OWASP · YK-03 · Mar 5, 2026 · Mar 9, 2026
@@ -245,11 +245,11 @@ Error disclosure can also be used as a discrepancy factor, consult the [error ha
 
 There are a number of different types of automated attacks that attackers can use to try and compromise user accounts. The most common types are listed below:
 
-| Attack Type | Description |
-|-------------|-------------|
-| Brute Force | Testing multiple passwords from a dictionary or other source against a single account. |
-| Credential Stuffing | Testing username/password pairs obtained from the breach of another site. |
-| Password Spraying | Testing a single weak password against a large number of different accounts.|
+| Attack Type         | Description                                                                                      |
+|---------------------|--------------------------------------------------------------------------------------------------|
+| Brute Force         | Testing multiple passwords from a dictionary or other source against a single account.           |
+| Credential Stuffing | Testing username/password pairs obtained from the breach of another site.                        |
+| Password Spraying   | Testing a single weak password against a large number of different accounts.                     |
 
 Different protection mechanisms can be implemented to protect against these attacks. In many cases, these defenses do not provide complete protection, but when a number of them are implemented in a defense-in-depth approach, a reasonable level of protection can be achieved.
 
@@ -341,7 +341,11 @@ UAF takes advantage of existing security technologies present on devices for aut
 
 U2F augments password-based authentication using a hardware token (typically USB) that stores cryptographic authentication keys and uses them for signing. The user can use the same token as a second factor for multiple applications. U2F works with web applications. It provides **protection against phishing** by using the URL of the website to look up the stored authentication key.
 
-**FIDO2**: FIDO2 and WebAuthn, encompassing previous standards (UAF/U2F), form the foundation of modern **Passkeys** technology. Passkeys enable users to securely log in using local user verification (such as biometrics or device PINs) and often supporting cloud synchronization across devices. This technology is widely supported by major platforms. (Windows Hello/Mac Touch ID)
+**FIDO2**: FIDO2 and WebAuthn, encompassing previous standards (UAF/U2F), form the foundation of modern **Passkeys** technology. Passkeys enable users to securely log in using local user verification (such as biometrics or device PINs) and often supporting cloud synchronization across devices. This technology is widely supported by major platforms (Windows Hello/Mac Touch ID).
+
+Developers implementing passkeys should rely on well-maintained WebAuthn libraries or platform APIs instead of attempting to implement authentication logic manually. Using mature libraries helps ensure correct handling of cryptographic operations, token validation, and browser compatibility across platforms.
+
+See also: [Web Authentication API (WebAuthn)](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API).
 
 ## Password Managers