
Browser support 2024: universal — Chrome, Firefox, Safari, Edge, Brave, Opera. Mobile: iOS Safari, Chrome on Android.
Server-side libraries: (1) **SimpleWebAuthn** (Node.js) — most popular; (2) **py_webauthn** (Python); (3) **WebAuthn.io** (Java); (4) **go-webauthn** (Go); (5) **Yubico java-webauthn-server**; (6) **Spring Security WebAuthn**.
Integration steps:
(1) The server generates registration options (rp_id, challenge, exclude_credentials).
(2) Client: navigator.credentials.create(options) → user gesture → returns an attestation.
(3) The server verifies the attestation and stores the credential public key and credential ID.
(4) At authentication time: the server generates authentication options (challenge, allow_credentials); the client calls navigator.credentials.get() → user verification → returns an assertion → the server verifies it (challenge, origin, RP ID hash, flags, signature counter and signature over authenticatorData || SHA-256(clientDataJSON)).
Use cases: (1) **passwordless authentication** as the primary factor; (2) **MFA second factor**, stronger than TOTP/SMS; (3) **high-value transaction** re-authentication; (4) **account recovery**; (5) **enterprise SSO** integration.
Difference from Passkeys: Passkeys are the subset of WebAuthn discoverable credentials that sync across devices (Apple iCloud, Google, 1Password). Without sync they are device-bound credentials (more secure, less convenient).
Successful deployments: GitHub passkeys 2023, Google passkeys 2023+ (default for new accounts in 2024), Apple ID, Microsoft accounts, Amazon (partial), Shopify, Stripe, Coinbase. Skills: SC-300, Security+, CISSP.