作者 Oghenetega Denedo✏️
记住和存储密码对于我们的用户来说可能是一件很麻烦的事情 - 想象一下,如果登录对每个人来说都更容易的话。这就是 WebAuthn(或 Web 身份验证 API)的用武之地。WebAuthn 旨在提供一个没有密码的未来。
在本文中,我们将介绍 WebAuthn 的工作原理,详细介绍它如何使用公钥加密技术来保证安全。我们还将指导您将 WebAuthn 集成到一个简单的 Web 应用程序中,以了解如何实际使用该 API。
与任何解决方案一样,WebAuthn 有其好的一面和不太好的一面。我们将回顾其优点和缺点,以便您确定它是否最适合您的身份验证需求。欢迎与我们一起尝试告别令人头疼的密码问题,并探索 WebAuthn 无缝登录体验的前景。
学习 WebAuthn 之前需要了解的事项
在我们逐步使用 WebAuthn 实现无密码登录之前,您必须满足以下先决条件:
- Node.js 安装在您的计算机上
- 与 WebAuthn 兼容用于测试目的的 Android 或 iOS 设备
- 基本熟悉 Node.js 和 Express.js
- 用于存储用户凭证和密码的 MongoDB 数据库
如果您已经熟悉 WebAuthn 是什么及其工作原理,请随时跳到实现部分。如果您觉得需要复习一下,那么以下内容应该有助于奠定基础。
什么是 WebAuthn?
WebAuthn 是一个 Web 标准,出于 Web 应用程序中安全和无密码身份验证的需要而发起,以解决使用密码的主要缺点。
该项目由万维网联盟 (W3C) 与 FIDO(快速身份在线)合作发布,旨在创建一个跨设备和操作系统的标准化界面,用于对用户进行身份验证。
在实践层面上,WebAuthn 由三个基本组件组成:依赖方、WebAuthn 客户端和身份验证器。
依赖方是请求用户身份验证的在线服务或应用程序。
WebAuthn 客户端充当用户和依赖方之间的中介 - 它嵌入在任何支持 WebAuthn 的兼容 Web 浏览器或移动应用程序中。
身份验证器是用于验证用户身份的设备或方法,例如指纹扫描仪、面部识别系统或硬件安全密钥。
WebAuthn 是如何工作的?
在支持 WebAuthn 的网站上注册帐户时,您将开始一个注册过程,其中涉及使用身份验证器,例如手机上的指纹扫描仪。这会生成存储在依赖方数据库中的公钥和通过安全硬件层安全存储在您的设备上的私钥。
由于网站在尝试登录时不会请求密码。真正发生的是,在启动登录后,挑战会发送到您的设备。此质询通常包含网站地址等信息,以确认您正在从依赖方期望的网站登录。
收到来自网站的质询后,您的设备将使用您的私钥创建签名响应。此响应表明您拥有网站存储的相应公钥,而无需泄露私钥本身。
依赖方在收到您签名的响应后验证存储的公钥。如果签名一致,网站可以确定您是真正的用户并授予您访问权限。没有交换密码,您的私钥安全地保留在您的设备上。
如何使用WebAuthn实现无密码身份验证
现在我们已经介绍了 WebAuthn 的基本概念,我们可以看到这一切在实践中如何发挥作用。我们将构建的应用程序将是一个简单的 Express.js 应用程序,带有几个用于处理注册和登录的 API 端点,一个包含登录和注册表单的基本 HTML 页面。
项目设置
首先,您需要从 GitHub 克隆项目,其中包含起始代码,因此我们不需要做太多脚手架。
在您的终端中,输入以下命令:
git clone https://github.com/josephden16/webauthn-demo.git
登录后复制
git checkout start-here # 注意:确保您位于启动分支
如果您想查看最终解决方案,请查看最终解决方案或主分支。
接下来,安装项目依赖项:
接下来,在项目的根目录中创建一个新文件 .env。将 .env.sample 的内容复制到其中,并提供适当的值:
# .env
PORT=8000
MONGODB_URL=<YOUR MONGODB CONNECTION STRING>
登录后复制
After following these steps, the project should run without throwing errors, but to confirm, enter the command below to start the development server:
With that, we've set up the project. In the next section, we'll add the login and registration form.
