Passkey (FIDO2) authentication mechanism

Passkey authentication consists of two main steps: (1) Authenticator Registration and (2) Authentication (Login). This section briefly explains the flow of each process.

(1) Authenticator Registration Flow

This is the process flow for when a user registers their login credential (passkey) with the service for the first time.


  • Flow Overview:
  1. The user initiates passkey registration on your service.

  2. Your service requests registration data from our service via the SDK. This data includes a one-time challenge and identifies the relying party (your service) and the user account.

  3. Your service passes the received data to the user's authenticator, such as a smartphone, and the user performs user verification (e.g., fingerprint or face scan) on that device.

  4. A private key and public key pair is created inside the authenticator, scoped to your service's identifier so it cannot be used on another site.

  5. The private key is stored securely inside the authenticator and never leaves it.

  6. Only the public key (together with a credential ID that identifies the passkey) is returned and registered with our service. It is used to verify signatures during future logins; the service never holds a secret that could be stolen and replayed.

(2) Authentication (Login) Flow

This is the process flow for when a registered user logs into the service.


  • Flow Overview:
  1. The user attempts to log in to your service.

  2. Your service requests authentication data (including a fresh, one-time challenge) from our service via the SDK.

  3. Your service passes the received data to the user's authenticator, and the user performs user verification on it.

  4. The authenticator signs the challenge, together with data identifying your service, using its stored private key. The resulting digital signature proves that the user holds the registered passkey.

  5. Our service verifies the signature with the registered public key and checks that it covers the challenge it issued, so a signature captured earlier cannot be replayed.

  6. If the verification is successful, the login is granted.
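The following is an added example that models both flows end to end, with the authenticator and the relying party ("our service") as two parties in one program. It is illustrative code written for this page, not the SDK's or the service's own implementation: the relying-party ID `example.com`, the origin, the user names, and the byte layout of the client data and authenticator data are assumptions, and real WebAuthn messages use CBOR attestation objects, clientDataJSON and base64url encoding. What it shows beyond the steps above is the set of checks the verifier must make before granting login: the challenge is one-time, the signature is bound to the relying party, user verification is flagged, and the signature counter increases.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed relying-party identity; a real deployment uses its own domain.
const rpID = "example.com"
const origin = "https://" + rpID
const flagUV = 0x04 // authenticator-data flag bit: user verification performed

// ClientData is what the browser binds into every signature (simplified encoding).
type ClientData struct {
	Type      string // "webauthn.create" or "webauthn.get"
	Challenge []byte
	Origin    string
}

func (c ClientData) Hash() []byte {
	h := sha256.Sum256(append([]byte(c.Type+c.Origin), c.Challenge...))
	return h[:]
}

// signedDigest is the value the authenticator signs: SHA-256(authData || SHA-256(clientData)).
func signedDigest(authData []byte, cd ClientData) []byte {
	d := sha256.Sum256(append(append([]byte{}, authData...), cd.Hash()...))
	return d[:]
}

// Credential is all the relying party keeps per passkey: no secret material.
type Credential struct {
	ID        []byte
	PubKey    *ecdsa.PublicKey
	SignCount uint32
}

// RelyingParty models "our service": registered public keys and one-time challenges.
type RelyingParty struct {
	creds      map[string]*Credential
	challenges map[string][]byte
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{creds: map[string]*Credential{}, challenges: map[string][]byte{}}
}

// IssueChallenge mints a fresh random challenge for one registration or login attempt.
func (rp *RelyingParty) IssueChallenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.challenges[user] = c
	return c
}

// consumeChallenge accepts the outstanding challenge once and then forgets it (replay defence).
func (rp *RelyingParty) consumeChallenge(user string, got []byte) error {
	want, ok := rp.challenges[user]
	delete(rp.challenges, user)
	if !ok || !bytes.Equal(want, got) {
		return errors.New("unknown or reused challenge")
	}
	return nil
}

// Authenticator models the user's device; the private key never leaves this struct.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	credID  []byte
	counter uint32
}

// Register is registration steps 4-5: create a key pair and keep the private half.
func (a *Authenticator) Register(challenge []byte) ([]byte, *ecdsa.PublicKey, ClientData) {
	a.priv, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a.credID = make([]byte, 16)
	rand.Read(a.credID)
	return a.credID, &a.priv.PublicKey, ClientData{"webauthn.create", challenge, origin}
}

// CompleteRegistration is step 6: store only the credential ID and public key.
func (rp *RelyingParty) CompleteRegistration(user string, credID []byte, pub *ecdsa.PublicKey, cd ClientData) error {
	if err := rp.consumeChallenge(user, cd.Challenge); err != nil {
		return err
	}
	if cd.Type != "webauthn.create" || cd.Origin != origin {
		return errors.New("client data does not belong to this relying party")
	}
	rp.creds[user] = &Credential{ID: credID, PubKey: pub}
	return nil
}

// Assert is login step 4: authData = SHA-256(rpID) || flags || counter, then sign.
func (a *Authenticator) Assert(challenge []byte, uv bool) ([]byte, ClientData, []byte) {
	rpHash := sha256.Sum256([]byte(rpID))
	a.counter++
	var cnt [4]byte
	binary.BigEndian.PutUint32(cnt[:], a.counter)
	authData := append(rpHash[:], 0)
	if uv {
		authData[32] = flagUV
	}
	authData = append(authData, cnt[:]...)
	cd := ClientData{"webauthn.get", challenge, origin}
	sig, _ := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(authData, cd))
	return authData, cd, sig
}

// VerifyAssertion is login step 5: every check made before the login is granted.
func (rp *RelyingParty) VerifyAssertion(user string, credID, authData []byte, cd ClientData, sig []byte) error {
	cred := rp.creds[user]
	if cred == nil || !bytes.Equal(cred.ID, credID) {
		return errors.New("unknown credential")
	}
	if err := rp.consumeChallenge(user, cd.Challenge); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Origin != origin {
		return errors.New("client data does not belong to this relying party")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(authData) < 37 || !bytes.Equal(authData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch: assertion was made for another site")
	}
	if authData[32]&flagUV == 0 {
		return errors.New("user verification flag not set")
	}
	count := binary.BigEndian.Uint32(authData[33:37])
	if count <= cred.SignCount {
		return errors.New("signature counter did not increase: possible cloned authenticator")
	}
	if !ecdsa.VerifyASN1(cred.PubKey, signedDigest(authData, cd), sig) {
		return errors.New("invalid signature")
	}
	cred.SignCount = count
	return nil
}

func main() {
	rp, dev := NewRelyingParty(), &Authenticator{}
	id, pub, cd := dev.Register(rp.IssueChallenge("alice"))
	fmt.Println("register:", rp.CompleteRegistration("alice", id, pub, cd))
	ad, cd, sig := dev.Assert(rp.IssueChallenge("alice"), true)
	fmt.Println("login:", rp.VerifyAssertion("alice", id, ad, cd, sig))
	fmt.Println("replay:", rp.VerifyAssertion("alice", id, ad, cd, sig))
}
```

The counter check is the one place where production code differs from this model: synced passkeys commonly report a counter of 0 on every assertion, so the WebAuthn spec only requires the comparison when the stored or reported value is non-zero. The challenge consumption and the rpIdHash comparison, by contrast, are what make the replayed and the phished assertion fail in the example.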