
How do passkeys work with Bravura Safe?

This topic provides a deeper, more technical dive into how passkeys are created and how they work with Bravura Safe.

Bravura Safe discoverable passkey creation requires the following steps:

  1. Registration is initiated:

    You (the user) decide to register for a new website or online service account [or add a new credential (passkey) to an existing account] and begin the registration process.

  2. Credential (passkey) creation is requested:

    The website or online service, which allows discoverable passkey authentication (in this context, technically referred to as the Relying Party or RP), requests creation of a new credential (passkey) using the WebAuthn create() function.

  3. A cryptographic key pair is generated:

    Bravura Safe detects the request and generates a new public-private cryptographic key pair. The private key is securely stored in Bravura Safe, while the public key is shared with the website or online service.

  4. Your user handle is associated:

    Bravura Safe associates the generated public key with your user handle (user ID), which represents the mapping of a public key credential to a user account with the Relying Party (RP). The RP sets its value, user.id.

  5. The passkey credential is finalized:

    Registration is complete once the public key and user handle are sent to the website or online service (RP) and the service acknowledges and stores this information.

Bravura Safe passkey authentication requires the following steps:

  1. A login is requested:

    Using your browser, you attempt to log in to a website or online service.

  2. An authentication request is sent:

    The website or online service sends out an authentication request. This request is not specific to any user or credential.

  3. Your associated credential (passkey) is located:

    Bravura Safe automatically detects the authentication request and searches for a discoverable credential (passkey) associated with the website or online service's domain.

  4. Your identity is verified:

    You are prompted by Bravura Safe to verify your identity (via PIN, biometric scan or other verification method) to unlock the stored private key.

  5. The challenge is signed:

    Once your identity is verified, Bravura Safe uses the private key to sign the challenge from the website or online service.

  6. The challenge is submitted:

    Bravura Safe sends the signed challenge and your user handle back to the website or online service.

  7. The signature is verified:

    The website or online service verifies the signed challenge using the stored public key associated with the user handle.

  8. Access is granted:

    If the signature is valid, the website or online service grants you access.