
Passwordless Login + WebAuthn

This authentication flow lets users verify their identity without typing a password on every sign-in. In the Express implementation, users enter their password once, when their authenticator is registered. On subsequent sign-ins they verify their identity through the authenticator instead.

An authenticator is hardware or software, built into a device such as a PC, mobile phone, or tablet, or carried as a separate security key, that can:

  • Generate a private/public key pair and keep the private key on the device
  • Confirm the user's consent locally, for example with a PIN, fingerprint, or face

How It Works

When you sign in to a WebAuthn-enabled app, the server sends your device a fresh challenge to prove your identity. Your device, whether a PC, a mobile phone, or a tablet, first verifies you locally, for example through a fingerprint reader, facial recognition, or a hardware security key, and then has the authenticator sign the challenge with the private key created at registration.

The signed challenge is the proof of authentication that the server checks against the public key it stored at registration. The server issues a new random challenge for every sign-in, so a captured signature cannot be replayed, and the private key never leaves the device. The following diagrams depict the process flow upon user registration and on subsequent sign-ins.

The flow varies slightly depending on whether an authenticator has already been registered. The first diagram depicts a first sign-in, which includes authenticator registration.

[Diagram: first sign-in with password, followed by authenticator registration]

Now that Express holds the public key of the user's credential, subsequent sign-ins won't require a password, as depicted here:

[Diagram: passwordless sign-in using the registered authenticator]

In terms of the OpenID Connect (OIDC) specifications, the web app is the Relying Party and Express is the OpenID Provider (Authorization Server). Note that the WebAuthn specification uses the same term differently: there, Express, as the server that registers the credential and verifies the signed challenge, is the WebAuthn Relying Party. See The OpenID Foundation Specifications.

For questions or feedback, contact us.