Creating the login and registration form
The next step in our process is creating a single form that can handle registration and logging in. To do this, we must create a new directory in our codebase called public. Inside this directory, we will create a new file called index.html. This file will contain the necessary code to build the form we need.
Inside the index.html file, add the following code:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>WebAuthn Demo</title>
<link rel="preconnect" href="https://fonts.googleapis.com">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link href="https://fonts.googleapis.com/css2?family=Inter:wght@100..900&display=swap" rel="stylesheet">
<script src="https://cdn.tailwindcss.com"></script>
<script src="https://unpkg.com/@simplewebauthn/browser/dist/bundle/index.umd.min.js"></script>
<style>
.font-inter {
font-family: 'Inter', sans-serif;
}
</style>
</head>
<body class="font-inter min-h-screen flex flex-col items-center p-24">
<h1 class="font-bold text-3xl mb-10">WebAuthn Demo</h1>
<div id="content">
<div>
<div id="error" role="alert"
class="bg-red-600 text-white p-2 w-full my-3 rounded-md text-center font-bold hidden"></div>
<div id="loginForm" class="text-center">
<input id="username" autocomplete="webauthn" type="text" placeholder="Username"
class="w-[20rem] px-4 py-2 mb-4 border rounded-md focus:outline-none focus:ring-2 focus:ring-blue-500">
<div class="flex justify-center space-x-4">
<button id="registerBtn" type="button"
class="bg-green-500 hover:bg-green-600 text-white font-semibold py-2 px-4 rounded-md">Register</button>
<button id="loginBtn" type="button"
class="bg-blue-500 hover:bg-blue-600 text-white font-semibold py-2 px-4 rounded-md">Login</button>
</div>
</div>
<div id="welcomeMessage" class="hidden text-center">
<h1 class="text-3xl font-bold mb-4">Welcome, <span id="usernameDisplay"></span>!</h1>
<p class="text-lg text-gray-600">You are now logged in.</p>
</div>
</div>
</div>
</body>
</html>
登录后复制
So, we've just added a simple login and registration form for users to sign in with WebAuthn. Also, if you check the
element, we've included the link to the Inter font using Google Fonts, Tailwind CSS for styling, and the SimpleWebAuthn browser package.
SimpleWebAuthn is an easy-to-use library for integrating WebAuthn into your web applications, as the name suggests. It offers a client and server library to reduce the hassle of implementing Webauthn in your projects.
When you visit http://localhost:8010, the port will be what you're using, you should see a form like the one below: 
Let's create a script.js file that'll store all the code for handling form submissions and interacting with the browser's Web Authentication API for registration and authentication. Users must register on a website before logging in, so we must implement the registration functionality first.
Head to the script.js file and include the following code:
const { startRegistration, browserSupportsWebAuthn } = SimpleWebAuthnBrowser;
document.addEventListener("DOMContentLoaded", function () {
const usernameInput = document.getElementById("username");
const registerBtn = document.getElementById("registerBtn");
const loginBtn = document.getElementById("loginBtn");
const errorDiv = document.getElementById("error");
const loginForm = document.getElementById("loginForm");
const welcomeMessage = document.getElementById("welcomeMessage");
const usernameDisplay = document.getElementById("usernameDisplay");
registerBtn.addEventListener("click", handleRegister);
loginBtn.addEventListener("click", handleLogin);
});
登录后复制
At the start of the code above, we import the necessary functions to work with WebAuthn. The document.addEventListener("DOMContentLoaded", function () { ... }) part ensures that the code inside the curly braces ({...}) executes after the web page is loaded.
It is important to avoid errors that might occur if you try to access elements that haven't been loaded yet.
Within the DOMContentLoaded event handler, we're initializing variables to store specific HTML elements we'll be working with and event listeners for the login and registration buttons.
