The Web Authentication API (WebAuthn) allows for the creation of public-key based credentials for authenticating users. A server invokes the API through a client application in order to perform two ceremonies: registration and authentication.
Registration allows a client application to work with a supporting authenticator to create a credential (passkey). The credential's public key is sent to the backend application, where it is stored and later used to verify challenges signed by the corresponding private key during authentication ceremonies.
Registration requests are invoked using the navigator.credentials.create() method.
Authentication allows a client application to work with a supporting authenticator to sign a challenge issued by the backend application. The authenticator signs the challenge using the device's private key. The signed challenge is returned to the backend application, where the public key captured during registration validates the signature.
Authentication requests are invoked using the navigator.credentials.get() method.
Both the get() and create() APIs are supported by all of the major browsers, allowing web applications to seamlessly provide support across ecosystems.