Passwordless With Web Authentication

The Passwordless With WebAuthn feature lets users verify their identities without passwords. Our implementation requires users to enter their passwords once. On subsequent sign-ins, users can verify their identities through an authenticator.

An authenticator is a device such as a PC, mobile phone, or tablet that can:

  • Set up a private/public key pair
  • Confirm consent by a user, locally

How It Works

When you sign in to a WebAuthn-enabled app, WebAuthn challenges you to verify your identity through your device, which could be, for example, a PC, a mobile phone, or a tablet. Your device then uses an authenticator such as a fingerprint reader, facial recognition software, or a hardware key to verify your identity. Authenticators are certified through the FIDO Alliance.

Once the authenticator verifies your identity, WebAuthn creates an authentication token. WebAuthn creates a new token every time you sign in. The following diagrams depict the process flow upon user registration, and then on subsequent sign-ins.

The authentication flow varies slightly, depending on whether an authenticator has been configured. The first diagram depicts a flow that includes authenticator registration.

[Diagram: first sign-in, including authenticator registration]

Now that Express has a public key credential for the user’s authenticator, subsequent sign-ins won’t require a password, as depicted here:

[Diagram: subsequent passwordless sign-in using the registered authenticator]

If you’re familiar with OpenID Connect (OIDC) specifications, the Web App is the Relying Party, and Express is the Authorization Server.

For the underlying specification, see "Web Authentication: An API for accessing Public Key Credentials" by the World Wide Web Consortium (W3C).

For more information, see the ForgeRock JavaScript SDK package on NPM.

If you have questions, email [email protected].