WebAuthn explained

Arthur777

New Member
Apr 2, 2024
22
0
1
Hello, I'm trying to understand how WebAuthn works, but I'm struggling a bit at the moment. This is how I understand it for now. Is this correct, or are there significant errors?

Device Registration:

a. The user wants to register a new device to authenticate with an online service.

b. The service sends a registration request to the user's browser.

c. The browser generates a pair of asymmetric keys on the user's device: a private key and a public key.

d. The public key is sent to the service, while the private key remains stored locally on the user's device.

e. The service associates the public key with the user's account identifier for future reference.


2. Authentication:

a. The user wants to log in to their account on the online service.

b. The service sends an authentication request to the user's browser.

c. The browser prompts the registered device to prove it possesses the associated private key.

d. The device uses the private key to sign a random message.

e. The signed message is returned to the browser.

f. The browser forwards the signed message to the service.


3. Validation:

a. The service receives the signed message from the browser.

b. The service extracts the user's associated public key from their account.

c. Using this public key, the service verifies the signature of the message.

d. If the verification succeeds, the service authenticates the user and allows them to access their account.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!