Next, let's add the handleRegister() function. Inside the DOMContentLoaded event handler, add the code below:
async function handleRegister(evt) {
errorDiv.textContent = "";
errorDiv.style.display = "none";
const userName = usernameInput.value;
if (!browserSupportsWebAuthn()) {
return alert("This browser does not support WebAuthn");
}
const resp = await fetch(`/api/register/start?username=${userName}`, {
credentials: "include"
});
const registrationOptions = await resp.json();
let authResponse;
try {
authResponse = await startRegistration(registrationOptions);
} catch (error) {
if (error.name === "InvalidStateError") {
errorDiv.textContent =
"Error: Authenticator was probably already registered by user";
} else {
errorDiv.textContent = error.message;
}
}
if (!authResponse) {
errorDiv.textContent = "Failed to connect with your device";
return;
}
const verificationResp = await fetch(
`/api/register/verify?username=${userName}`,
{
credentials: "include",
method: "POST",
headers: {
"Content-Type": "application/json",
},
body: JSON.stringify(authResponse),
}
);
if (!verificationResp.ok) {
errorDiv.textContent = "Oh no, something went wrong!";
return;
}
const verificationJSON = await verificationResp.json();
if (verificationJSON && verificationJSON.verified) {
alert("Registration successful! You can now login");
} else {
errorDiv.textContent = "Oh no, something went wrong!";
}
}
登录后复制
The handleRegister() function initiates the registration process by retrieving the username entered by the user from an input field. If the browser supports WebAuthn, it sends a request to the /api/register/start endpoint to initiate the registration process.
Once the registration options are retrieved, the startRegistration() method initiates the registration process with the received options. If the registration process is successful, it sends a verification request to another API endpoint /api/register/verify with the obtained authentication response and alerts the user that the registration was successful.
Since we haven't built the API endpoint for handling user registration yet, it won't function as expected, so let's head back to the codebase and create it.
Building the registration API endpoints
To finish the registration functionality, we'll need two API endpoints: one for generating the registration options that'll be passed to the authenticator and the other for verifying the response from the authenticator. Then, we'll store the credential data from the authenticator and user data in the database.
Let's start by creating the MongoDB database models to store user data and passkey. At the project's root, create a new folder called models and within that same folder, create two new files: User.js for the user data and PassKey.js for the passkey.
In the User.js file, add the following code:
import mongoose from "mongoose";
const UserSchema = new mongoose.Schema(
{
username: {
type: String,
unique: true,
required: true,
},
authenticators: [],
},
{ timestamps: true }
);
const User = mongoose.model("User", UserSchema);
export default User;
登录后复制
We're defining a simple schema for the user model that'll store the data of registered users. Next, in the PassKey.js file, add the following code:
import mongoose from "mongoose";
const PassKeySchema = new mongoose.Schema(
{
user: {
type: mongoose.Schema.ObjectId,
ref: "User",
required: true,
},
webAuthnUserID: {
type: String,
required: true,
},
credentialID: {
type: String,
required: true,
},
publicKey: {
type: String,
required: true,
},
counter: {
type: Number,
required: true,
},
deviceType: {
type: String,
enum: ["singleDevice", "multiDevice"],
required: true,
},
backedUp: {
type: Boolean,
required: true,
},
authenticators: [],
transports: [],
},
{ timestamps: true }
);
const PassKey = mongoose.model("PassKey", PassKeySchema);
export default PassKey;
登录后复制
We have created a schema for the PassKey model that stores all the necessary data of the authenticator after a successful registration. This schema will be used to identify the authenticator for all future authentications.
Having defined our data models, we can now set up the registration API endpoints. Within the root of the project, create two new folders: routes and controllers. Within each of the newly created folders, add a file named index.js. Within the routes/index.js file, add the code below:
import express from "express";
import {
generateRegistrationOptionsCtrl,
verifyRegistrationCtrl,
} from "../controllers/index.js";
const router = express.Router();
router.get("/register/start", generateRegistrationOptionsCtrl);
router.post("/register/verify", verifyRegistrationCtrl);
export default router;
登录后复制
We're defining the routes we used earlier for user registration using Express.js. It imports two controller functions for generating registration options and verifying the response from the startRegistration() method that'll be called in the browser.
