Registration
Description
Before a user can authenticate with the FIDO2 protocol, FIDO2 credentials must be created and stored both on the user's device and on the FIDO2 Server. This ceremony is called Registration.
Prerequisites
- The user's device and browser must support FIDO2.
- The user already has existing credentials (a password, for instance) that can be used to authenticate; authenticating with them is referred to as legacy authentication.
- Nevis is configured in such a way that only authenticated clients can register FIDO2 credentials.
- The user successfully executes a legacy authentication before starting the registration flow.
FIDO2 Client JavaScript
FIDO2 registration requires client-side JavaScript that relays the protocol messages between Nevis and the browser. This guide provides such JavaScript code, but it should be adapted and embedded into a tailored web page.
High level flow
- The user performs an initial login using legacy authentication with existing credentials.
- The login is executed against the Nevis backend and the user is authenticated.
- The browser receives the FIDO2 Client JavaScript, then the user starts the FIDO2 registration.
- The FIDO2 Client JavaScript starts the FIDO2 registration ceremony by contacting the Nevis backend.
- The backend responds with information the FIDO2 Client JavaScript uses to call the WebAuthn API in the browser.
- The browser prompts the user, who uses a FIDO2-capable authenticator to register the credentials via the WebAuthn API.
- The FIDO2 Client JavaScript sends the result of the registration, which contains the public key, to the backend.
- The backend stores the FIDO2 credential and returns the result to the FIDO2 Client JavaScript.
- The FIDO2 Client JavaScript informs the user that the registration succeeded.
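The client-side part of the flow above (steps 4 to 8), as an added example that is not the FIDO2 Client JavaScript shipped by Nevis: the endpoint paths /fido2/register/start and /fido2/register/finish, and a JSON message format in which binary fields are base64url strings, are assumptions made for this example, not the Nevis protocol.

```javascript
// Added example, not the FIDO2 Client JavaScript shipped by Nevis. The endpoints
// /fido2/register/start and /fido2/register/finish and the JSON format with
// base64url-encoded binary fields are assumptions made for this example.
// base64url <-> ArrayBuffer helpers: WebAuthn exchanges ArrayBuffers, JSON carries strings.
function base64urlToBuffer(s) {
  const pad = '='.repeat((4 - (s.length % 4)) % 4);
  const bin = atob(s.replace(/-/g, '+').replace(/_/g, '/') + pad);
  return Uint8Array.from(bin, c => c.charCodeAt(0)).buffer;
}
function bufferToBase64url(buf) {
  let bin = '';
  for (const b of new Uint8Array(buf)) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
// Step 5: turn the backend's JSON into PublicKeyCredentialCreationOptions;
// challenge, user.id and excludeCredentials[].id must become ArrayBuffers.
function toCreationOptions(json) {
  return {
    ...json,
    challenge: base64urlToBuffer(json.challenge),
    user: { ...json.user, id: base64urlToBuffer(json.user.id) },
    excludeCredentials: (json.excludeCredentials || []).map(c => ({ ...c, id: base64urlToBuffer(c.id) })),
  };
}
// Step 7: encode the attestation result (the new public key is inside
// attestationObject) so it can be posted back to the backend as JSON.
function encodeAttestation(cred) {
  return {
    id: cred.id,
    rawId: bufferToBase64url(cred.rawId),
    type: cred.type,
    response: {
      clientDataJSON: bufferToBase64url(cred.response.clientDataJSON),
      attestationObject: bufferToBase64url(cred.response.attestationObject),
    },
  };
}
// Steps 4 to 8 of the high level flow, run from a page on which legacy
// authentication already succeeded (the session cookie rides along).
async function registerFido2() {
  const start = await fetch('/fido2/register/start', { method: 'POST', credentials: 'same-origin' });
  const options = toCreationOptions(await start.json());
  const cred = await navigator.credentials.create({ publicKey: options }); // step 6: browser prompts
  const finish = await fetch('/fido2/register/finish', {
    method: 'POST', credentials: 'same-origin', headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(encodeAttestation(cred)),
  });
  return finish.ok;
}
```

The backend must still verify the attestation (challenge, origin and relying-party ID) before storing the credential; the browser-side code only transports it.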
Relying Party
FIDO2 registration needs a relying party application that serves the FIDO2 Client JavaScript to the user's browser (step 3 in the High level flow). Two options are covered in this guide; be sure to choose the architecture before the integration begins.
nevisAuth
Registration can be implemented in nevisAuth with the help of ScriptStates.
See Registration with nevisAuth.
The web application
Registration can be integrated into the customer web application in which the FIDO2 credentials will eventually be used.