Can I do step-up authentication with WebAuthn/passkeys?
-
Can I do step-up authentication with WebAuthn/passkeys? I want to build this into my app for protecting some sensitive data.
-
We have an open issue to make passkeys one of the supported MFA methods.
But you can perform a step-up passkey challenge using the APIs or the SDKs by doing the following:
- User tries to access a restricted resource
- Customer app sees if the user has already been granted access (via the presence of a cookie, or some other mechanism).
  - If they have, let them through.
- If the user hasn't been granted access, perform a webauthn assertion workflow
  - Call the /api/webauthn/start to get the workflow started
  - Interact with the authenticator to produce the signature and whatever other information is needed. This is authenticator-specific.
  - Call the /api/webauthn/assert to complete the workflow and prove possession of the authenticator
- If the workflow is successful
  - Write a cookie or whatever if you want to remember this permission
  - Let the user through
- If the workflow isn't successful
  - Deny access
If someone doesn't have a passkey enabled, which you can check by calling the /api/webauthn?userId={userId} API, direct them to the self-service account management passkey management pages.
Here are the API docs for the webauthn API.
-
dan has marked this topic as solved