Platform Authenticator Demo - Online Fingerprint & Face ID

Register New Credential

Create a new biometric credential using your device's fingerprint, Face ID, or PIN.

Authenticate

Use your registered biometric credential to authenticate securely.

Frequently Asked Questions

A platform authenticator is a biometric or PIN-based authentication mechanism built directly into your device. Examples include Apple's Touch ID / Face ID, Windows Hello, and Android fingerprint/face unlock. Unlike external USB security keys (roaming authenticators), platform authenticators are bound to a single device and cannot be moved.

No. Your actual fingerprint, face scan, or biometric data never leaves your device. The WebAuthn API only sends a cryptographic proof that you successfully verified your identity. The biometric matching happens entirely within your device's secure enclave (e.g., Apple's Secure Enclave, Android's TEE, or Windows TPM). Websites only receive a public key credential, not your biometric data.

WebAuthn is supported in all modern browsers: Chrome 67+, Firefox 60+, Safari 13+, Edge 18+. Platform authenticator support (fingerprint/Face ID) requires a compatible device; most modern smartphones, tablets, and laptops with biometric sensors are supported. The API requires a secure context (HTTPS or localhost) to function.

Discoverable credentials (also called resident keys) allow usernameless authentication. The credential is stored on the authenticator itself, so when you authenticate, the browser can discover which credentials are available without you needing to enter a username first. This enables a seamless "sign in with biometrics" experience: just tap your finger or look at your camera and you're logged in.

Biometric authentication via WebAuthn is significantly more secure than passwords. Key advantages: (1) Phishing-resistant: credentials are bound to the website's domain, so fake websites cannot steal them. (2) No shared secrets: only public keys are stored on servers, so data breaches don't expose credentials. (3) Hardware-backed: private keys are stored in secure hardware. (4) Unique per site: each website gets a different credential, preventing cross-site tracking.
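The domain binding described above is something the website's server has to check on every sign-in. The following Node.js sketch is an added example, not code from this demo: it inspects the two fields of a WebAuthn assertion that carry the binding, and the origin, RP ID, function names and sample values are all constructed for illustration.

```javascript
const crypto = require('crypto');

// Values the relying party expects (constructed for this example).
const EXPECTED = { origin: 'https://login.example', rpId: 'login.example' };

const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Returns a list of binding errors; an empty list means the site-binding checks passed.
// The signature over authenticatorData || SHA-256(clientDataJSON) must still be
// verified with the stored public key; that step is outside this example.
function checkAssertionBinding(clientDataJSON, authenticatorData, expectedChallenge) {
  const errors = [];
  let client;
  try {
    client = JSON.parse(clientDataJSON.toString('utf8'));
  } catch {
    return ['clientDataJSON is not valid JSON'];
  }
  if (client.type !== 'webauthn.get') errors.push('unexpected type');
  if (client.challenge !== expectedChallenge) errors.push('challenge mismatch');
  // The browser, not the page, writes the origin, so a look-alike site cannot forge it.
  if (client.origin !== EXPECTED.origin) errors.push('origin mismatch');

  // authenticatorData layout: 32-byte rpIdHash, 1 flags byte, 4-byte signature counter.
  if (authenticatorData.length < 37) return errors.concat('authenticatorData too short');
  const rpIdHash = authenticatorData.subarray(0, 32);
  if (!crypto.timingSafeEqual(rpIdHash, sha256(EXPECTED.rpId))) errors.push('rpIdHash mismatch');
  const flags = authenticatorData[32];
  if (!(flags & 0x01)) errors.push('user not present');   // UP bit
  if (!(flags & 0x04)) errors.push('user not verified');  // UV bit (biometric or PIN)
  return errors;
}

// Builds a constructed assertion for testing; real values come from the browser.
function sampleAssertion(origin, rpId, challenge, flags) {
  const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([flags, 0, 0, 0, 1])]);
  return { clientDataJSON, authenticatorData };
}
```
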

If you lose your device, the platform authenticator credentials are protected by the device's security features (encryption, secure enclave). You should revoke the lost device's credentials from your account settings on each website. Most services offer recovery options like backup codes, email verification, or secondary authenticators. It's recommended to register multiple credentials (e.g., both your phone and laptop) for redundancy.

WebAuthn requires a secure context (HTTPS or localhost) to prevent man-in-the-middle attacks. The browser enforces this to ensure that the website you're authenticating with is genuinely the site it claims to be. Without HTTPS, an attacker could intercept the authentication ceremony. Localhost is exempt for development purposes.

Platform authenticator credentials are device-specific. You'll need to register each device separately. For cross-device usage, consider using a roaming authenticator (USB security key) or registering biometric credentials on each device you use. Many services allow multiple credentials per account, making it easy to authenticate from any of your registered devices.

None: No attestation data is provided; best for privacy, most common for consumer websites. Indirect: The authenticator's attestation is anonymized through a trusted third party. Direct: Full attestation data including authenticator model and manufacturer; useful for enterprise environments that need to verify specific hardware models. This demo uses "none" for maximum privacy.

You can remove saved credentials from this demo's list using the delete button, which clears the record from local storage. To fully remove a biometric credential from your device, go to your operating system's security settings (e.g., Windows Hello settings, macOS Touch ID settings, or your browser's security/privacy settings). Note that removing from this demo only removes the local reference; the actual credential on your authenticator remains until removed at the OS level.