WebAuthn Ceremonies
The WebAuthn spec defines two ceremonies performed between the user, authenticator, client and relying party: Registration and Authentication.
Registration Ceremony
The registration ceremony consists of five steps:
- When registration is requested, the Relying Party provides a challenge and other information to the Client.
- The Client sends the information from step 1 along with extra client data to the Authenticator.
- The Authenticator generates a public key, optionally performs user presence or verification, and produces an attestation statement based on the given challenge.
- The public key and attestation statement are sent back to the Client.
- The Client sends the information to the Relying Party, which validates the attestation statement against the original challenge, and if successful, saves the public key to the user’s account.
Authentication Ceremony
The authentication ceremony consists of five steps:
- When authentication is requested, the Relying Party provides a challenge to the Client.
- The Client sends the information from step 1 along with extra client data to the Authenticator.
- The Authenticator generates an assertion signature using the stored private key and optionally performs user presence or verification.
- The assertion signature and extra authenticator data are sent back to the Client.
- The Client sends the information to the Relying Party, which validates the assertion signature against the original challenge, and if successful, marks the user as authenticated.
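The authentication ceremony above, as an added example (not code from the WebAuthn spec or any product): a Node.js sketch in which the Authenticator is simulated in software and the Relying Party performs the step 5 checks. The field layout (clientDataJSON, rpIdHash, flags, counter) follows the WebAuthn specification; `RP_ID`, `ORIGIN` and all function names are assumptions made for illustration.

```javascript
// Added example: simplified authentication ceremony with a software-simulated Authenticator.
const { createHash, generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');

const RP_ID = 'example.com';            // constructed sample values
const ORIGIN = 'https://example.com';
const sha256 = (data) => createHash('sha256').update(data).digest();

// Step 1: the Relying Party issues a fresh random challenge.
function newChallenge() {
  return randomBytes(32).toString('base64url');
}

// Steps 2-4: the Client builds clientDataJSON; the (simulated) Authenticator signs
// authenticatorData || SHA-256(clientDataJSON) with the stored private key.
function simulateAssertion(privateKey, challenge, origin = ORIGIN) {
  const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
  const flags = Buffer.from([0x01]);    // bit 0 set = user present
  const signCount = Buffer.alloc(4);    // signature counter, left at 0 here
  const authenticatorData = Buffer.concat([sha256(RP_ID), flags, signCount]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: sign('sha256', signed, privateKey) };
}

// Step 5: the Relying Party validates the assertion against the challenge it issued.
function verifyAssertion(publicKey, expectedChallenge, { clientDataJSON, authenticatorData, signature }) {
  const clientData = JSON.parse(clientDataJSON.toString('utf8'));
  if (clientData.type !== 'webauthn.get') return 'wrong type';
  if (clientData.challenge !== expectedChallenge) return 'challenge mismatch';
  if (clientData.origin !== ORIGIN) return 'origin mismatch';
  if (!authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return 'rpIdHash mismatch';
  if ((authenticatorData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return verify('sha256', signed, publicKey, signature) ? 'ok' : 'bad signature';
}

// Key pair as created during registration; the Relying Party stores only the public key.
const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
const challenge = newChallenge();
const assertion = simulateAssertion(privateKey, challenge);
console.log(verifyAssertion(publicKey, challenge, assertion));       // assertion for the issued challenge
console.log(verifyAssertion(publicKey, newChallenge(), assertion));  // same assertion replayed later
```

Because the challenge and origin are inside the signed data, an assertion captured for one challenge or produced for another origin fails the checks even though the signature itself is valid.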