    Can I do step-up authentication with WebAuthn/passkeys?

    Q&A
    webauthn passkeys step-up
    • dan:

      Can I do step-up authentication with WebAuthn/passkeys? I want to build this into my app for protecting some sensitive data.

      --
      FusionAuth - Auth so modern you can download it.
      https://fusionauth.io

      • dan (reply):

        We have an open issue to make passkeys one of the supported MFA methods.

        But you can perform a step up passkey challenge using the APIs or the SDKs by doing the following:

        • User tries to access a restricted resource
        • Customer app sees if the user has already been granted access (via the presence of a cookie, or some other mechanism).
          • If they have, let them through.
        • If the user hasn’t been granted access, perform a webauthn assertion workflow
        • Call the /api/webauthn/start API to get the workflow started
        • Interact with the authenticator to produce the signature and whatever other information is needed. This is authenticator-specific.
        • Call the /api/webauthn/assert API to complete the workflow and prove possession of the authenticator
        • If the workflow is successful
          • Write a cookie or whatever if you want to remember this permission
          • Let the user through
        • If the workflow isn’t successful
          • Deny access

        If someone doesn't have a passkey enabled, which you can check by calling the /api/webauthn?userId={userId} API, direct them to the self-service account management passkey management pages.

        Here are the API docs for the webauthn API.


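The start/assert step-up flow described in the reply above, as an added example for Node.js. This is not FusionAuth's code and not dan's; it is written here to show the shape of each step. The FusionAuth calls go through an injectable fetch so the gate logic can be exercised offline against constructed responses. Everything marked "assumed" in the comments (server URL, API key, application id, the reauthentication workflow value, the exact request and response field names, the in-memory grant store) is an assumption and should be checked against the WebAuthn API docs for your FusionAuth version; the two base64url helpers use Node's Buffer and would use atob/btoa equivalents in the browser.

```javascript
// Added example (not FusionAuth's code): a step-up gate around the WebAuthn start/assert flow.
// Assumed, not taken from the original post: FUSIONAUTH_URL, API_KEY, APPLICATION_ID, the
// 'reauthentication' workflow value, the request/response field names, and the grant store.
const FUSIONAUTH_URL = 'http://localhost:9011';                 // assumed
const API_KEY = 'replace-with-a-fusionauth-api-key';             // assumed
const APPLICATION_ID = '00000000-0000-0000-0000-000000000001';   // assumed
const STEP_UP_TTL_MS = 5 * 60 * 1000;                            // remember a grant for 5 minutes

// FusionAuth carries binary WebAuthn fields as base64url strings; navigator.credentials.get()
// wants BufferSources. These helpers bridge the two (Buffer is Node; use atob/btoa in a browser).
function b64urlToBuffer(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
}
function bufferToB64url(b) {
  return Buffer.from(b).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Server: the "cookie or some other mechanism" from the post. Here a Map of userId -> expiry
// (ms since epoch); in a real app bind it to the user's session, not just the user id.
function hasValidStepUp(store, userId, now = Date.now()) {
  const expiry = store.get(userId);
  return expiry !== undefined && expiry > now;
}

// Server: decide whether the restricted resource can be served or a step-up is required.
function gate(store, userId, now = Date.now()) {
  return hasValidStepUp(store, userId, now) ? 'allow' : 'step-up';
}

// Server: POST /api/webauthn/start for the logged-in user; returns the options for the browser.
async function startStepUp(fetchImpl, userId) {
  const res = await fetchImpl(`${FUSIONAUTH_URL}/api/webauthn/start`, {
    method: 'POST',
    headers: { Authorization: API_KEY, 'Content-Type': 'application/json' },
    body: JSON.stringify({ applicationId: APPLICATION_ID, userId, workflow: 'reauthentication' }),
  });
  if (!res.ok) throw new Error(`webauthn/start failed: HTTP ${res.status}`);
  return (await res.json()).options;
}

// Browser: convert the options for navigator.credentials.get({ publicKey: ... }).
function toBrowserOptions(options) {
  return {
    ...options,
    challenge: b64urlToBuffer(options.challenge),
    allowCredentials: (options.allowCredentials || []).map((c) => ({ ...c, id: b64urlToBuffer(c.id) })),
  };
}

// Browser: serialise the PublicKeyCredential the authenticator returned into the assert body.
function toAssertPayload(credential, origin, rpId) {
  const r = credential.response;
  return {
    credential: {
      id: credential.id,
      rpId,
      type: credential.type,
      clientExtensionResults: credential.getClientExtensionResults ? credential.getClientExtensionResults() : {},
      response: {
        authenticatorData: bufferToB64url(r.authenticatorData),
        clientDataJSON: bufferToB64url(r.clientDataJSON),
        signature: bufferToB64url(r.signature),
        userHandle: r.userHandle ? bufferToB64url(r.userHandle) : null,
      },
    },
    origin,
    rpId,
  };
}

// Server: POST /api/webauthn/assert. Only a 2xx proves possession; everything else denies.
// Also refuse a credential that belongs to someone other than the session user, so a
// passkey for some other account cannot satisfy this user's step-up (field name assumed).
async function completeStepUp(fetchImpl, store, userId, payload, now = Date.now()) {
  const res = await fetchImpl(`${FUSIONAUTH_URL}/api/webauthn/assert`, {
    method: 'POST',
    headers: { Authorization: API_KEY, 'Content-Type': 'application/json' },
    body: JSON.stringify(payload),
  });
  if (!res.ok) return false;
  const body = await res.json();
  const owner = body && body.credential && body.credential.userId;
  if (owner !== undefined && owner !== userId) return false;
  store.set(userId, now + STEP_UP_TTL_MS);
  return true;
}
```

The order of calls is the one in the reply: `gate()` on each request to the restricted resource; on `'step-up'`, the server runs `startStepUp()` and hands `toBrowserOptions()` output to `navigator.credentials.get()`; the browser posts `toAssertPayload()` back; the server finishes with `completeStepUp()`, which only records a grant when FusionAuth accepts the assertion. The grant is time-limited so that a stolen session does not carry a permanent elevation, and the owner check is there because the browser, not the server, chooses which credential it submits.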
        • dan has marked this topic as solved