WebAuthn: Web Authentication API

Last updated: 2/9/2026 | Reading time: 5 min

WebAuthn

security

Full Name: Web Authentication API

Definition

WebAuthn (Web Authentication API) is a W3C standard that enables strong, phishing-resistant authentication for web applications using public key cryptography and platform authenticators. Part of the FIDO2 framework (together with CTAP, the Client-to-Authenticator Protocol), WebAuthn allows users to authenticate to websites using biometric sensors (fingerprint readers, facial recognition cameras), roaming security keys (USB, NFC, or Bluetooth devices), or platform authenticators built into operating systems. The protocol works by generating a unique asymmetric key pair for each website (relying party) during registration, with the private key stored securely on the user's device (in the TEE, Secure Enclave, or security key hardware) and the public key shared with the website. During authentication, the website sends a cryptographic challenge, and the authenticator proves possession of the private key by signing the challenge, with the user authorizing the operation through biometrics or a PIN. WebAuthn is architecturally aligned with the EUDI Wallet's security model -- both systems use device-bound keys, hardware-protected key storage, biometric user verification, and challenge-response protocols that are inherently resistant to phishing, credential theft, and replay attacks. The EUDI Wallet extends these principles from basic authentication (proving "I am the same person who registered") to verifiable credential presentation (proving "I have these specific verified attributes").

WebAuthn Architecture and Security Model

The WebAuthn security model is built on three foundational principles that make it significantly more secure than password-based authentication. First, origin binding ensures that each credential is cryptographically bound to the specific website origin (domain) for which it was created. The browser records the origin it actually observed in the client data that the authenticator signs together with the challenge, and the credential itself is scoped to the site's relying-party identifier, so a phishing site (with a different domain) can neither invoke the credential nor produce a signed response that the legitimate site will accept. This is a fundamental improvement over passwords, which can be entered on any website regardless of whether it is legitimate.

Second, the asymmetric cryptography model means that no shared secret (like a password) exists between the user and the website. The website stores only the user's public key, which is useless for impersonation even if the website's database is breached. The private key never leaves the authenticator hardware, eliminating the possibility of credential theft through server-side database breaches, network interception, or social engineering. This is directly analogous to how the EUDI Wallet's device-bound keys protect credential presentations.

Third, user verification through biometrics or a local PIN ensures that physical possession of the device alone is not sufficient to authenticate. The authenticator requires the user to verify their identity locally before performing any cryptographic operation, providing a second factor (biometric or knowledge) that is verified locally without being transmitted over the network. This local verification model protects user biometric data from network-level attacks and server-side breaches, a principle that the EUDI Wallet also implements for credential presentation authorization.

WebAuthn and EUDI Wallet: Shared Principles, Different Scopes

WebAuthn and the EUDI Wallet represent two complementary approaches to digital identity, sharing core security principles but serving different functional scopes. WebAuthn focuses on authentication: proving that the current user is the same person who previously registered with a specific website. The credential is a simple key pair with no inherent identity information -- the website associates the public key with a user account during registration, and subsequent authentications merely prove the user possesses the corresponding private key.

The EUDI Wallet extends this model to verifiable identity: proving that the user possesses specific attributes that have been certified by a trusted authority. A wallet credential contains structured claims (name, date of birth, nationality, qualifications) signed by an authoritative issuer, along with device-binding mechanisms similar to WebAuthn. This means the EUDI Wallet can serve both authentication and identity verification purposes, while WebAuthn serves only authentication. For services that need to know who the user is (not just that they are a returning user), the EUDI Wallet provides capabilities that WebAuthn alone cannot.

In practice, WebAuthn and the EUDI Wallet are likely to coexist and complement each other. A service might use EUDI Wallet credential presentation for initial identity verification (onboarding, age verification, KYC) and then register a WebAuthn credential for subsequent passwordless authentication sessions. This combination uses the EUDI Wallet's rich identity verification for the first interaction and WebAuthn's lightweight, fast authentication for subsequent visits, providing both security and convenience.

Passkeys and the Evolution Toward EUDI Wallet

Passkeys, the consumer-friendly implementation of WebAuthn credentials promoted by Apple, Google, and Microsoft, represent a significant step toward mainstream adoption of public key-based authentication. By integrating WebAuthn credentials with platform-level credential management (iCloud Keychain, Google Password Manager, Windows Hello) and enabling cross-device synchronization, passkeys make passwordless authentication accessible to non-technical users. The rapid adoption of passkeys is creating familiarity with biometric-based, device-centric authentication that will ease the adoption of the EUDI Wallet.

However, passkeys have limitations that the EUDI Wallet addresses. Synced passkeys sacrifice the hardware binding guarantee (the private key leaves the device's secure element for cloud synchronization), which may not meet the security requirements for government-issued identity credentials. Passkeys do not carry verified attributes -- they only prove device possession, not identity. And passkeys are controlled by platform vendors (Apple, Google, Microsoft), creating concerns about vendor lock-in and platform dependency that the EUDI Wallet's standardized, regulated architecture avoids.

The EUDI Wallet can be seen as the next evolution beyond passkeys: maintaining the same user-friendly, biometric-first authentication experience but adding verified identity attributes, regulatory governance, hardware-bound security guarantees, and cross-border interoperability. Users familiar with the "use your fingerprint to log in" experience of passkeys will find the EUDI Wallet's interaction model immediately intuitive, while gaining the additional capability of proving specific identity attributes rather than just device possession.


⚠️ Independent Information

This website is NOT affiliated with the European Commission or any EU government. We provide independent, easy-to-understand information about EUDI.
