This document provides a comprehensive overview of how OTPless Passkey integrates with your app/website to offer secure, passwordless biometric authentication for end users. The integration is based on the FIDO 2.0 framework, leveraging the security and convenience of passkeys. The focus is on the technical flow within the OTPless SDK, key entities like the Relying Party (RP), Authenticator, and Client, and how passkeys enable strong authentication. Additionally, it details the backend checks OTPless performs to verify the authenticator’s response during both registration and login.
A Passkey is a passwordless authentication mechanism built on FIDO 2.0 that uses asymmetric cryptography (public-private key pairs) for authentication. The passkey’s private key is stored securely on the user’s device (the Authenticator) and never leaves it. It is used to sign authentication challenges, providing a highly secure and convenient login or transaction-approval experience.
In this context, you (the client) are the Relying Party (RP): the entity that wants to verify the user’s identity for a particular action (login or transaction approval). The RP is responsible for triggering the authentication flow and for verifying, via OTPless, the response returned by the user’s device.
The Authenticator is a device (platform or roaming) that stores the user’s private key and performs biometric authentication. It can be a mobile device’s fingerprint scanner, Face ID, or an external hardware key. The Authenticator never exposes the private key and uses it only to sign challenges generated by the RP.
The Client refers to the user’s device (e.g., mobile app or browser) where the OTPless SDK is integrated. It facilitates communication between the Authenticator and the Relying Party, ensuring the biometric verification process is secure and seamless.
The FIDO 2.0 framework underpins the passkey-based authentication system, offering strong, passwordless authentication using public-key cryptography. FIDO 2.0 guarantees that sensitive information such as biometric data or private keys never leaves the device.
OTPless enables secure, passwordless login and transaction authentication using passkeys. Your App integrates OTPless to ensure seamless and secure identity verification without relying on passwords/OTPs.
Transaction Authentication: Users can approve payment transactions using their passkeys, ensuring that only the authenticated user can authorize the transaction.
Login Authentication: Users can log into the Bank’s platform securely without passwords by using their passkey.
The registration flow outlines how a user enrolls their biometrics on your platform via the OTPless SDK to generate a passkey. The main difference between registration and login is that during registration, the user’s public key is transmitted to OTPless for future authentication.
The Client (as the Relying Party) sends a server-to-server request to the OTPless initiate API, passing the User ID.
OTPless generates a request_id and returns it to the Client server.
Invoke OTPless SDK with Request ID
The Client’s frontend (browser/mobile app) invokes the OTPless SDK with the request_id.
OTPless SDK Collects Device and Network Data
The OTPless SDK gathers device information (e.g., OS version, device type) and network information to ensure the authenticity of the device and for device management.
Generate Challenge for Registration
OTPless generates a challenge (a random, unique string) that the authenticator will sign during registration. Because OTPless issues the challenge for this specific request, the signed response proves that the registration originated from a trusted source and belongs to this attempt.
Generate Passkey (Public-Private Key Pair)
The Authenticator on the user’s device generates a public-private key pair.
The public key is sent to OTPless, while the private key remains securely stored in the authenticator (e.g., the user’s mobile device or security key).
Biometric Authentication and Challenge Signing
The Authenticator verifies the user’s biometrics and then uses the private key to sign the challenge.
Passkey Registration
OTPless stores the public key in its backend for future authentication. This is the passkey’s public component, associated with the user.
Backend Validation:
OTPless validates the incoming public key and associates it with the user’s device information.
The challenge is verified by checking the authenticator’s signed response against that public key.
RP Verifies Token
RP’s backend verifies the access token by a server-to-server call to OTPless and proceeds with the transaction or login based on successful authentication.
4.2 Login/Authentication Flow Using Passkey (FIDO 2.0)
In the login/authentication flow, the process is almost identical to registration, with the exception that the public key is not transmitted again. Instead, the stored public key is used to verify the signed challenge from the user’s authenticator.
RP initiates the authentication process by calling the OTPless initiate API, passing the User ID.
OTPless generates a request_id and sends it back to the Client.
Invoke OTPless SDK with Request ID
RP’s frontend invokes the OTPless SDK using the request_id.
The SDK triggers the biometric authentication process.
Generate Challenge
The OTPless Backend generates a challenge (a random string) and sends it to the SDK on the client’s device.
Biometric Authentication and Challenge Signing
The Authenticator verifies the user’s biometrics (e.g., fingerprint, Face ID).
Upon successful verification, the Authenticator uses the private key to sign the challenge.
Return Signed Challenge
The signed challenge is returned to the OTPless backend via the SDK.
Backend Verification
OTPless verifies the signed challenge using the public key stored during registration. The checks include:
Signature Verification: Ensures the signature is valid and was made using the correct private key.
Challenge Validation: Verifies that the returned signed challenge matches the one issued during the authentication process.
Device Check: Ensures the request is coming from the same device associated with the public key.
If all checks pass, OTPless generates an access token.
RP Verifies Token
RP’s backend verifies the access token by a server-to-server call to OTPless and proceeds with the transaction or login based on successful authentication.
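The registration flow, the login flow and the three backend checks above fit together in one runnable model. The following is an added example, not OTPless code: an in-memory Go stand-in for the OTPless backend and for the user’s authenticator. Everything in it is assumed for illustration (the Backend and Authenticator types, the "userID:challenge" bookkeeping, the two-minute challenge lifetime, P-256 ECDSA as the key type, and the user-1/device-A sample values); the real OTPless initiate API, request_id, access token and device-fingerprinting logic are not shown on the page and are not reproduced here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// Passkey is the stored public component: the public key bound to the device that created it.
type Passkey struct{ DeviceID string; PublicKey *ecdsa.PublicKey }

// Backend is a hypothetical in-memory stand-in for the OTPless backend described on the page.
type Backend struct {
	passkeys   map[string]Passkey   // user ID -> registered passkey
	challenges map[string]time.Time // "userID:challenge" -> expiry
}

func NewBackend() *Backend {
	return &Backend{passkeys: map[string]Passkey{}, challenges: map[string]time.Time{}}
}

// IssueChallenge generates the random challenge handed to the SDK (the 2-minute lifetime is an assumption).
func (b *Backend) IssueChallenge(userID string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	c := base64.RawURLEncoding.EncodeToString(raw)
	b.challenges[userID+":"+c] = time.Now().Add(2 * time.Minute)
	return c, nil
}

// verifyResponse is "Challenge Validation" (issued to this user, unexpired, single use) then "Signature Verification".
func (b *Backend) verifyResponse(userID, challenge string, pub *ecdsa.PublicKey, sig []byte) error {
	key := userID + ":" + challenge
	expires, ok := b.challenges[key]
	delete(b.challenges, key) // consumed whether or not the remaining checks pass
	if !ok || time.Now().After(expires) {
		return errors.New("challenge unknown, already used, or expired")
	}
	h := sha256.Sum256([]byte(challenge)) // ASN.1 ECDSA signature over SHA-256 of the challenge
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature was not made with the expected private key")
	}
	return nil
}

// Register (registration flow) stores the public key only after it has been shown to match the signature.
func (b *Backend) Register(userID, deviceID, challenge string, pub *ecdsa.PublicKey, sig []byte) error {
	if err := b.verifyResponse(userID, challenge, pub, sig); err != nil {
		return err
	}
	b.passkeys[userID] = Passkey{DeviceID: deviceID, PublicKey: pub}
	return nil
}

// Authenticate (login flow) adds the "Device Check" and verifies against the stored public key.
func (b *Backend) Authenticate(userID, deviceID, challenge string, sig []byte) error {
	pk, ok := b.passkeys[userID]
	if !ok {
		return errors.New("no passkey registered for this user")
	}
	if pk.DeviceID != deviceID {
		return errors.New("request did not come from the device bound to this passkey")
	}
	return b.verifyResponse(userID, challenge, pk.PublicKey, sig)
}

// Authenticator models the device side: the private key is created here and never leaves.
type Authenticator struct{ Pub *ecdsa.PublicKey; priv *ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only fails if the system RNG is unavailable
	}
	return &Authenticator{Pub: &priv.PublicKey, priv: priv}
}

// Sign stands in for "biometric prompt succeeded, sign the challenge with the private key".
func (a *Authenticator) Sign(challenge string) ([]byte, error) {
	h := sha256.Sum256([]byte(challenge))
	return ecdsa.SignASN1(rand.Reader, a.priv, h[:])
}

func main() {
	b, auth := NewBackend(), NewAuthenticator()
	c, _ := b.IssueChallenge("user-1")
	sig, _ := auth.Sign(c)
	fmt.Println("register:", b.Register("user-1", "device-A", c, auth.Pub, sig))
	c, _ = b.IssueChallenge("user-1")
	sig, _ = auth.Sign(c)
	fmt.Println("login:", b.Authenticate("user-1", "device-A", c, sig))
	fmt.Println("replay:", b.Authenticate("user-1", "device-A", c, sig))
}
```

Two design points carry over to any real verifier. Register checks the signature before storing the key, so a public key that did not sign this registration challenge is never enrolled; and verifyResponse deletes the challenge before it checks anything else, so a replayed response fails even though its signature is still mathematically valid. A production FIDO2 verifier also checks data the page does not describe, such as the RP ID and origin carried in the authenticator’s signed response, and keeps issued challenges in shared storage rather than process memory; neither is modelled here.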
The SDK collects information about the device (e.g., OS type, version, model) and the network (e.g., IP, geolocation) to ensure context-aware authentication and security.
The FIDO 2.0 framework provides the foundation for the secure and passwordless authentication system used by OTPless Passkey. Key security features include:
Public-Key Cryptography: The passkey system uses asymmetric cryptography, where the private key remains securely stored on the user’s device and the public key is used to verify the signed challenges.
Device-Based Security: Biometric data and the private key are never exposed or transmitted, making the scheme resistant to phishing and man-in-the-middle attacks.
GDPR Compliance: User data, including biometrics, is never exposed to third parties. Only encrypted tokens and public keys are transmitted.
PSD2 Compliance: Passkey-based authentication complies with strong customer authentication (SCA) requirements, making it ideal for financial transactions.
OTPless Passkey integrates seamlessly with the RP’s platform to provide a passwordless, highly secure biometric authentication system based on the FIDO 2.0 framework. The use of passkeys ensures that sensitive information is never compromised, offering a future-proof solution for both login and transaction authentication.