
Important concepts

Overview

Use this page to get a high-level overview of the key concepts involved in the WebAuthn documentation. The reference goes over each term and describes how the WebAuthn flows work within SuperTokens.

Terminology

WebAuthn

Web Authentication (WebAuthn) is an open web standard that enables secure, passwordless authentication for web applications. WebAuthn allows users to log in using biometrics, security keys, or device-based credentials, replacing traditional username and password combinations. Under the hood, the standard relies on asymmetric (public-key) cryptography to confirm the identity of a user: the private key never leaves the user's authenticator, the server stores only the corresponding public key, and each login proves possession of the private key by signing a server-issued challenge.

For a more detailed explanation of WebAuthn, you can refer to the actual specification.

Passkeys

A passkey is a WebAuthn credential that the user's platform (operating system or browser credential manager) can store and, in the synced variant, back up and synchronize across the user's devices. Because the key material is not tied to a single piece of hardware, a synced passkey remains usable and recoverable if one device is lost. Device-bound passkeys, for example on a hardware security key, stay on the device that created them.

Aside from the ease of use, passkeys are integrated into operating systems and browsers and are supported on a wide range of devices.


Authentication flows

This section explains how each component communicates during different authentication flows.

Login

1. The frontend SDK requests sign-in (authentication) options from the backend.

The options, including a fresh random challenge, are returned based on the response from the SuperTokens core service.

2. The authenticator uses the options to sign the challenge with the user's passkey.
3. The SuperTokens core service validates the result of the authenticator operation (the signature, the challenge, and the origin it was signed for) against the public key stored at sign up.
4. The authentication UI updates, based on the result of the validation process.

Sign in form UI for passkeys login

Sign up

1. The user enters their email address in the frontend authentication UI.
2. The frontend SDK uses the email to request registration options from the backend.

The options, including a fresh random challenge, are returned based on the response from the SuperTokens core service.

3. The authenticator creates a new key pair for the passkey and returns the public key together with its response to the challenge.
4. The SuperTokens core service validates the result of the authenticator operation and stores the public key with the new credential.
5. The authentication UI updates, based on the result of the validation process.

Passkeys sign up flow

Account recovery

Account recovery uses email. The user receives a link that directs them to a page where they can register a new credential.

1. The frontend initiates the recovery flow by communicating with the backend SDK.
2. The backend checks whether the email exists and, if so, sends a recovery email.

The email includes a security token obtained from the SuperTokens core.

3. When the user opens the recovery link, they are directed to the frontend application.

The backend SDK validates the security token. If validation succeeds, the SDK begins registering a new credential. From here, the flow matches the sign up flow described in the previous section.

Sign in form UI for passkeys login