🛡️ FIDO2 / WebAuthn Protocol

WebAuthn Biometric Authentication

HumanAttest uses the W3C WebAuthn standard to verify physical human presence using your device's built-in biometric sensor: Touch ID, Face ID, or a hardware security key. No passwords. No phishing. No remote bypass.

What is WebAuthn?

WebAuthn (Web Authentication) is a W3C standard that allows websites to authenticate users using public-key cryptography instead of passwords. It is the core of the FIDO2 specification and is natively supported in Chrome, Firefox, Safari, and Edge.

When you register with HumanAttest, your device generates a unique cryptographic key pair. The private key never leaves your device. The public key is stored on our server. Every verification challenge is signed locally; we never see your biometric data.

How HumanAttest Uses WebAuthn

Registration

You register once. Your device creates a key pair. The public key is stored on our server. Your fingerprint or face scan stays on your device, always.

Send Interception

When you click Send in Gmail, the extension pauses the action and requests a WebAuthn assertion from your device.

Local Signing

Your device prompts for biometric confirmation (Touch ID / Face ID / PIN). The challenge is signed locally using your private key.

Server Verification

Our server verifies the signature using your stored public key. If valid, the send action is released and a SHA-256 hash is logged.
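The server-side checks behind this flow, and behind the origin-binding and replay guarantees, as an added Node.js example. It is not HumanAttest's own code. It assumes an ES256 (P-256) credential, and the origin `https://mail.example`, the RP ID `mail.example`, the result strings and the software authenticator `makeAssertion` are constructed for illustration.

```javascript
// Added example: server-side checks on a WebAuthn assertion (ES256 credential assumed).
const crypto = require('node:crypto');
const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();

// expected: { challenge, origin, rpId, publicKey, signCount } held by the server per user.
function verifyAssertion(assertion, expected) {
  let client;
  try { client = JSON.parse(assertion.clientDataJSON.toString('utf8')); }
  catch { return 'bad-client-data'; }
  if (client.type !== 'webauthn.get') return 'wrong-type';
  if (client.challenge !== expected.challenge) return 'challenge-mismatch'; // stale or replayed
  if (client.origin !== expected.origin) return 'origin-mismatch';          // signed for another site
  const auth = assertion.authenticatorData; // rpIdHash(32) | flags(1) | signCount(4)
  if (auth.length < 37) return 'short-authdata';
  if (!auth.subarray(0, 32).equals(sha256(Buffer.from(expected.rpId)))) return 'rpid-mismatch';
  if (!(auth[32] & 0x01)) return 'user-not-present';  // UP flag
  if (!(auth[32] & 0x04)) return 'user-not-verified'; // UV flag: biometric or PIN was checked
  const count = auth.readUInt32BE(33);
  if ((count || expected.signCount) && count <= expected.signCount) return 'counter-regressed';
  // The signature covers authenticatorData || SHA-256(clientDataJSON).
  const signed = Buffer.concat([auth, sha256(assertion.clientDataJSON)]);
  return crypto.verify('sha256', signed, expected.publicKey, assertion.signature) ? 'ok' : 'bad-signature';
}

// Constructed fixture: a software stand-in for the authenticator, used only to feed the verifier.
function makeAssertion(privateKey, p) {
  const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge: p.challenge, origin: p.origin }));
  const counter = Buffer.alloc(4);
  counter.writeUInt32BE(p.signCount);
  const authenticatorData = Buffer.concat([sha256(Buffer.from(p.rpId)), Buffer.from([p.flags]), counter]);
  const toSign = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: crypto.sign('sha256', toSign, privateKey) };
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const challenge = crypto.randomBytes(32).toString('base64url');
  const expected = { challenge, origin: 'https://mail.example', rpId: 'mail.example', publicKey, signCount: 5 };
  const good = { challenge, origin: expected.origin, rpId: expected.rpId, flags: 0x05, signCount: 6 };
  const tampered = makeAssertion(privateKey, good);
  tampered.authenticatorData[36] ^= 0x01; // alter the counter after signing
  return {
    genuine: verifyAssertion(makeAssertion(privateKey, good), expected),
    otherOrigin: verifyAssertion(makeAssertion(privateKey, { ...good, origin: 'https://lookalike.example' }), expected),
    replayed: verifyAssertion(makeAssertion(privateKey, good), { ...expected, challenge: 'next-challenge' }),
    noBiometric: verifyAssertion(makeAssertion(privateKey, { ...good, flags: 0x01 }), expected),
    tampered: verifyAssertion(tampered, expected),
  };
}
console.log(demo());
```

A production verifier would also expire each challenge after a short window and store the new `signCount` after every successful check.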

Security Guarantees

🔑

Phishing-Resistant

Private keys are bound to the origin domain. A fake site cannot steal your credentials.

📵

No Remote Bypass

Biometric verification requires physical device presence. Session hijackers cannot pass this check.

🧬

Zero Biometric Transmission

Your fingerprint or face scan is processed entirely on-device by the OS. We never receive it.

🔒

Replay-Proof

Each challenge is unique and time-bound. Captured responses cannot be reused.

Supported Authenticators

Touch ID (macOS / iOS), Face ID (iPhone / iPad), Windows Hello, YubiKey (FIDO2), Android Fingerprint, Chrome on Android