Term Description
Assertion Verification of a signature against an existing credential
Attestation Creation and declaration of a new credential
Authenticator The device through which authentication occurs, typically a Platform authenticator (mobile device) or external security key
Authorization gesture A physical interaction with an authenticator, for example touch of a finger, or scan of a face.
Base64URL Modification of the main Base64 standard supporting use in URL addresses.
Biometric A physical characteristic such as fingerprint or facial appearance
CBOR Concise Binary Object Representation.
Challenge Random set of bits used to prevent replay attacks.
COSE CBOR Object Signing and Encryption. Find a list of numeric identifiers (such as -7, -257 etc) and algorithms here.
CTAP Client to Authenticator Protocol
Credential Contains a challenge, public key, and meta data about the credential.
Private key Matches to the corresponding public key
Public key Matches to the corresponding private key
Relying Party A website offering Web Authentication integration
Replay attack Also known as playback attack. A form of network attack in which data transmission is maliciously or fraudulently repeated or delayed. This is the reason challenges are required in Web Authentication.
Transports The method through which credentials are transported from the authenticator such as platform (built-in device), usb, ble (bluetooth) and nfc
Uint8Array A Javascript object representation
UV User verification - an action such as providing a fingerprint or looking into a camera for facial recognition

Also see the official spec for some additional terms & definitions.