The Web Authentication API (WebAuthn) is a W3C specification that lets websites authenticate users with platform authenticators built into their devices, such as Apple Touch ID and Windows Hello, or with roaming authenticators such as a YubiKey security key.
It replaces passwords with public-key cryptography. When the user registers, the authenticator generates a public-private key pair for that account on that website. The private key never leaves the authenticator, while the public key is sent to the server. To authenticate the user later, the server sends a random challenge and asks the authenticator to sign it with the private key; the server then verifies the signature with the stored public key.
During registration, a website usually asks the user to choose a username and password. With WebAuthn, the website instead calls navigator.credentials.create(): the authenticator generates a public-private key pair, keeps the private key securely on the user's device, and the browser returns the public key (together with a credential ID) for the website to store on the server.
WebAuthn Registration Flow
During login, a website usually checks whether the user has provided the right username and password. With WebAuthn, the server instead sends a random challenge; the browser hands it to the authenticator via navigator.credentials.get(), the authenticator signs it with the private key stored on the user's device, and the server verifies the signature with the public key it stored at registration. The signed data also includes the origin of the page that requested the signature, so a signature obtained by a phishing site on another origin does not verify for the real site.
#web-development #webauthn #reactjs #javascript #authentication