WebAuthn is a new standard for strong authentication on the web, giving users an easy to use, phishing-resistant way to authenticate. This talk will look at how the standard enables key use cases of second factor authentication (2FA) and primary login with WebAuthn capable devices and explore practical considerations for deploying it. I’ll talk about lessons learned adding WebAuthn 2FA support to Dropbox and discuss policy and usability questions around using WebAuthn for primary login. To get to a world where WebAuthn replaces passwords, we’ll need to figure out how to handle varying device capabilities and account recovery. Even before resolving these questions, WebAuthn offers clear benefits that encourage deployment.