**1. Introduction**

Username and password is the *de facto* authentication method used in almost every web application, but it is threatened by several attacks. The most relevant one is phishing. During the last few years, some of the most relevant IT companies have started to develop new solutions which are not vulnerable to these attacks. In this context is where they form the FIDO Alliance to start developing a protocol to use hardware devices and public-key cryptography to perform authentication.

WebAuthn [1] is a new W3C authentication API for browsers to make use of hardware or software FIDO security keys [2] for replacing or complementing the username and password authentication method. Therefore, this new method can be applied in two different use cases: (1) using the security key as a second factor authentication method, usually after a password; (2) using the security key as a first factor authentication method, identifying and authenticating the user, without the need of a username or password. Moreover, web applications are not the unique systems where FIDO security keys can be of use. Operating Systems, like Windows and Linux, have solutions that make use of this new authentication method.