Let's start by adding the generateRegistrationOptionsCtrl() controller to generate the registration options. In the controllers/index.js file, add the following code:
// Import necessary modules and functions
import {
generateRegistrationOptions,
verifyRegistrationResponse,
} from "@simplewebauthn/server";
import {
bufferToBase64URLString,
base64URLStringToBuffer,
} from "@simplewebauthn/browser";
import { v4 } from "uuid";
import User from "../models/User.js";
import PassKey from "../models/PassKey.js";
// Human-readable title for your website
const relyingPartyName = "WebAuthn Demo";
// A unique identifier for your website
const relyingPartyID = "localhost";
// The URL at which registrations and authentications should occur
const origin = `http://${relyingPartyID}`;
// Controller function to generate registration options
export const generateRegistrationOptionsCtrl = async (req, res) => {
const { username } = req.query;
const user = await User.findOne({ username });
let userAuthenticators = [];
// Retrieve authenticators used by the user before, if any
if (user) {
userAuthenticators = [...user.authenticators];
}
// Generate a unique ID for the current user session
let currentUserId;
if (!req.session.currentUserId) {
currentUserId = v4();
req.session.currentUserId = currentUserId;
} else {
currentUserId = req.session.currentUserId;
}
// Generate registration options
const options = await generateRegistrationOptions({
rpName: relyingPartyName,
rpID: relyingPartyID,
userID: currentUserId,
userName: username,
timeout: 60000,
attestationType: "none", // Don't prompt users for additional information
excludeCredentials: userAuthenticators.map((authenticator) => ({
id: authenticator.credentialID,
type: "public-key",
transports: authenticator.transports,
})),
supportedAlgorithmIDs: [-7, -257],
authenticatorSelection: {
residentKey: "preferred",
userVerification: "preferred",
},
});
// Save the challenge to the session
req.session.challenge = options.challenge;
res.send(options);
};
登录后复制
First, we import the necessary functions and modules from libraries like @simplewebauthn/server and uuid. These help us handle the authentication process smoothly.
Next, we define some constants. relyingPartyName is a friendly name for our website. In this case, it's set to "WebAuthn Demo." relyingPartyID is a unique identifier for our website. Here, it's set to "localhost". Then, we construct the origin variable, the URL where registrations and authentications will happen. In this case, it's constructed using the relying party ID.
Moving on to the main part of the code, we have the controller generateRegistrationOptionsCtrl(). It's responsible for generating user registration options.
Inside this function, we first extract the username from the request. Then, we try to find the user in our database using this username. If we find the user, we retrieve the authenticators they've used before. Otherwise, we initialize an empty array for user authenticators.
Next, we generate a unique ID for the current user session. If there's no ID stored in the session yet, we generate a new one using the v4 function from the uuid library and store it in the session. Otherwise, we retrieve the ID from the session.
Then, we use the generateRegistrationOptions() function to create user registration options. After generating these options, we save the challenge to the session and send the options back as a response.
Next, we'll need to add the verifyRegistrationCtrl() controller to handle verifying the response sent from the browser after the user has initiated the registration:
// Controller function to verify registration
export const verifyRegistrationCtrl = async (req, res) => {
const body = req.body;
const { username } = req.query;
const user = await User.findOne({ username });
const expectedChallenge = req.session.challenge;
// Check if the expected challenge exists
if (!expectedChallenge) {
return res.status(400).send({ error: "Failed: No challenge found" });
}
let verification;
try {
const verificationOptions = {
response: body,
expectedChallenge: `${expectedChallenge}`,
expectedOrigin: origin,
expectedRPID: relyingPartyID,
requireUserVerification: false,
};
verification = await verifyRegistrationResponse(verificationOptions);
} catch (error) {
console.error(error);
return res.status(400).send({ error: error.message });
}
const { verified, registrationInfo } = verification;
// If registration is verified, update user data
if (verified && registrationInfo) {
const {
credentialPublicKey,
credentialID,
counter,
credentialBackedUp,
credentialDeviceType,
} = registrationInfo;
const credId = bufferToBase64URLString(credentialID);
const credPublicKey = bufferToBase64URLString(credentialPublicKey);
const newDevice = {
credentialPublicKey: credPublicKey,
credentialID: credId,
counter,
