Learn how passwordless authentication works and how it's built using WebAuthn.

Pointer's platform is  dedicated to providing insights and resources for software developers and technology enthusiasts, focusing on programming languages, frameworks, and development tools. Through articles, tutorials, and coding challenges, Pointer offers insights into building software solutions and advancing programming skills. Developers can learn about new programming languages, coding techniques, and best practices in software development.

Pointer

Passwordless is a form of authentication that doesn't require users to provide their username during login. WebAuthn is a complex standard with many moving parts, including the FIDO2 specifications. Since they aren't stored in the authenticator, the Relying Party has to send the key handles back. There can be no credential selection without talking to the RP.

How Passwordless Works

Building block #1: discoverable credentials

<ul>
<li>
Passwordless is a form of authentication that doesn’t require users to provide passwords during login. Instead, they use a physical device, such as a YubiKey or SoloKey, to unlock access to their account.
</li>
<li>
Passwordless authentication is based on the Web Authentication standard, which defines how challenges can be signed using a private key stored in an authenticator. The signed challenge is then verified by the server using the corresponding public key.
</li>
<li>
Discoverable credentials are a feature of WebAuthn that allows the user to select a credential from the authenticator without the need to provide any personal information to the server. This enables passwordless and usernameless authentication in a single stroke.
</li>
<li>
User verification is a feature of WebAuthn that allows the server to verify the user’s identity without the need for a password. This is done by the authenticator, which prompts the user for a PIN or fingerprint scan, for example.
</li>
<li>
Attestation is a feature of WebAuthn that allows the server to make assertions about the provenance of the authenticator. This is useful to determine if the authenticator is trustworthy.
</li>
<li>
The typical passwordless authentication flow starts with the client asking the server for a challenge. The challenge is then signed by the user’s authenticator and returned to the server. The server uses the signed challenge to verify the user’s identity and grant access to the account.
</li>
</ul>