User authentication
User authentication consists of signing a server challenge with a FIDO credential.
Prerequisites
Authenticating with FIDO requires that the user has successfully completed enrollment, so that the user has an assigned FIDO credential.
Sequence diagrams
Front end
The application front end has to:

- Retrieve from the back end the FIDO challenge and options to authenticate (step 2). The format of this communication is specific to the application.
- Use the WebAuthn API to sign the FIDO challenge with the user credential, using the options prepared by our FIDO server (step 7):

```javascript
const assertion = await navigator.credentials.get(assertionOptions);
```

See the WebAuthn specification for details.

- Send the assertion result to the back end (step 10). The format of this communication is specific to the application.
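The three front-end steps above carried through end to end, as an added example that is not the portal's own code. It assumes two application back-end routes, `/auth/assertion/options` and `/auth/assertion/verify`, that relay the FIDO server's JSON unchanged, and that binary WebAuthn fields (challenge, credential ids, signature) travel as unpadded base64url; those route names and JSON field names are assumptions, not part of the page.

```javascript
// Added example, not the portal's code. Assumed (not from the page): back-end routes
// /auth/assertion/options and /auth/assertion/verify relaying the FIDO server JSON,
// and base64url encoding for binary fields (challenge, credential ids, signatures).

const B64URL_RE = /^[A-Za-z0-9_-]*$/;

// Unpadded base64url -> ArrayBuffer. atob/btoa exist in browsers and in Node 16+.
function base64urlToBuffer(s) {
  if (typeof s !== 'string' || !B64URL_RE.test(s)) throw new TypeError('invalid base64url');
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  const bin = atob(b64);
  const bytes = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  return bytes.buffer;
}

// ArrayBuffer or typed array -> unpadded base64url.
function bufferToBase64url(buf) {
  let bin = '';
  for (const b of new Uint8Array(buf)) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Step 2 result -> PublicKeyCredentialRequestOptions. The WebAuthn API needs the
// challenge and the credential ids as BufferSource, not as strings.
function toRequestOptions(json) {
  const publicKey = {
    challenge: base64urlToBuffer(json.challenge),
    rpId: json.rpId,
    timeout: json.timeout,
    userVerification: json.userVerification,
  };
  if (Array.isArray(json.allowCredentials)) {          // present in the explicit flow
    publicKey.allowCredentials = json.allowCredentials.map((c) => ({
      type: c.type,
      id: base64urlToBuffer(c.id),
      transports: c.transports,
    }));
  }
  return { publicKey };
}

// Step 7 result -> JSON for step 10. Field names follow the WebAuthn
// AuthenticatorAssertionResponse; the wire layout toward the back end is an assumption.
function assertionToJson(assertion) {
  const r = assertion.response;
  return {
    id: assertion.id,
    rawId: bufferToBase64url(assertion.rawId),
    type: assertion.type,
    response: {
      clientDataJSON: bufferToBase64url(r.clientDataJSON),
      authenticatorData: bufferToBase64url(r.authenticatorData),
      signature: bufferToBase64url(r.signature),
      userHandle: r.userHandle ? bufferToBase64url(r.userHandle) : null,
    },
    clientExtensionResults: typeof assertion.getClientExtensionResults === 'function'
      ? assertion.getClientExtensionResults() : {},
  };
}

async function postJson(url, body) {
  const res = await fetch(url, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(body),
  });
  if (!res.ok) throw new Error(`${url} failed: HTTP ${res.status}`);
  return res.json();
}

// Steps 2, 7 and 10 in order. `userId` is undefined for the autofill flow.
// `credentials` is navigator.credentials in a browser; injectable for tests.
async function authenticate(userId, credentials = navigator.credentials) {
  const options = await postJson('/auth/assertion/options', userId ? { userId } : {});
  const assertion = await credentials.get(toRequestOptions(options));
  return postJson('/auth/assertion/verify', assertionToJson(assertion));
}
```

The conversion functions are kept separate from `authenticate()` so they can be unit-tested outside a browser; `navigator.credentials.get()` rejects if the challenge or a credential id is handed over as a string instead of a BufferSource, which is the most common integration mistake at this step.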
Back end
The application back end has to:

- Receive the authentication request from the front end, and send the assertion options request to the FIDO server. The type of expected credential can be customized through the various request input parameters. See the API documentation for the assertion options endpoint. The FIDO response has to be transmitted back to the front end.
- Receive the assertion response from the front end, and submit the corresponding assertion response to the FIDO server. See the API documentation for the assertion verify endpoint. The FIDO server validates the response, and returns the validation status to the back end.

Only after the FIDO server reports that the assertion was successfully validated should the back end open an authenticated user session and authorize restricted operations; the front end's own report of the outcome must not be trusted for this decision.
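The two back-end steps as a pair of request handlers, added here as an example and not the portal's or the FIDO server's code. The FIDO server endpoint paths, the request and response field names (`challenge`, `status`, `userId`) and the shape of the server-side session object are assumptions; the real ones are in the API documentation. The point the example adds to the text is the bookkeeping the page leaves implicit: the challenge is bound to the server-side session, is usable once, and the session is opened only on the FIDO server's verdict.

```javascript
// Added example, not the portal's code. Assumed (not from the page): the FIDO server
// endpoint paths, the `challenge`/`status`/`userId` field names, and the session shape.

const FIDO_SERVER = 'https://fido.example.internal'; // assumed base URL
const PENDING_TTL_MS = 2 * 60 * 1000;                 // how long an issued challenge stays usable

async function postJson(url, body) {
  const res = await fetch(url, {
    method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(body),
  });
  if (!res.ok) throw new Error(`${url} failed: HTTP ${res.status}`);
  return res.json();
}

// Thin client for the two FIDO server calls; a fake is injected in tests.
const fidoClient = {
  assertionOptions: (req) => postJson(`${FIDO_SERVER}/assertion/options`, req),
  assertionVerify: (req) => postJson(`${FIDO_SERVER}/assertion/verify`, req),
};

// First back-end step: relay the options request. Only the user identifier is taken
// from the front end; everything else in the request is server-side policy. The
// challenge is remembered in the server-side session, never handed to the client alone.
async function handleAssertionOptions(body, session, client = fidoClient) {
  const { userId } = body || {};
  const request = {};
  if (typeof userId === 'string' && userId.length > 0) request.userId = userId; // explicit flow
  const options = await client.assertionOptions(request);         // autofill flow: no userId
  session.pendingAssertion = {
    challenge: options.challenge, userId: request.userId || null, issuedAt: Date.now(),
  };
  return options;                                                 // relayed unchanged to the front end
}

// Second back-end step: relay the assertion and act on the FIDO server's verdict only.
async function handleAssertionVerify(body, session, client = fidoClient, now = Date.now()) {
  const pending = session.pendingAssertion;
  session.pendingAssertion = null;                                // one attempt per issued challenge
  if (!pending) return { ok: false, reason: 'no pending assertion' };
  if (now - pending.issuedAt > PENDING_TTL_MS) return { ok: false, reason: 'challenge expired' };

  const result = await client.assertionVerify({ challenge: pending.challenge, assertion: body });
  if (result.status !== true) return { ok: false, reason: 'assertion rejected by FIDO server' };

  // The authenticated identity comes from the server side: the user the options were
  // issued for (explicit flow) or the credential owner the FIDO server reports
  // (autofill flow). It is never a field the front end could set in the verify request.
  const userId = pending.userId || result.userId;
  if (!userId) return { ok: false, reason: 'no user for credential' };
  if (pending.userId && result.userId && result.userId !== pending.userId) {
    return { ok: false, reason: 'credential belongs to another user' };
  }
  session.userId = userId;            // a real framework would also rotate the session id here
  session.authenticatedAt = now;
  return { ok: true, userId };
}
```

Clearing `pendingAssertion` before the verify call, not after, is deliberate: a second submission of the same signed assertion, or a parallel one racing the first, finds no pending challenge and fails regardless of what the FIDO server would have answered.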
User authentication options
Users can authenticate with FIDO using one of the following two options:

- Users can explicitly identify themselves by providing their user identifier or name. The assertion options request then includes the list of registered credentials that can be used to authenticate the identified user.
- Users can alternatively authenticate without entering their user identifier, thanks to the autofill feature, where the application requests the browser to present the list of previously registered credentials accessible from the browser, and prompts the user to pick one. This minimizes user friction by reducing the interaction to a simple click, instead of typing a possibly complex identifier. It requires the web application to request assertion options without user information: `userId` is omitted in the assertion options request.
Note
Both modes can be supported simultaneously: Applications can initiate autofill, but if the browser does not find any credential to propose, or users decide to enter their user identifier, the autofill operation can be cancelled and an explicit flow can be started instead.
Some browsers do not yet support autofill, which means that applications have to check before using it. You can find instructions to include autofill in your authentication flow on this developer portal.
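The combined flow described in the note (feature check, autofill started first, cancelled and replaced by the explicit flow when the user types an identifier) as an added example; it is not the portal's code. `pkc` and `credentials` stand for the browser globals `PublicKeyCredential` and `navigator.credentials`, and `getOptions(userId)` is an assumed application function that fetches assertion options from the back end and returns them already converted to `PublicKeyCredentialRequestOptions`. The WebAuthn calls used, `PublicKeyCredential.isConditionalMediationAvailable()`, `mediation: 'conditional'` and an `AbortSignal` on `navigator.credentials.get()`, are the standard API for this; the class around them is the example's own.

```javascript
// Added example, not the portal's code. `pkc`, `credentials` and `getOptions` are
// injectable stand-ins for PublicKeyCredential, navigator.credentials and an assumed
// application function that returns PublicKeyCredentialRequestOptions.

// Feature check: browsers without autofill support lack isConditionalMediationAvailable().
async function autofillAvailable(pkc = globalThis.PublicKeyCredential) {
  if (!pkc || typeof pkc.isConditionalMediationAvailable !== 'function') return false;
  try { return (await pkc.isConditionalMediationAvailable()) === true; } catch { return false; }
}

class LoginFlow {
  constructor({ getOptions, credentials = globalThis.navigator && navigator.credentials,
                pkc = globalThis.PublicKeyCredential }) {
    this.getOptions = getOptions;
    this.credentials = credentials;
    this.pkc = pkc;
    this.autofill = null;           // { controller, done } while a conditional request is pending
    this.explicitRequested = false; // set once the user chose to type an identifier
  }

  // Start autofill. Resolves with { mode: 'autofill', assertion } when the user picks a
  // credential from the browser's suggestions, with null when unsupported or cancelled.
  async start() {
    if (!(await autofillAvailable(this.pkc))) return null;
    const publicKey = await this.getOptions(undefined);      // no userId: autofill options
    if (this.explicitRequested) return null;                 // user typed an id while we waited
    const controller = new AbortController();
    const done = this.credentials.get({ publicKey, mediation: 'conditional', signal: controller.signal });
    this.autofill = { controller, done };
    try {
      return { mode: 'autofill', assertion: await done };
    } catch (err) {
      if (err && err.name === 'AbortError') return null;     // cancelled by explicit()
      throw err;
    } finally {
      this.autofill = null;
    }
  }

  // The user typed an identifier: cancel any pending autofill, then run the explicit flow.
  async explicit(userId) {
    this.explicitRequested = true;
    if (this.autofill) this.autofill.controller.abort();
    const publicKey = await this.getOptions(userId);          // options list this user's credentials
    const assertion = await this.credentials.get({ publicKey });
    return { mode: 'explicit', assertion };
  }
}
```

In a browser the conditional request stays pending until the user picks a credential, so `start()` is called on page load and left unawaited; the identifier field must carry `autocomplete="username webauthn"` for the browser to surface the credentials there. Whatever branch produces the assertion, it is sent to the back end and verified exactly as in the explicit flow.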
Completed
You have now seen how FIDO authentication can provide secure and convenient in-band authentication in web applications.