WebAuthn

WebAuthn Compatibility

WebAuthn support is not uniform across browsers. For services implementing WebAuthn, it is vital to note which operating systems and browsers are supported, and have the appropriate error handling in the event of an unsupported browser.

The information provided is based on general availability (GA) operating system and browser releases and YubiKeys that support the FIDO standards.

Since the arrival of the FIDO2 standard in 2018, there has been a steady shift away from web browsers providing support for WebAuthn credentials, and towards APIs that are made available by the operating system. There is now a mix of support provided by operating systems and by browsers, collectively referred to as platforms.

Operating systems, browsers and platforms

While there are a large number of browser and operating system combinations, because of the differences in ways that support for FIDO is delivered on different platforms, some of those combinations may use the same underlying mechanism to provide FIDO credential support.

Use this chart to determine which FIDO platform is in use for each browser and platform combination.

	Windows 10	Windows 11	MacOS	iOS / iPadOS	Android	Linux
Chrome & Edge (Chromium-based browsers	Windows 10	Windows 11	Chrome on MacOS & Linux	Safari	Google Play Services	Chrome on MacOS and Linux
Safari	N/A	N/A	Safari	Safari	N/A	N/A
Firefox	Windows 10	Windows 11	Safari	Safari	Google Play Services	Firefox on Linux

On Windows 10 and Windows 11, the FIDO support is provided by a Windows API, and all applications including web browsers must use that support unless they’re run with administrative privileges.

On iOS and iPadOS, the FIDO support is provided by an Apple API, and all web browsers must utilize that support.

On macOS, a FIDO API is provided, but its use is not mandatory: * Safari uses the built-in Apple API * Firefox uses the built-in API by default, but that is configurable * Chrome does not use the built-in API for hardware security keys

On Android (version 9 or higher), FIDO support may be provided by Google Play Services (version 24 or higher) on devices that have it installed.

On Linux-based operating systems, there is no system wide API available, so each browser must provide its own FIDO support.

Common use cases

When using FIDO on a YubiKey with a web browser to log in to a website or identity provider, there are three distinct flows:

The first, which is most similar to the original U2F standard, is FIDO as a second factor. This relies on traditional username and password authentication, and then using a YubiKey or similar FIDO device as an MFA factor. This flow is typically used with web sites that have security key support, and requires that the browser support User Presence
The second, passwordless, was introduced with FIDO2. It relies on getting the username either by prompting the user or using persistent cookies, and then prompting the user to use their YubiKey with a PIN (or Fingerprint on the YubiKey Bio series). This flow requires support for User Verification (PIN / Biometric) in the platform and the YubiKey.
The third, usernameless, was also introduced with FIDO2, and has been popularized as passkey logon, where the user only needs to activate their FIDO device using a PIN or biometric, and they can be securely logged into a service. It requires support for Discoverable Credentials, previously known as Resident Keys.

Additionally, there are two more common use cases:

Initial PIN setup happens the first time a user encounters a situation that requires use of a PIN. PIN setup must be successful to continue, but it can be done beforehand on a supported operating system or browser.
Initial fingerprint setup refers to the first time a user enrolls a fingerprint on a YubiKey Bio Series device. This is optional on YubiKey Bio Series devices, and can be done at any time. You do not need to use the same browser or device to enroll fingerprints.

Passwordless, usernameless, and initial PIN setup are not supported on U2F-only devices such as the YubiKey 4 Series and the YubiKey NEO.

Use case support

	Windows 10	Windows 11	Chrome on macOS and Linux	Safari	Google Play Services (Android)	Firefox on Linux
Usernameless	✅USB ✅NFC	✅USB ✅NFC	✅USB	✅USB ✅NFC ✅Lightning	✅USB ❌NFC	✅USB
Passwordless	✅USB ✅NFC	✅USB ✅NFC	✅USB	✅USB ✅NFC ✅Lightning	✅USB ❌NFC	✅USB
Second Factor	✅USB ✅NFC	✅USB ✅NFC	✅USB	✅USB ✅NFC ✅Lightning	✅USB ✅NFC	✅USB
Initial PIN Setup	✅USB ✅NFC	✅USB ✅NFC	✅USB	✅USB ✅NFC ✅Lightning	✅USB ❌NFC	❌
Initial Fingerprint Setup	✅USB [Windows 10 allows for the enrollment of new fingerprints, but will not prompt for it automatically.]	✅USB [Windows 11 allows for the enrollment of new fingerprints, but will not prompt for it automatically.]	✅USB [Chrome on macOS and Linux will prompt for biometric enrollment any time the user registers the YubiKey on a new site if fingerprints aren’t already enrolled.]	❌	❌	❌

Feature support

	Windows 10	Windows 11	Chrome on macOS and Linux	Safari	Google Play Services (Android)	Firefox on Linux
AlwaysUV	✅USB ✅NFC	✅USB ✅NFC	✅USB	❌	✅USB [Firefox for Android lacks full support for the AlwaysUV feature.] ❌NFC	✅USB
Force PIN Change	❌	✅USB ✅NFC	✅USB	❌	❌	❌

Key:

	Description
✅USB	Feature is supported over USB only.
✅USB ✅NFC	Feature is supported over USB or NFC, if a supported NFC reader is attached.
✅USB ✅NFC ✅Lightning	Feature is supported over USB, NFC or Lightning, if available on the device.
✅USB ❌NFC	Feature is supported over USB, but not NFC, even if an NFC reader is present.
❌	Feature is not supported over any transport.