transports: body.response.transports,
};
// Check if the device already exists for the user
const existingDevice = user?.authenticators.find(
(authenticator) => authenticator.credentialID === credId
);
if (!existingDevice && user) {
// Add the new device to the user's list of devices
await User.updateOne(
{ _id: user._id },
{ $push: { authenticators: newDevice } }
);
await PassKey.create({
counter,
credentialID: credId,
user: user._id,
webAuthnUserID: req.session.currentUserId,
publicKey: credPublicKey,
backedUp: credentialBackedUp,
deviceType: credentialDeviceType,
transports: body.response.transports,
authenticators: [newDevice],
});
} else {
const newUser = await User.create({
username,
authenticators: [newDevice],
});
await PassKey.create({
counter,
credentialID: credId,
user: newUser._id,
webAuthnUserID: req.session.currentUserId,
publicKey: credPublicKey,
backedUp: credentialBackedUp,
deviceType: credentialDeviceType,
transports: body.response.transports,
authenticators: [newDevice],
});
}
}
// Clear the challenge from the session
req.session.challenge = undefined;
res.send({ verified });
};
登录后复制
The verifyRegistrationCtrl() controller searches for a user in the database based on the provided username. If found, it retrieves the expected challenge from the session data. If there's no expected challenge, the function returns an error. It then sets up verification options and calls a function named verifyRegistrationResponse.
If an error occurs, it logs the error and sends a response with the error message. If the registration is successfully verified, the function updates the user's data with the information provided in the registration response. It adds the new device to the user's list of devices if it does not exist.
Finally, the challenge is cleared from the session, and a response indicates whether the registration was successfully verified.
Before we head back to the browser to test what we've done so far, return to the app.js file and add the following code to register the routes:
import router from "./routes/index.js"; // place this at the start of the file
app.use("/api", router); // place this before the call to `app.listen()`
登录后复制
Now that we've assembled all the pieces for the registration functionality, we can return to the browser to test it out.
When you enter a username and click the "register" button, you should see a prompt similar to the one shown below:
To create a new passkey, you can now scan the QR code with your Android or iOS device. Upon successfully creating the passkey, a response is sent from the startRegistration() method to the /register/verify endpoint. Still, you'll notice it fails because of the error sent from the API:
{
"error": "Unexpected registration response origin \"http://localhost:8030\", expected \"http://localhost\""
}
登录后复制
Why this is happening is because the origin that the verifyRegistrationResponse() method expected, which is http://localhost, is different from http://localhost:8010, was sent.
So, you might wonder why we can't just change it to http://localhost:8010. That’s because when we defined the origin in the controllers/index.js file, the relyingPartyID was set to "localhost", and we can't explicitly specify the port for the relying party ID.
An approach to get around this issue is to use a web tunneling service like tunnelmole or ngrok to expose our local server to the internet with a publicly accessible URL so we don't have to specify the port when defining the relyingPartyID.
Exposing your local server to the internet
Let's quickly set up tunnelmole to share the server on our local machine to a live URL.
First, let's install tunnelmole by entering the command below in your terminal:
sudo npm install -g tunnelmole
登录后复制
Next, enter the command below to make the server running locally available on the internet:
You should see an output like this from your terminal if it was successful: 
You can now use the tunnelmole URL as the origin:
const relyingPartyID = "randomstring.tunnelmole.net"; // use output from your terminal
const origin = `https://${relyingPartyID}`; // webauthn only works with https
登录后复制
Everything should work as expected, so head back to your browser to start the registration process. Once you're done, an alert should pop up informing you that the registration was successful and that you can now log in: 
We've successfully set up the user registration feature. The only thing left to do is implement the logging-in functionality.
Building the login functionality
The login process will follow a similar flow to the registration process. First, we’ll request authentication options from the server to be passed to the authenticator on your device.
Afterward, a request will be sent to the server to verify the authenticator's response. If all the criteria are met, the user can log in successfully.
