Hello, I'm trying to understand how WebAuthn works, but I'm struggling a bit at the moment. This is how I understand it for now. Is this correct, or are there significant errors?
1. Device Registration:
a. The user wants to register a new device to authenticate with an online service.
b. The service sends a registration request to the user's browser.
c. The browser generates a pair of asymmetric keys on the user's device: a private key and a public key.
d. The public key is sent to the service, while the private key remains stored locally on the user's device.
e. The service associates the public key with the user's account identifier for future reference.
2. Authentication:
a. The user wants to log in to their account on the online service.
b. The service sends an authentication request to the user's browser.
c. The browser prompts the registered device to prove it possesses the associated private key.
d. The device uses the private key to sign a random message.
e. The signed message is returned to the browser.
f. The browser forwards the signed message to the service.
3. Validation:
a. The service receives the signed message from the browser.
b. The service extracts the user's associated public key from their account.
c. Using this public key, the service verifies the signature of the message.
d. If the verification succeeds, the service authenticates the user and allows them to access their account.