W3C advances Web Authentication Level 3 for stronger browser-based sign-ins

The World Wide Web Consortium Web Authentication Working Group has published an updated Candidate Recommendation Snapshot of Web Authentication: An API for accessing Public Key Credentials Level 3 on 26 May 2026.

The specification defines an API that enables web applications to create and use public-key-based credentials to authenticate users. These credentials are scoped to a specific relying party, meaning they are bound to the website or service that created them and cannot be used across unrelated services.

WebAuthn is the technical basis for many passwordless authentication systems, including passkeys. Instead of relying on shared secrets such as passwords, the model uses cryptographic credentials stored by authenticators such as security keys, smartphones, or built-in device authentication systems.

The browser mediates access between websites and authenticators. This is intended to protect user privacy and ensure that authentication operations require user consent. The specification also describes how authenticators provide cryptographic proof of their properties through attestation.

The Level 3 draft includes work on credential creation and authentication flows, authenticator behaviour, extensions, privacy considerations, accessibility considerations, and test vectors for implementers.

As a Candidate Recommendation Snapshot, the document has received wide review and is intended to gather implementation experience before advancing further in the W3C standards process.

The specification will remain at Candidate Recommendation stage at least until 23 June 2026, with comments invited through GitHub issues.