Passwordless - FIDO2 for .NET

Enabling smooth sign in using FIDO2 / WebAuthn

Scenario: Usernameless

In this scenario we have removed the need for both usernames and passwords. The WebAuthn flow is very similar to the passwordless flow, but when registering we require the resident key option. User account selection is handled by the client/authenticator. If multiple credentials are found, the user will be able to choose which credential to use.

Note: When we say passwordless, what we mean is that no password is sent over the internet or stored in a database. A password, PIN or biometrics might still be used by the authenticator on the client.

Please note: At the time of writing (July 2019) this is not supported on all browsers. Confirmed to work on: Windows Edge, Edge (OS X, pre-release), Firefox 69 (Windows), Chrome 76.0.3809.72 beta (OS X)

Register user


Sign in

Explanation: Username- and passwordless login with FIDO2

In this scenario, WebAuthn is used without a username to securely authenticate the user. This requires the Authenticator to support Resident Keys. The flow is visualized in the figure below.

figure visualizing username and challenge sent together with assertion

In this flow the Relying Party should tell the Authenticator to do User Verification (set UserVerification to required) via biometrics/PIN, so the authentication is MFA (something the user has - the private key - and something the user knows/is - the PIN or biometrics). However, in scenarios where security requirements are very low we could discourage user verification to minimize the user interaction needed to sign in. If discouraged, only user presence will be checked (any human is present at the device).

Read the source code for this demo here: usernameless.register.js and usernameless.login.js