Passwordless With Web Authentication
The Passwordless With WebAuthn feature lets users verify their identities without passwords. Our implementation requires users to enter their passwords once. On subsequent sign-ins, users can verify their identities through an authenticator.
An authenticator is a device such as a PC, mobile phone, or tablet that can:
- Set up a private/public key pair
- Confirm consent by a user, locally
How It Works
When you sign in to a WebAuthn-enabled app, WebAuthn challenges you to verify your identity through your device, which could be, for example, a PC, a mobile phone, or a tablet. Your device then uses an authenticator such as a fingerprint reader, facial recognition software, or a hardware key to verify your identity. Authenticators are certified through the FIDO Alliance.
Once the authenticator verifies your identity, WebAuthn creates an authentication token. WebAuthn creates a new token every time you sign in. The following diagrams depict the process flow upon user registration, and then on subsequent sign-ins.
The authentication flow varies slightly, depending on whether an authenticator has been configured. The first diagram depicts a flow that includes authenticator registration.
Now that Express has a public key credential for the user’s authenticator, subsequent sign-ins won’t require a password, as depicted here:
If you’re familiar with OpenID Connect (OIDC) specifications, the Web App is the Relying Party, and Express is the Authorization Server.
[“Web Authentication: An API for accessing Public Key Credentials”](https://www.w3.org/TR/webauthn/) by the World Wide Web Consortium (W3C).