Head back to the public/script.js file, and include the function to handle when the "login" button is clicked:
async function handleLogin(evt) {
errorDiv.textContent = "";
errorDiv.style.display = "none";
const userName = usernameInput.value;
if (!browserSupportsWebAuthn()) {
return alert("This browser does not support WebAuthn");
}
const resp = await fetch(`/api/login/start?username=${userName}`, {
credentials: "include",
headers: {
"ngrok-skip-browser-warning": "69420",
},
});
if (!resp.ok) {
const error = (await resp.json()).error;
errorDiv.textContent = error;
errorDiv.style.display = "block";
return;
}
let asseResp;
try {
asseResp = await startAuthentication(await resp.json());
} catch (error) {
errorDiv.textContent = error.message;
errorDiv.style.display = "block";
}
if (!asseResp) {
errorDiv.textContent = "Failed to connect with your device";
errorDiv.style.display = "block";
return;
}
const verificationResp = await fetch(
`/api/login/verify?username=${userName}`,
{
credentials: "include",
method: "POST",
headers: {
"Content-Type": "application/json",
"ngrok-skip-browser-warning": "69420",
},
body: JSON.stringify(asseResp),
}
);
const verificationJSON = await verificationResp.json();
if (verificationJSON && verificationJSON.verified) {
const userName = verificationJSON.username;
// Hide login form and show welcome message
loginForm.style.display = "none";
welcomeMessage.style.display = "block";
usernameDisplay.textContent = userName;
} else {
errorDiv.textContent = "Oh no, something went wrong!";
errorDiv.style.display = "block";
}
}
登录后复制
The function starts by clearing error messages and retrieving the user's username from the form. It checks if the browser supports WebAuthn; if it does, it sends a request to the server to initiate the login process.
If the response from the server is successful, it attempts to authenticate the user. Upon successful authentication, it hides the login form and displays a welcome message with the user's name. Otherwise, it displays an error message to the user.
Next, head back to the routes/index.js file and add the routes for logging in:
router.get("/login/start", generateAuthenticationOptionsCtrl);
router.post("/login/verify", verifyAuthenticationCtrl);
登录后复制
Don't forget to update the imports, as you're including the code above. Let's continue by adding the code to generate the authentication options. Go to the controllers/index.js file and add the following code:
// Controller function to generate authentication options
export const generateAuthenticationOptionsCtrl = async (req, res) => {
const { username } = req.query;
const user = await User.findOne({ username });
if (!user) {
return res
.status(404)
.send({ error: "User with this username does not exist" });
}
const options = await generateAuthenticationOptions({
rpID: relyingPartyID,
timeout: 60000,
allowCredentials: user.authenticators.map((authenticator) => ({
id: base64URLStringToBuffer(authenticator.credentialID),
transports: authenticator.transports,
type: "public-key",
})),
userVerification: "preferred",
});
req.session.challenge = options.challenge;
res.send(options);
};
登录后复制
The generateAuthenticationOptionsCtrl() controller starts by extracting the username from the request query and searching for the user in the database. If found, it proceeds to generate authentication options crucial for the process.
These options include the relying party ID (rpID), timeout, allowed credentials derived from stored authenticators, and user verification option set to preferred. Then, it stores the challenge from the options in the session for authentication verification and sends them as a response to the browser.
Let's add the controller for verifying the authenticator's response for the final part of the auth flow:
// Controller function to verify authentication
export const verifyAuthenticationCtrl = async (req, res) => {
const body = req.body;
const { username } = req.query;
const user = await User.findOne({ username });
if (!user) {
return res
.status(404)
.send({ error: "User with this username does not exist" });
}
const passKey = await PassKey.findOne({
user: user._id,
credentialID: body.id,
});
if (!passKey) {
return res
.status(400)
.send({ error: "Could not find passkey for this user" });
}
const expectedChallenge = req.session.challenge;
let dbAuthenticator;
// Check if the authenticator exists in the user's data
for (const authenticator of user.authenticators) {
if (authenticator.credentialID === body.id) {
dbAuthenticator = authenticator;
dbAuthenticator.credentialPublicKey = base64URLStringToBuffer(
authenticator.credentialPublicKey
);
break;
}
}
// If the authenticator is not found, return an error
if (!dbAuthenticator) {
return res.status(400).send({
error: "This authenticator is not registered with this site",
});
}
let verification;
try {
const verificationOptions = {
response: body,
expectedChallenge: `${expectedChallenge}`,
expectedOrigin: origin,
expectedRPID: relyingPartyID,
authenticator: dbAuthenticator,
requireUserVerification: false,
};
verification = await verifyAuthenticationResponse(verificationOptions);
} catch (error) {
console.error(error);
return res.status(400).send({ error: error.message });
}
const { verified, authenticationInfo } = verification;
if (verified) {
// Update the authenticator's counter in the DB to the newest count in the authentication
dbAuthenticator.counter = authenticationInfo.newCounter;
const filter = { username };
const update = {
$set: {
"authenticators.$[element].counter": authenticationInfo.newCounter,
},
};
const options = {
arrayFilters: [{ "element.credentialID": dbAuthenticator.credentialID }],
};
await User.updateOne(filter, update, options);
}
// Clear the challenge from the session
req.session.challenge = undefined;
res.send({ verified, username: user.username });
};
登录后复制
The verifyAuthenticationCtrl() controller first extracts data from the request body and query, including the username and authentication details. It then searches for the user in the database. If not found, it returns a 404 error.
