
The Process of Login

This entry is part 5 of 8 in the series Implementing PassKeys in iOS

Logging into a server using an existing PassKey is a lot simpler than creating a new account and PassKey.

Prerequisite

You can only log in with a PassKey if one has already been established through the creation process.

It is assumed that the server has properly stored at least the Public Key and the Credential ID for the PassKey. These were provided by the client during creation.

It is also assumed that the client still holds the original PassKey that is reflected on the server. Assuming we used the Authentication Services SDK to produce the key, as described in the previous pages, then we’re sorted.

The Process

Figure 1: The Login PassKey Workflow

Step One: The Client Requests a Challenge From the Server

When the client app has its “Login” button selected, it requests a challenge from the server. The challenge is very simple: just a random string of bytes.

Step Two: The Server Responds With the Challenge Data

The server generates the random bytes and sends them to the client.

Step Three: The Client Authenticates, Signs the WebAuthn Credentials, and Sends Them to the Server

At this point, the client uses the Authentication Services SDK to sign a credential data package (including the challenge sent from the server). It first presents a GUI to the user, asking for authorization.

It then sends this signed data packet to the server.

Step Four: The Server Validates the Client Credentials, and Logs In the Client

The server validates the signed data packet using its stored Public Key, and also verifies that the challenge is the one it issued. If all is good, it logs in the user and returns a success indication (in our case, a bearer token).
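The four steps above, run end to end, as an added example that is not the series' own code (the series' server is not shown on this page, and its language and domain are not named). It assumes a Go server, a constructed relying party identifier `example.com`, and an in-memory P-256 key standing in for the PassKey that the Authentication Services SDK would keep in the Secure Enclave. The authenticator data is built in its minimal form (relying party ID hash, flags, sign count), and the server performs the checks that matter for the login step: the credential ID is known, the challenge is one it issued and has not been used before, the origin and relying party hash match, the user-presence flag is set, and the ES256 signature over `authenticatorData || SHA-256(clientDataJSON)` verifies under the stored public key. The replay check in `main` shows why the server must consume each challenge on first use.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed values for this example; the series' server and domain are not named.
const (
	rpID   = "example.com"    // relying party identifier (placeholder)
	origin = "https://" + rpID // origin the server expects inside clientDataJSON
)

// clientData is the subset of clientDataJSON fields this server checks.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the signed packet the client sends in step three.
type Assertion struct {
	CredentialID, ClientDataJSON, AuthenticatorData, Signature []byte
}

// Server holds what creation left behind (credential ID and public key)
// plus the challenges it has issued but not yet seen used.
type Server struct {
	credentialID []byte
	publicKey    *ecdsa.PublicKey
	pending      map[string]bool
}

// NewServer registers one previously created PassKey.
func NewServer(credentialID []byte, pub *ecdsa.PublicKey) *Server {
	return &Server{credentialID: credentialID, publicKey: pub, pending: map[string]bool{}}
}

// NewChallenge covers steps one and two: 32 random bytes, remembered so that
// each challenge is accepted exactly once.
func (s *Server) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[base64.RawURLEncoding.EncodeToString(c)] = true
	return c, nil
}

// signedDigest is what ES256 actually signs: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// SignAssertion plays the authenticator for step three. A real PassKey signs
// inside the Secure Enclave; here a P-256 key in memory takes that role.
func SignAssertion(priv *ecdsa.PrivateKey, credentialID, challenge []byte) (Assertion, error) {
	cd, err := json.Marshal(clientData{
		Type:      "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge),
		Origin:    origin,
	})
	if err != nil {
		return Assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	// authenticatorData = rpIdHash(32) || flags(1, user-presence bit set) || signCount(4)
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cd))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{CredentialID: credentialID, ClientDataJSON: cd, AuthenticatorData: authData, Signature: sig}, nil
}

// Verify is step four. The challenge is consumed before the signature check so a
// captured assertion cannot be replayed, and the signature is checked last.
func (s *Server) Verify(a Assertion) (string, error) {
	if !bytes.Equal(a.CredentialID, s.credentialID) {
		return "", errors.New("unknown credential ID")
	}
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return "", err
	}
	if cd.Type != "webauthn.get" || cd.Origin != origin {
		return "", errors.New("unexpected type or origin")
	}
	if !s.pending[cd.Challenge] {
		return "", errors.New("challenge unknown or already used")
	}
	delete(s.pending, cd.Challenge)
	rpHash := sha256.Sum256([]byte(rpID))
	if len(a.AuthenticatorData) < 37 || !bytes.Equal(a.AuthenticatorData[:32], rpHash[:]) {
		return "", errors.New("authenticator data is not for this relying party")
	}
	if a.AuthenticatorData[32]&0x01 == 0 {
		return "", errors.New("user presence flag not set")
	}
	if !ecdsa.VerifyASN1(s.publicKey, signedDigest(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return "", errors.New("signature does not verify under the stored public key")
	}
	token := make([]byte, 16) // the bearer token returned on success
	if _, err := rand.Read(token); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(token), nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	credID := []byte("constructed-credential-id")
	srv := NewServer(credID, &priv.PublicKey)
	challenge, _ := srv.NewChallenge()
	assertion, _ := SignAssertion(priv, credID, challenge)
	token, err := srv.Verify(assertion)
	fmt.Println("login:", token, err)
	_, err = srv.Verify(assertion) // same packet again: rejected, challenge already consumed
	fmt.Println("replay:", err)
}
```

A production server would also persist the sign count and reject an assertion whose count has not increased, and would look the credential up by the ID the client sends rather than holding a single one; both are left out to keep the four steps visible.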

Now that we know the basic process, let’s walk through the code that implements it.