The science of security can be set on rm foundations via the formal verication of protocols. New protocols can have their design validated in a mechanized manner for security aws, allowing protocol designs to be scientically compared in a neutral manner. Given that these techniques have discovered critical aws in protocols such as TLS 1.2 and are now being used to redesign protocols such as TLS 1.3, we demonstrate how formal verication can be used to analyze new protocols such as the W3C Web Authen-tication API. We model W3C Web Authentication with the formal verication language ProVerif, showing that the protocol itself is secure. However, we also stretch the boundaries of formal verica-tion by trying to verify the privacy properties of W3C Web Authen-tication given in terms of the same origin policy. We use ProVerif to show that without further mandatory requirements in the speci-cation, the claimed privacy properties do not hold. Next steps on how formal verication can be further integrated into standards and the further development of the privacy properties of W3C Web Authentication is outlined.