The World Wide Web Consortium moves forward on Web Authentication Level 3, strengthening passwordless login on the web
The World Wide Web Consortium (W3C) has published a new draft of Web Authentication Level 3, a technical standard that underpins passwordless login methods such as security keys, fingerprint readers, and device-based authentication. The update aims to make logging in online more secure, private, and easier for users.
The World Wide Web Consortium (W3C), the international body that develops standards for the web, has released a new version of its Web Authentication specification. Officially titled Web Authentication: An API for accessing Public Key Credentials Level 3, the document is now a Candidate Recommendation, meaning it is largely complete and ready to be tested by browser makers and developers.
What is Web Authentication
Web Authentication, often referred to as WebAuthn, is a technical standard that allows websites to verify who a user is without relying on passwords. Instead of typing a password, users can log in using methods such as a fingerprint scan, face recognition, a PIN stored on their device, or a physical security key.
Behind the scenes, WebAuthn uses public key cryptography, a well-established security technique. When a user registers with a website, their device creates a pair of cryptographic keys. One key stays securely on the user’s device, while the other is shared with the website. During login, the website verifies a cryptographic proof made with the key held on the device, rather than requiring a password.
What it is used for
WebAuthn is used to enable strong authentication on websites and online services. It is already supported by major browsers and operating systems and is used by many platforms to offer passwordless or multi-factor authentication.
Common use cases include logging into email accounts, government services, banking platforms, and workplace systems. Because the authentication is tied to a specific website and device, it helps prevent common attacks such as phishing, credential stuffing, and password reuse.
What is new in Level 3
Level 3 of Web Authentication builds on earlier versions by refining how credentials are created, managed, and verified. It further clarifies how devices, known as authenticators, prove their security properties to websites through a process called attestation.
The specification also strengthens privacy protections. Web browsers act as intermediaries between websites and authenticators, ensuring that websites cannot access more information than necessary. Importantly, authenticators must always require user consent before performing any authentication action.
Why this matters
Passwords remain one of the weakest points of online security. They are often reused, easily guessed, or stolen through phishing and data breaches. WebAuthn addresses these problems by removing passwords from the login process entirely or by making them optional.
For users, this can mean simpler and faster logins without having to remember complex passwords. For organisations, it reduces the risk of account takeovers and the costs associated with password resets and security incidents.
From a broader perspective, WebAuthn is an important step toward a more secure and trustworthy web. Standardising passwordless authentication at a global level allows websites, browsers, and devices to work together in a consistent and interoperable way, rather than relying on proprietary solutions.
What happens next
As a Candidate Recommendation, Web Authentication Level 3 is now open for implementation feedback. The W3C is inviting browser vendors, developers, and other stakeholders to test the specification and report any issues. Comments can be submitted until 10 February 2026.
If widely implemented, the standard will further solidify passwordless authentication as a core building block of the web.
