I'm trying to wrap my head around WebAuthn validation, but I'm pretty lost. I know I need to use a public key to decode a challenge, but I can't find any straightforward explanations on how to do this. I've even tried reading the official specs, but they don't clarify the process. What's the straight-up procedure for this? I'm aware that platforms like GitHub have implemented passkeys for login, so how do they manage it?
2 Answers
You're right that it's a bit of a tricky concept. Essentially, your server hands out a token, and the client is supposed to validate this against the securely stored version on their hardware. Once validated, the client sends this back to the server to confirm their identity. However, I haven't worked with the WebAuthn API in a while, so I'm a bit rusty on the specifics.
WebAuthn validation essentially revolves around verifying a signature that the authenticator generates using a private key. When your server sends a challenge (which is just some random data) to the client, the authenticator uses the associated private key to sign this challenge and sends it back. Your server then checks if this signature matches what it expects from the public key it has. This process ensures that the client is who they claim to be by proving they have the private key. It all ties back to the principles of asymmetric encryption, where the public key can verify signatures made by a private key without ever knowing the private key itself.
But that still sounds super vague. I mean, you're just describing the idea without going into the details of how to actually implement the challenge verification!

That's interesting, but how does the server actually validate the challenge? It seems like that's the missing link here!
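
The challenge check and signature verification that the second answer describes, written out as an added Node.js example that is not part of the original thread or any site's own code. It assumes an ES256 (P-256) credential whose public key the server stored at registration; `verifyAssertion`, `fakeAuthenticator`, `demo` and the `example.com` values are hypothetical names, and the authenticator is simulated so the block runs offline.

```javascript
// Added example: server-side verification of a WebAuthn assertion (login step).
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Returns the new signature counter on success; throws on the first failed check.
function verifyAssertion({ clientDataJSON, authenticatorData, signature }, expected) {
  const clientData = JSON.parse(clientDataJSON.toString('utf8'));
  if (clientData.type !== 'webauthn.get') throw new Error('wrong type');
  // The challenge is compared, not decoded: it must equal the bytes this server issued.
  if (!Buffer.from(clientData.challenge, 'base64url').equals(expected.challenge)) throw new Error('challenge mismatch');
  if (clientData.origin !== expected.origin) throw new Error('origin mismatch');

  // authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4, big-endian) | ...
  if (authenticatorData.length < 37) throw new Error('authenticatorData too short');
  if (!authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) throw new Error('rpId mismatch');
  if ((authenticatorData[32] & 0x01) === 0) throw new Error('user not present');

  // The signature covers authenticatorData || SHA-256(clientDataJSON), DER-encoded for ES256.
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  if (!crypto.verify('sha256', signed, expected.publicKey, signature)) throw new Error('bad signature');

  // A counter that fails to increase suggests a replayed or cloned credential.
  const signCount = authenticatorData.readUInt32BE(33);
  if ((signCount || expected.signCount) && signCount <= expected.signCount) throw new Error('counter did not increase');
  return signCount;
}

// Constructed stand-in for the browser + authenticator, so the example runs offline.
function fakeAuthenticator(privateKey, { challenge, origin, rpId, signCount }) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  const counter = Buffer.alloc(4);
  counter.writeUInt32BE(signCount);
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), counter]); // flags: UP | UV
  const signature = crypto.sign('sha256', Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// One login round trip with constructed values: issue a challenge, get it signed, verify.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const expected = { challenge: crypto.randomBytes(32), origin: 'https://example.com',
                     rpId: 'example.com', publicKey, signCount: 0 };
  const assertion = fakeAuthenticator(privateKey, { ...expected, signCount: 1 });
  return { expected, assertion, newCount: verifyAssertion(assertion, expected) };
}

console.log('new signCount:', demo().newCount);
```

In a real deployment the three buffers come from the `response` object that `navigator.credentials.get()` returns, and `expected.challenge` comes from the server-side session, never from the client.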