Second-Factor With Web Authentication

auth

Second-factor authentication requires users to confirm their identities through another method in addition to the usual username/password credentials. After supplying the usual username and password, the app sends the user a confirmation code through SMS or Email. The user must enter that confirmation code before the system signs them into the app.

The Second-factor authentication with web authentication feature uses an alternative to the confirmation code method. The alternative is to use an authenticator.

An authenticator is a device such as a PC, mobile phone, or tablet that can:

Set up a private/public key pair
Locally confirm consent by a user

How It Works

The following diagram depicts the sign-in flow, before an authenticator is registered:

Note: If the user chooses SMS/Email for a second factor, as depicted in step 4, the process defaults to a standard second-factor authentication process.

Now that Express has a public key credential for the authenticator, subsequent sign-ins use the authenticator as a second factor:

If you’re familiar with OpenID Connect (OIDC) specifications, the Web App is the Relying Party, and the ForgeRock Identity Cloud is the Authorization Server.

For more information, see this link for the NPM ForgeRock JavaScript SDK package.