How it Works


Authentication is one of two ceremonies defined in the WebAuthn specification. The authentication ceremony is used to authenticate a user with a previously registered passkey.

The process

The basic process for the WebAuthn authentication ceremony is that the Relying Party supplies passkey request options along with a one-time challenge that is passed to the WebAuthn API on the client. The WebAuthn API will query available authenticators for a suitable passkey that can complete the authentication ceremony. The Relying Party has the option to provide a list of credential identifiers for passkeys that it will allow or the request can be made without this list to query for discoverable passkeys.

Sequence diagram (participants: Authenticator, Client, Server):

1. Client to Server: "I want to sign in"
2. Server to Client: "Ok. Sign this data, so I know it's you"
3. Client to Authenticator: "Use the private key for my account to sign this data"
4. Authenticator: Sign data with private key
5. Authenticator to Client: "Here's the signed data"
6. Client to Server: "Here's that signed data as proof that it's really me"
7. Server: Validate signature
8. Server to Client: "You're all set!"

The options

The Relying Party provides PublicKeyCredentialRequestOptions during an authentication ceremony. A few of the most important options are:

The WebAuthn specification has more information on options for credential requests.

The validation

The authenticator response is returned to the client via the WebAuthn API and then passed along to the Relying Party server for validation. The Relying Party should validate the response to ensure that requested options were honored and that the signature can be validated with the stored public key. A few of the more important fields to validate are:

If the response is successfully validated, the Relying Party should consider the ceremony a success and continue the authentication workflow.