Authenticating with a passkey
Unlike a password, which has to be sent to the authenticating server, a passkey never leaves the user's device during sign-in. Instead, the passkey is used locally to produce a cryptographic signature that proves to the server that it was created with that passkey's private key. The passkey authentication sequence is, again, triggered by the user on the client ("Sign in with a passkey" button):
1. The client requests a random challenge from the server.
2. The client calls the WebAuthn API with credentials.get(challenge), which prompts the user for verification with a biometric or a PIN and uses a stored passkey to sign the challenge. The function returns the signed challenge along with the username and the credential ID of the passkey that was used.
3. To finalize passkey authentication, the client sends the signed challenge, the username, and the credential ID back to the server. The server checks whether the username and credential ID are known and, if so, looks up the matching public key to verify the signed challenge, which must be the challenge the server issued in step 1. If the signature verifies under that public key, the server can safely assume that the user was in possession of the passkey and create a session or hand out an authorization token.