- A Relying Party (RP): the web service the user registers with and logs in to, e.g. github.com or google.com. It is identified by its RP ID (its domain), and every credential is bound to that ID.
- A User Agent: the browser (or a native client on a smartphone) that relays messages between the Relying Party and the Authenticator and reports the origin it is actually talking to.
- An Authenticator: the device or software that generates and stores the credential key pairs and performs signatures, e.g. a hardware security key, a platform authenticator (fingerprint or face unlock) or a password manager. Private keys never leave it.
- The User Agent requests registration with the Relying Party, supplying user identifiers such as username and email.
- The Relying Party issues a fresh random cryptographic challenge and the ceremony parameters (its RP ID, user info, accepted signature algorithms) to the User Agent.
- The User Agent forwards the challenge and ceremony parameters to the Authenticator, together with the origin it is connected to; the Authenticator will only create a credential scoped to that RP ID.
- The Authenticator prompts the user for user verification (fingerprint, PIN, master password) or at least a touch to prove presence.
- The Authenticator generates a new key pair scoped to that RP ID and signs the challenge with the new private key. Strictly, what is signed is the authenticator data concatenated with a hash of the client data, which contains the challenge and the origin; with self-attestation the new private key signs, with other attestation formats a separate attestation key does.
- The Authenticator returns the signature, the new public key and a credential ID to the User Agent.
- The User Agent forwards them, together with the client data, to the Relying Party.
- The Relying Party checks that the returned challenge is the one it issued, that the origin and the RP ID hash are its own, and that the signature verifies under the supplied public key (or the attestation certificate).
- If the verification succeeds, the Relying Party stores the credential ID, the public key and the initial signature counter against the user account in persistent storage.
- The User Agent sends a login request (e.g. with the username) to the Relying Party. With discoverable credentials the username can be omitted and the Authenticator picks the credential itself.
- The Relying Party issues a new random challenge to the User Agent, together with the credential IDs registered for that user. The challenge is fresh random bytes, not something derived from the user's public key.
- The User Agent forwards the challenge and the RP ID to the Authenticator.
- The Authenticator prompts the user for verification (fingerprint, PIN, master password) as before.
- The Authenticator looks up the credential bound to that RP ID (a credential registered for a different domain is never used, which is what defeats phishing), increments its signature counter and signs the new challenge with the stored private key, then returns the signature, the credential ID and the authenticator data to the User Agent.
- The User Agent forwards the signed response to the Relying Party.
- The Relying Party verifies the signature with the public key stored for that credential ID, checks that the challenge and origin match what it issued, and checks that the signature counter has increased since the last login (a counter that does not increase suggests a cloned authenticator).
- If the verification succeeds, the user is logged in. The Relying Party can now establish a session by any mechanism, e.g. a session cookie or a JWT, valid for a limited time (the shorter the lifetime, the less a stolen token is worth).