Usernameless Authentication Tutorial

What is Resident Key?

In the Passwordless Authentication tutorial, a username is required to perform the authentication process. In practice, the username can be removed as well by setting the RequireResidentKey parameter when registering the credential.

A Resident Key (rk) is a special type of credential that can be used without prior knowledge of the credential ID.

As you can see in the Passwordless Authentication tutorial, when creating a new credential we must pass a userId generated by the server. When rk == true, this userId is stored in the authenticator and returned as userHandle during authentication, which is how the server identifies the account without a username.

Note

At the time of writing (August 2019) this is not supported on all browsers, operating systems and authenticators.

1. Registration

The only change in registration is the RequireResidentKey parameter.

  • Step 1: Enter user information

    A specific username or e-mail address to identify the user.
    A human-palatable name for the user account, intended only for display.

2. Authentication

In this scenario, no user information is required in authentication.

Parameters explanation

The parameters used when registering a credential:


<script>
    // possible values: none (default), direct, indirect
    let attestation = "none"; // means that the Relying Party (RP) is not interested in authenticator attestation

    let authenticatorSelection = {
        // possible values: <empty> (default), platform, cross-platform
        'authenticatorAttachment': "", // means that the RP does not specify an authenticator type; the user can choose what they want
        // possible values: preferred, required, discouraged (default)
        'userVerification': "discouraged", // means that the Relying Party does not want user verification employed during the operation
        // possible values: true, false (default)
        'requireResidentKey': true // means that the authenticator has to create a client-side-resident public key credential source when creating a public key credential
    };
</script>

RPs can specify their preference regarding attestation conveyance during credential generation. The Attestation parameter has 3 possible values:

  • none: RP is not interested in authenticator attestation.
  • indirect: RP prefers an attestation, but allows the client to decide how to obtain the attestation statements.
  • direct: RP wants to receive the attestation statement as generated by the authenticator.

In this demo, the default value ("none") is used. If your RP server needs more assurance about the authenticator, use "direct" to force the client to return the full attestation statement.
More on UserVerification in the Multi-factor authentication scenario.
RequireResidentKey is explained in What is Resident Key?. For usernameless authentication it must be true.

The parameters used when authenticating with a registered credential:


<script>
    // possible values: preferred, required, discouraged (default)
    let userVerification = "discouraged"; // means that the Relying Party does not want user verification employed during the operation
</script>

If the RP does not specify these parameters, the FIDO2 authentication server uses the default values.
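The registration and authentication steps above, as an added example that is not part of the tutorial or its demo server: it builds the options a browser would pass to navigator.credentials.create() and navigator.credentials.get(), and shows the server-side check that binds the returned userHandle to the credential it was registered with. Function names, the RP name and the sample credential store are assumptions.

```javascript
// Added example (not the tutorial's code). Runs under Node; the option objects
// are what a browser would hand to navigator.credentials.create()/get().
const enc = new TextEncoder();
const dec = new TextDecoder();

// Registration: the only change from the passwordless flow is requireResidentKey.
function buildRegistrationOptions(challenge, user) {
  return {
    challenge: enc.encode(challenge),
    rp: { name: "Example RP" },                         // assumed RP name
    user: { id: enc.encode(user.id), name: user.name, displayName: user.displayName },
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
    attestation: "none",
    authenticatorSelection: {
      userVerification: "discouraged",
      requireResidentKey: true,   // authenticator stores user.id alongside the key
      residentKey: "required",    // WebAuthn Level 2 spelling of the same preference
    },
  };
}

// Authentication: no username, so allowCredentials stays empty; the authenticator
// offers its resident credentials and returns the stored user.id as userHandle.
function buildAuthenticationOptions(challenge) {
  return {
    challenge: enc.encode(challenge),
    userVerification: "discouraged",
    allowCredentials: [],
  };
}

// Server side: resolve the account from the assertion. The credential ID alone is
// not enough; the userHandle must match the account the credential was registered
// to, otherwise a stray or mismatched handle could select the wrong account.
function resolveUser(assertion, credentialStore) {
  const cred = credentialStore[assertion.id];
  if (!cred) return null;                              // unknown credential ID
  const handle = dec.decode(assertion.response.userHandle);
  if (handle !== cred.userId) return null;             // handle/credential mismatch
  return { userId: cred.userId, publicKey: cred.publicKey };
}

// Constructed sample data standing in for a real registration and assertion.
const credentialStore = { "cred-abc": { userId: "u-42", publicKey: "<stored-pubkey>" } };
const sampleAssertion = { id: "cred-abc", response: { userHandle: enc.encode("u-42") } };
```

The signature over clientDataJSON and authenticatorData must still be verified with the stored public key after resolveUser succeeds; that step is unchanged from the passwordless flow and is omitted here.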