
2FA + WebAuthn

Basic two-factor authentication requires a user to present two forms of evidence of identity to gain access to a protected resource or data. After the user supplies a username and password, the app sends them a confirmation code by SMS or email. The user must enter that code before the system signs them in.

The two-factor authentication with WebAuthn workflow replaces the confirmation code with a different second factor: an authenticator.

An authenticator is a device such as a PC, mobile phone, or tablet that can:

  • Generate a private/public key pair
  • Locally confirm the user's consent

How It Works

The following diagram depicts the sign-in flow, before an authenticator is registered:

[Diagram: sign-in flow before an authenticator is registered]

Now that Express holds a public key credential for the authenticator, subsequent sign-ins use the authenticator as the second factor:

[Diagram: subsequent sign-in using the registered authenticator as the second factor]

In terms of the OpenID Connect (OIDC) specifications, the Web App is the Relying Party and ForgeRock Identity Cloud is the Authorization Server. See The OpenID Foundation Specifications.
