It has recently become possible to verify a login with Face ID or Touch ID. This is explained here: https://developer.apple.com/videos/play/wwdc2020/10670/.

Currently I can't find complete sample code, but https://webkit.org/blog/11312/meet-face-id-and-touch-id-for-the-web/ is a good place to start.

Unfortunately, I don't quite understand yet where the value of the variable "challenge" comes from. Do I have to generate a new random 32-character-long value for each challenge?

I also don't understand how the value of the variable credentialIdBuffer1 is calculated.

I think I am not the only one who has these questions and others might find their answers here.

I would be very grateful for your help. Best regards

Maisen1886
  • The best place to start is https://webauthn.guide. Then, more details are provided in this guide: https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/. Finally, once you understand all the concepts, you should start experimenting on this page, https://webauthn.me/debugger, where you can visually see what each field holds. Then, pick a library of your choice to use on the server. Do not try to implement the specs yourself; it will take weeks and it will not work for many edge cases. – Xeos Dec 13 '20 at 23:25
  • If you use PHP (or if you want to look at a sample implementation), you will find this page and this library helpful: https://github.com/Spomky-Labs/u2f-php/blob/master/doc/PublicKeyCredentialRequest.md – Xeos Dec 13 '20 at 23:26
  • To answer your specific questions: the `challenge` is binary (random 1s and 0s), which is represented by letters (base64) for ease of use. The length of the challenge should be at least 16 bytes (~22 characters long in base64). `credentialIdBuffer1` is a unique ID which identifies an "authenticator" that was associated with the user account. The browser uses that ID to check if it knows of that authenticator and if it can access it right now. – Xeos Dec 13 '20 at 23:31
  • There is also this (more involved) article https://www.tspi.at/2020/07/01/webauthn.html which covers some aspects that many other guides miss. – Xeos Dec 13 '20 at 23:32
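
To illustrate the comment above about `challenge` and `credentialIdBuffer1`, here is an added example (not part of the original thread or the WebKit post) of server-side challenge handling in Node.js. The in-memory maps, function names, five-minute lifetime and sample credential ID are assumptions; it covers only the challenge check, and a WebAuthn library still has to verify the origin, RP ID hash and signature.

```javascript
const { randomBytes, timingSafeEqual } = require("node:crypto");

const CHALLENGE_TTL_MS = 5 * 60 * 1000; // assumed lifetime of one login attempt
const pending = new Map();              // sessionId -> { challenge: Buffer, expires }

// Hypothetical store: credential IDs saved when each authenticator was registered.
// The value below is a constructed sample, not a real credential ID.
const credentialIdsByUser = new Map([
  ["alice", [Buffer.from("constructed-credential-id-01")]],
]);

// Start a login: a fresh random challenge per attempt, remembered server-side.
function beginLogin(sessionId, username, now = Date.now()) {
  const challenge = randomBytes(32); // at least 16 bytes; never reused
  pending.set(sessionId, { challenge, expires: now + CHALLENGE_TTL_MS });
  const ids = credentialIdsByUser.get(username) || [];
  return {
    challenge: challenge.toString("base64url"),
    // These IDs become the credentialIdBuffer values passed as allowCredentials.
    allowCredentials: ids.map((id) => ({
      type: "public-key",
      id: id.toString("base64url"),
    })),
    userVerification: "required",
  };
}

// Check the challenge echoed back inside the authenticator response's clientDataJSON.
function checkChallenge(sessionId, clientDataJSON, now = Date.now()) {
  const entry = pending.get(sessionId);
  pending.delete(sessionId); // single use: a replayed response finds nothing
  if (!entry || now > entry.expires) return false;
  let clientData;
  try {
    clientData = JSON.parse(clientDataJSON.toString("utf8"));
  } catch {
    return false; // malformed clientDataJSON
  }
  if (clientData.type !== "webauthn.get") return false;
  if (typeof clientData.challenge !== "string") return false;
  const returned = Buffer.from(clientData.challenge, "base64url");
  return (
    returned.length === entry.challenge.length &&
    timingSafeEqual(returned, entry.challenge)
  );
}
```

In the browser, the base64url strings returned by `beginLogin` are decoded into `ArrayBuffer`s before being passed to `navigator.credentials.get()`.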

0 Answers