Passwordless login with passkeys about webauthn HOT 4 CLOSED

I recommend taking a look at the v2 preview https://webauthn-ciy.pages.dev/authentication/ to see the ways to log in.

Basically, while "usernameless" authentication is possible, I would not advise it. If you use credentials "discovery", the user will see passkeys with cryptic names, and if you want to trigger authentication directly using the list of allowed credentials, you still need a way to identify the user and poll the server for the credential IDs.

from webauthn.

That is correct.

Yes, you should keep a list of credentials for the user on the server side.

During authentication, you have two options:

• provide an empty credential IDs list => This will trigger "credential discovery" on the client device and the user can pick any available passkey
• provide the list of allowed credential IDs => The first one also present on the client device will be taken

Note that the exact behavior / UX depends on the platform (and to a lesser extend also the browser).

from webauthn.

Do I have to explicitly "use credential discovery", or that feature is up to the platform / authenticator? My understanding is that after I register the user I create a User in my database and add the credential to his 'devices' array, for example, then in order to authenticate him, I leave the credentials as an empty array on the client side, the authenticator will return a credential, I will send the credential to the server, find a user matching that credential, and the authentication process is complete. Is this a correct understanding?

from webauthn.

Thank you!

from webauthn.