Usernameless Authentication Tutorial
What is Resident Key?
In the Passwordless Authentication tutorial, username is required to perform authentication process. But in reality, we can also remove username by using RequireResidentKey parameter when registering credential.
Resident Key (rk) a special type of the credential that can be acquired without prior knowledge of the credential ID.
As you can see in the Passwordless Authentication tutorial, when creating a new credential, we must pass userId generated by server. In case rk == true, this userId will be saved in the authenticator and return back as userHandle for authentication.
Note
At the time of writing (August 2019) this is not supported on all browsers, OSs and authenticators.
1. Registration
The only change in registration is the RequireResidentKey parameter.
-
1
Enter user information
2. Authentication
In this scenario, no user information is required in authentication.
-
1
Parameters explanation
The parameters have been used when registering a credential:
<script>
// possible values: none (default), direct, indirect
let attestation = "none"; // means that the Replying Party (RP) is not interested in authenticator attestation
let authenticatorSelection = {
// possible values: <empty> (default), platform, cross-platform
'authenticatorAttachment': "", // means that the RP does not specify authenticator type. User can choose what they want.
// possible values: preferred, required, discouraged (default)
'userVerification': "discouraged", // means that the Relying Party does not want user verification employed during the operation
// possible values: true, false (default)
'requireResidentKey': true // means that the authenticator have to create a client-side-resident public key credential source when creating a public key credential.
};
</script>
RPs can specify their preference regarding attestation conveyance during credential generation. The Attestation parameter has 3 possible values:
- none: RP is not interested in authenticator attestation.
- indirect: RP prefers an attestation, but allows the client to decide how to obtain the attestation statements.
- direct: RP wants to receive the attestation statement as generated by the authenticator.
In this demo, the default value is using. If your RP server needs more security, you should use "direct" to force client to return full attestation.
More on UserVerification in the
Multi-factor authentication scenario.
The RequireResidentKey has been explained in
What is Resident Key?. For the use of usernameless authentication, it must be true.
The parameters have been used when authenticating registered credential:
<script>
// possible values: preferred, required, discouraged (default)
let userVerification = "discouraged"; // means that the Relying Party does not want user verification employed during the operation
</script>
In case RP does not specify these parameters, FIDO2 authentication server will set these as default values.