
How to use FIDO and WebAuthn to achieve passwordless authentication?

To achieve passwordless authentication with FIDO (Fast Identity Online) and WebAuthn (the W3C Web Authentication API), you replace the shared secret of a password with a public-key credential: the private key stays inside an authenticator (a security key or the device's own secure hardware) and is unlocked locally by a biometric, PIN or touch, while the server holds only the public key. Here is how it works, followed by an example:

How FIDO & WebAuthn Enable Passwordless Authentication

  1. Registration Phase

    • The user initiates registration on a website or app.
    • The browser (via the WebAuthn API, navigator.credentials.create()) talks to a FIDO2 authenticator: a roaming security key reached over USB, NFC or Bluetooth using CTAP2, or a platform authenticator built into the device (Windows Hello, Touch ID/Face ID, or a phone's hardware-backed keystore).
    • The authenticator generates a fresh public-private key pair scoped to the site's RP ID (its domain). The private key never leaves the authenticator; the public key, a credential ID and a signature counter are returned to the server.
    • The server stores the credential ID, public key and counter against the user account (along with the user handle it issued) for future authentication.
  2. Authentication Phase

    • When logging in, the server sends a fresh random challenge (and, unless discoverable credentials are used, the list of credential IDs it will accept).
    • The browser prompts the user to unlock the registered authenticator (fingerprint scan, facial recognition, PIN or a tap on the security key). It only offers credentials whose RP ID matches the page's origin.
    • The authenticator signs, with the private key, its authenticator data (RP ID hash, user-presence and user-verification flags, signature counter) concatenated with a hash of the client data the browser assembled (ceremony type, challenge, origin).
    • The signed response, the client data and the credential ID are sent back to the server.
    • The server checks that the challenge is the one it issued and has not been used, that the origin and RP ID hash are its own, that user verification was performed if it required it, and that the counter has increased; only then does it verify the signature with the stored public key and confirm the user's identity.
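The two ceremonies from the browser's side, as an added example that is not part of the original page or of any library. It assumes four server endpoints under /webauthn/ and the field names of the JSON they exchange (rpId, rpName, userId, challenge, existingCredentialIds, credentialIds); those names are illustrative. The option-building and serialization helpers are plain functions that run anywhere, while registerPasskey() and loginWithPasskey() need a real browser because they call navigator.credentials.

```javascript
// Added example, not code from the original page: the browser side of both WebAuthn
// ceremonies. The /webauthn/... endpoints and the JSON fields the server is assumed to
// return (rpId, rpName, userId, challenge, credentialIds, ...) are illustrative names.

// Binary WebAuthn fields travel as base64url strings in JSON; atob/btoa exist in browsers
// and in Node 16+, so these helpers run in both.
function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4);
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}
function bytesToBase64url(buf) {
  const bin = Array.from(new Uint8Array(buf), (b) => String.fromCharCode(b)).join("");
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Argument for navigator.credentials.create(). The challenge and user handle come from the
// server; the page must never mint them itself.
function buildCreationOptions(o) {
  return {
    publicKey: {
      rp: { id: o.rpId, name: o.rpName },
      user: { id: base64urlToBytes(o.userId), name: o.userName, displayName: o.displayName },
      challenge: base64urlToBytes(o.challenge),
      // ES256 first; RS256 only as a fallback for authenticators without P-256.
      pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
      authenticatorSelection: {
        residentKey: "preferred",      // discoverable credential: sign in without typing a username
        userVerification: "required",  // PIN or biometric, not merely a touch
      },
      // Refuse to register an authenticator this account already has.
      excludeCredentials: (o.existingCredentialIds || []).map((id) => ({ type: "public-key", id: base64urlToBytes(id) })),
      attestation: "none",
      timeout: 60000,
    },
  };
}

// Argument for navigator.credentials.get(); allowCredentials may be empty when the user
// registered a discoverable credential.
function buildRequestOptions(o) {
  return {
    publicKey: {
      rpId: o.rpId,
      challenge: base64urlToBytes(o.challenge),
      allowCredentials: (o.credentialIds || []).map((id) => ({ type: "public-key", id: base64urlToBytes(id) })),
      userVerification: "required",
      timeout: 60000,
    },
  };
}

// A PublicKeyCredential holds ArrayBuffers, which JSON.stringify drops; encode them for transport.
function serializeCredential(cred) {
  const r = cred.response;
  const out = { id: cred.id, rawId: bytesToBase64url(cred.rawId), type: cred.type,
                response: { clientDataJSON: bytesToBase64url(r.clientDataJSON) } };
  if (r.attestationObject) out.response.attestationObject = bytesToBase64url(r.attestationObject);
  if (r.signature) {
    out.response.authenticatorData = bytesToBase64url(r.authenticatorData);
    out.response.signature = bytesToBase64url(r.signature);
    out.response.userHandle = r.userHandle ? bytesToBase64url(r.userHandle) : null;
  }
  return out;
}

async function postJson(url, body) {
  const res = await fetch(url, { method: "POST", headers: { "content-type": "application/json" }, body: JSON.stringify(body) });
  if (!res.ok) throw new Error(`${url} returned ${res.status}`);
  return res.json();
}

// Registration ceremony: only meaningful in a browser that implements WebAuthn.
async function registerPasskey(username) {
  if (typeof PublicKeyCredential === "undefined") throw new Error("WebAuthn is not supported here");
  const opts = await postJson("/webauthn/register/options", { username });
  const cred = await navigator.credentials.create(buildCreationOptions(opts));
  return postJson("/webauthn/register/finish", serializeCredential(cred));
}

// Authentication ceremony.
async function loginWithPasskey(username) {
  const opts = await postJson("/webauthn/login/options", { username });
  const cred = await navigator.credentials.get(buildRequestOptions(opts));
  return postJson("/webauthn/login/finish", serializeCredential(cred));
}
```

userVerification: "required" is what turns a security-key tap into a passwordless login rather than a second factor; with "preferred" a bare touch may be accepted, and the server then has to inspect the UV flag in the authenticator data before treating the login as complete.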

Example Workflow

  1. User registers on a banking app:

    • The app calls navigator.credentials.create() with a challenge and user handle issued by the bank's server.
    • The user taps their YubiKey (a FIDO2 security key) or confirms with Windows Hello.
    • The authenticator, not the browser, generates the key pair; only the public key and credential ID are sent to and stored on the bank's server.
  2. User logs in later:

    • The bank's server issues a fresh challenge and the app calls navigator.credentials.get().
    • The user taps their YubiKey again (or unlocks with Windows Hello).
    • The authenticator signs the challenge together with the origin hash and its signature counter, proving possession of the private key.
    • The bank checks the challenge, origin, RP ID hash and counter, verifies the signature with the stored public key, and grants access.

Why FIDO/WebAuthn?

  • Phishing-resistant: Each credential is bound to the site's RP ID, so the browser never offers it to a lookalike domain, and the signed response carries the origin, so the server rejects anything signed from the wrong site. Private keys never leave the authenticator, so there is nothing to capture or replay.
  • No passwords: Eliminates password theft, reuse and credential-stuffing risks.
  • Interoperable: Works across browsers (Chrome, Edge, Firefox, Safari), operating systems and any authenticator that implements the FIDO2/CTAP2 standards.

Recommended Cloud Service (Tencent Cloud)

For deploying the server side of FIDO/WebAuthn, Tencent Cloud offers:

  • KMS (Key Management Service): Manage the server's own secrets, such as session-signing keys. The WebAuthn private keys never reach the server, so KMS is not involved in the credentials themselves.
  • Serverless Cloud Functions: Host the challenge-issuing and verification endpoints without managing servers; keep issued challenges in a store the finish endpoint can reach and expire each one after a single use.
  • Web Application Firewall (WAF): Filter malicious traffic to the registration and login endpoints. Phishing resistance itself comes from WebAuthn's origin binding, not from the WAF.

By integrating WebAuthn with Tencent Cloud’s infrastructure, you can build a scalable, secure passwordless system.