English for WebAuthn and Passkeys

Learn the English vocabulary for WebAuthn and passkeys: relying party, authenticator, attestation, and platform vs. cross-platform credentials.

Passkey rollouts generate a lot of confused support and engineering conversations, partly because the underlying terms — relying party, authenticator, attestation — are unfamiliar even to engineers who understand passwords and OAuth well. Getting these names right makes it much easier to diagnose why a user “can’t log in with their passkey.”

Key Vocabulary

Relying party (RP) — the website or application that requests WebAuthn authentication, identified by its domain (the relying party ID, or RP ID), which must match exactly for a passkey to be usable. “The passkey stopped working after we moved auth to a new subdomain — the relying party ID changed, and credentials registered under the old domain aren’t valid under the new one.”

Authenticator — the hardware or software component that actually generates and stores the cryptographic key pair, such as a phone’s secure enclave, a security key, or a password manager. “The user’s authenticator is their phone’s built-in one, so if they don’t have the phone nearby, they can’t complete a platform passkey login on that device.”

Attestation — a cryptographic statement from the authenticator, provided during registration, that can prove properties about the device (like its make and model). It is typically not required for passkeys aimed at general consumer login. “We turned off attestation requirements for the consumer login flow — enforcing it made sense for our enterprise SSO but was blocking passkeys from password managers for regular users.”

Platform vs. cross-platform authenticator — platform authenticators are built into the device (Face ID, Windows Hello); cross-platform authenticators are portable, like a USB security key or a synced passkey from a password manager, usable across devices. “We support both — Face ID for a quick platform login on the user’s own phone, and a cross-platform security key option for shared or enterprise-managed machines.”

Passkey syncing — the mechanism by which a passkey created on one device becomes available on the user’s other devices through their platform account (iCloud Keychain, Google Password Manager), without a new registration ceremony. “The user registered their passkey on their laptop, and it just appeared on their phone because both are signed into the same iCloud account — no re-registration needed.”
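
To make the relying party entry concrete, the sketch below is an added example (not part of the original page) that classifies a failed passkey login by RP ID. The function names, result strings, and example.com hosts are hypothetical, and the suffix check is a simplification: a real browser consults the Public Suffix List to decide which parent domains are allowed as an RP ID.

```javascript
// Added example: triage a "passkey stopped working" report by RP ID.
// All names and hosts are hypothetical; sample scenarios are constructed.

// True if `rpId` may be used by a page at `origin`.
// Simplified rule: secure context, and RP ID equals the host or is a
// multi-label parent of it on a label boundary (no Public Suffix List).
function rpIdValidForOrigin(rpId, origin) {
  const url = new URL(origin);
  const host = url.hostname.toLowerCase();
  const id = rpId.toLowerCase();
  const secure = url.protocol === "https:" || host === "localhost";
  if (!secure) return false;
  if (id === host) return true;
  // "example.com" fits "auth.example.com"; "ample.com" does not.
  return id.includes(".") && host.endsWith("." + id);
}

// Classify the failure from three facts a support engineer can collect:
// the page origin, the RP ID the server sends now, and the RP ID that was
// in effect when the credential was registered.
function diagnoseRpId({ origin, configuredRpId, registeredRpId }) {
  if (!rpIdValidForOrigin(configuredRpId, origin)) {
    // The browser refuses the WebAuthn call before any authenticator is asked.
    return "rp-id-not-allowed-for-origin";
  }
  if (configuredRpId.toLowerCase() !== registeredRpId.toLowerCase()) {
    // The credential still exists, but it is scoped to the old RP ID.
    return "rp-id-mismatch";
  }
  return "ok";
}

// Constructed scenarios for the subdomain move described in the glossary.
const scenarios = [
  { note: "moved auth to a new subdomain, RP ID followed the host",
    origin: "https://login.example.com",
    configuredRpId: "login.example.com", registeredRpId: "auth.example.com" },
  { note: "RP ID scoped to the parent domain, survives the move",
    origin: "https://login.example.com",
    configuredRpId: "example.com", registeredRpId: "example.com" },
  { note: "server still sends the old subdomain as RP ID",
    origin: "https://login.example.com",
    configuredRpId: "auth.example.com", registeredRpId: "auth.example.com" },
];

for (const s of scenarios) {
  console.log(`${diagnoseRpId(s).padEnd(30)} ${s.note}`);
}
```

The second scenario shows why scoping the RP ID to the parent domain at registration time keeps credentials usable when the login page moves between subdomains.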

Common Phrases

  • “Is this a relying-party ID mismatch, or is the credential genuinely missing from the authenticator?”
  • “Do we actually need attestation for this flow, or is that requirement blocking valid passkeys unnecessarily?”
  • “Is the user trying a platform authenticator on a device without one, or is this a cross-platform key issue?”
  • “Will this passkey sync across the user’s devices, or was it registered as a non-syncing, device-bound credential?”
  • “Is the login failing at the browser API level, or is our relying-party configuration rejecting a valid response?”

Example Sentences

Diagnosing a support ticket: “The user says their passkey ‘disappeared’ — most likely they signed into a different platform account (a new phone, a different Google account) that isn’t synced to where the passkey was created.”

Explaining a security decision in a design review: “We’re not requiring attestation for this login flow, since we’re optimizing for passkey adoption across password managers, and attestation would exclude several popular ones.”

Describing a rollout plan: “We’re launching passkeys as an option alongside passwords first, not a replacement, since cross-device syncing behavior still confuses a meaningful share of users.”

Professional Tips

  • Say relying party explicitly when debugging domain-related passkey failures — “the login broke after the domain change” is much clearer once you name the RP ID mismatch.
  • Distinguish platform and cross-platform authenticators when writing support documentation — telling a user to “use your authenticator” without specifying which kind leads to confused replies.
  • Explain attestation requirements deliberately in security reviews — requiring it by default without justification quietly excludes many valid consumer authenticators.
  • Reference passkey syncing when a user reports credentials “moving” between devices — this is expected platform behavior, not a bug, and naming it prevents unnecessary escalations.

Practice Exercise

  1. Explain the difference between a platform and a cross-platform authenticator.
  2. Describe a situation where a relying-party ID mismatch would break passkey login.
  3. Write a sentence explaining why attestation isn’t usually required for consumer passkeys.