Passwordless Authentication Tutorial

In this scenario the password has been removed, which means no password is sent over the internet or stored in a database.
The WebAuthn flow is exactly the same as in the two-factor authentication case.

1. Registration

  • 1. Enter user information

    A specific username or e-mail address that identifies the user.
    A human-palatable name for the user account, intended only for display.

2. Authentication

Since the password has been eliminated, you only have to authenticate with your registered credential.

  • 1. Enter username

    The username is required here so that the client can fetch the list of registered credential IDs from the server. The authenticator then selects the matching credential and sends an assertion back to the server for authentication.

    Enter the registered username.

Parameters explanation

The parameters used when registering a credential:

<script>
    // possible values: none (default), direct, indirect
    let attestation = "none"; // means that the Relying Party (RP) is not interested in authenticator attestation

    let authenticatorSelection = {
        // possible values: <empty> (default), platform, cross-platform
        'authenticatorAttachment': "", // means that the RP does not specify an authenticator type; the user can choose what they want
        // possible values: preferred, required, discouraged (default)
        'userVerification': "discouraged", // means that the Relying Party does not want user verification employed during the operation
        // possible values: true, false (default)
        'requireResidentKey': false // means that the authenticator does not have to create a client-side-resident public key credential source when creating a public key credential
    };
</script>

RPs can specify their preference regarding attestation conveyance during credential generation. The attestation parameter has 3 possible values:

  • none: RP is not interested in authenticator attestation.
  • indirect: RP prefers an attestation, but allows the client to decide how to obtain the attestation statements.
  • direct: RP wants to receive the attestation statement as generated by the authenticator.

In this demo, the default value is used. If your RP server needs more security, use "direct" to force the client to return the full attestation statement.
More on userVerification in the Multi-factor authentication scenario.
The use of requireResidentKey is explained in the Usernameless authentication scenario.

The parameters used when authenticating a registered credential:

<script>
    // possible values: preferred, required, discouraged (default)
    let userVerification = "discouraged"; // means that the Relying Party does not want user verification employed during the operation
</script>

If the RP does not specify these parameters, the FIDO2 authentication server sets them to these default values.
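As an added example (not code from this demo), the following shows how a client could turn the server's JSON (a base64url challenge and, after the username lookup described above, the list of registered credential IDs) into the option objects passed to navigator.credentials.create() and navigator.credentials.get(), using the registration and authentication parameters from this tutorial. The server field names (rpId, rpName, credentialIds) and the sample values are assumptions.

```javascript
// Added example: builds WebAuthn option objects from the demo's parameters.
// Assumed server JSON shape: { rpId, rpName, challenge } for registration and
// { rpId, challenge, credentialIds } for authentication (all base64url strings).
const ENUMS = {
  attestation: ["none", "indirect", "direct"],
  userVerification: ["preferred", "required", "discouraged"],
  authenticatorAttachment: ["platform", "cross-platform"],
};

function checkEnum(name, value) {
  if (!ENUMS[name].includes(value)) throw new TypeError(`${name}: invalid value "${value}"`);
  return value;
}

// Decode base64url (as used in WebAuthn JSON) into the ArrayBuffer the browser API expects.
function base64urlToBuffer(str) {
  const b64 = str.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0)).buffer;
}

// The registration parameters used by this tutorial.
const REGISTRATION_PARAMS = {
  attestation: "none",
  authenticatorAttachment: "", // empty: the RP leaves the authenticator type to the user
  userVerification: "discouraged",
  requireResidentKey: false,
};

function buildCreationOptions(server, user, params = REGISTRATION_PARAMS) {
  const authenticatorSelection = {
    userVerification: checkEnum("userVerification", params.userVerification),
    requireResidentKey: params.requireResidentKey,
  };
  // An empty string is not a valid attachment enum value for the browser API, so omit the member instead.
  if (params.authenticatorAttachment) {
    authenticatorSelection.authenticatorAttachment = checkEnum("authenticatorAttachment", params.authenticatorAttachment);
  }
  return {
    rp: { id: server.rpId, name: server.rpName },
    user: { id: base64urlToBuffer(user.id), name: user.name, displayName: user.displayName },
    challenge: base64urlToBuffer(server.challenge),
    pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }], // ES256, RS256
    attestation: checkEnum("attestation", params.attestation),
    authenticatorSelection,
  };
}

// allowCredentials is built from the credential IDs the server returned for the username.
function buildRequestOptions(server, userVerification = "discouraged") {
  if (!server.credentialIds || server.credentialIds.length === 0) throw new Error("no credential registered for this username");
  return {
    challenge: base64urlToBuffer(server.challenge),
    rpId: server.rpId,
    userVerification: checkEnum("userVerification", userVerification),
    allowCredentials: server.credentialIds.map((id) => ({ type: "public-key", id: base64urlToBuffer(id) })),
  };
}
```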