Assuming the user exists, it proceeds to find the passkey associated with the user and provides authentication details. If no passkey is found, it returns a 400 error.
Then, the expected challenge value is retrieved from the session data and iterates over the user's authenticators to find a match.
After attempting the verification, if an error occurs, the error is logged to the console and a 400 error is returned. If the verification is successful, the authenticator's counter is updated in the database, and the challenge is cleared from the session. Finally, the response includes the verification status and the username.
Return to your browser to ensure that everything functions as expected. Below is a GIF demonstrating the entire authentication process: 
We've successfully implemented the WebAuthn authentication, providing our users with a fast, secure, and password-less way to authenticate themselves. With biometric information or physical security keys, users can access their accounts securely.
Benefits and limitations of WebAuthn
While WebAuthn presents a solution to modern authentication challenges, it's essential to understand its strengths and weaknesses. Below, we highlight the key advantages and potential drawbacks of adopting WebAuthn in your authentication strategy.
Benefits of WebAuthn
WebAuthn offers a higher security level than traditional password-based authentication methods because of how it leverages public key cryptography to mitigate the risks associated with password breaches and phishing attacks.
因此,即使发生网络攻击,犯罪者也只能访问您的公钥,而公钥本身不足以访问您的帐户。
对生物识别数据和物理安全密钥等各种身份验证因素的支持提供了灵活性,使您可以实施多因素身份验证以提高安全性。
由于 WebAuthn 目前受到大多数现代 Web 浏览器和平台的支持,因此许多用户都可以使用它。各种设备和操作系统之间的身份验证体验也是相同的,以确保一致性。
WebAuthn 的局限性
对于拥有复杂或遗留系统的组织来说,集成 WebAuthn 在技术上可能具有挑战性。然后想象一下您的用户可能使用的所有类型的设备以及任何其他相关的技术限制。
另一个重要的限制是人为因素——用户的身份验证过程有多容易访问?不熟悉该技术可能会让用户望而却步,或者需要创建教育和教学资源。
结论
在本文中,我们了解了 WebAuthn 如何提供无密码身份验证过程,该过程在幕后使用公钥加密技术来提供安全便捷的登录体验。通过实际示例和清晰的解释,我们介绍了如何在 Web 应用程序中设置 WebAuthn,以便在我们的应用程序中享受更流畅、更安全的身份验证方式。
LogRocket:通过了解上下文更轻松地调试 JavaScript 错误
调试代码始终是一项乏味的任务。但你越了解自己的错误,就越容易纠正它们。
LogRocket 允许您以新的、独特的方式理解这些错误。我们的前端监控解决方案跟踪用户与 JavaScript 前端的互动,使您能够准确查看用户的操作导致了错误。
LogRocket 记录控制台日志、页面加载时间、堆栈跟踪、带有标头 + 正文的慢速网络请求/响应、浏览器元数据和自定义日志。了解 JavaScript 代码的影响从未如此简单!
免费试用。
以上是实施 WebAuthn 以实现无密码登录的详细内容。更多信息请关注PHP中文网其他相关文章!
