WebAuthn — from credentials.create() to synced passkeys.
How the web platform absorbed FIDO — from the W3C Credential Management API in 2016 to ubiquitous platform-synced passkeys in 2024 — and what each WebAuthn level added along the way.
W3C Credential Management API
The browser foundation for credential storage and retrieval. The WebAuthn standard will live on top of this API.
WebAuthn Working Draft
W3C Web Authentication WG publishes first public working drafts.
WebAuthn Level 1 Candidate Recommendation
Major browsers ship behind a flag. CTAP2.0 published in parallel. The "FIDO2" pairing is official.
WebAuthn Level 1 Recommendation
Stable W3C Recommendation. Chrome, Edge, Firefox, Safari ship platform support.
Conditional UI first proposals
Discussion of autofill-style passkey UX begins. The path to passkey ubiquity opens.
WebAuthn Level 2 published
Adds residentKey / requireResidentKey semantics, large-blob extension, algorithm agility. Foundation for passkeys.
Apple, Google, Microsoft announce passkeys
WWDC22 + Google I/O announce platform-synced FIDO credentials. iCloud Keychain and Google Password Manager become passkey vaults.
Cross-device authentication shipping
Hybrid CTAP transport (Bluetooth + tunnel server) lets a phone authenticate a desktop session.
Passkeys at consumer scale
1Password, Dashlane, Bitwarden ship passkey support. Major consumer sites (Google, eBay, Amazon, GitHub) accept passkeys as a primary factor.
WebAuthn Level 3 Working Draft
Signal API for orphan credentials, conditional-mediation v2, attestation-conveyance refinements.
Per-credential provenance policy
Relying parties begin to distinguish attested-hardware passkeys from synced passkeys at policy time. AmbiSecure validation server records AAGUID + transport + attestation per credential.
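A sketch of how a relying party might build such a per-credential record at registration time. This is an added example, not AmbiSecure's code. It goes beyond the fields named above by also reading the backup-eligibility (BE) and backup-state (BS) flags from the authenticator data. The function names, record fields, provenance labels and AAGUID allowlist are assumptions, and attestation statement verification is assumed to happen elsewhere and is passed in as a boolean.

```javascript
// Added example: field names, provenance labels and the allowlist are assumptions.
const FLAG = { BE: 0x08, BS: 0x10, AT: 0x40 }; // authenticator data flag bits
// Hypothetical allowlist of AAGUIDs trusted as hardware-bound (constructed value).
const TRUSTED_HW_AAGUIDS = new Set(["00112233-4455-6677-8899-aabbccddeeff"]);

function formatAaguid(bytes) {
  const hex = Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
  return [hex.slice(0, 8), hex.slice(8, 12), hex.slice(12, 16), hex.slice(16, 20), hex.slice(20)].join("-");
}

// authData: rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | credIdLen(2) | credId | COSE key
function provenanceRecord(authData, attestationFmt, attestationVerified, transports) {
  if (authData.length < 37) throw new Error("authenticator data too short");
  const flags = authData[32];
  const backupEligible = (flags & FLAG.BE) !== 0;
  const backedUp = (flags & FLAG.BS) !== 0;
  // BS without BE is not a valid combination; reject rather than guess.
  if (backedUp && !backupEligible) throw new Error("invalid flags: BS set without BE");
  if (!(flags & FLAG.AT)) throw new Error("no attested credential data");
  if (authData.length < 55) throw new Error("attested credential data truncated");
  const aaguid = formatAaguid(authData.subarray(37, 53));
  const credIdLen = (authData[53] << 8) | authData[54];
  if (authData.length < 55 + credIdLen) throw new Error("credential id truncated");

  // An AAGUID is only meaningful for policy if the attestation statement verified.
  let provenance = "device-bound-unverified";
  if (backupEligible) provenance = "synced"; // BE=1 marks a multi-device credential
  else if (attestationVerified && attestationFmt !== "none" && TRUSTED_HW_AAGUIDS.has(aaguid)) {
    provenance = "attested-hardware";
  }
  return { aaguid, transports, attestationFmt, backupEligible, backedUp, provenance };
}

// Constructed sample input: zeroed rpIdHash and signCount, 4-byte credential id, no COSE key.
function sampleAuthData(flags, aaguidHex) {
  const credId = [0xde, 0xad, 0xbe, 0xef];
  const out = new Uint8Array(55 + credId.length);
  out[32] = flags;
  for (let i = 0; i < 16; i++) out[37 + i] = parseInt(aaguidHex.slice(i * 2, i * 2 + 2), 16);
  out[54] = credId.length;
  out.set(credId, 55);
  return out;
}
```

The record is taken at registration because attested credential data, including the AAGUID, is only present when the AT flag is set; BE and BS can be re-read on later assertions to track backup state.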