LOGBOOK

HELP

Quiz Entry - updated: 2026.05.26

At the final WebAuthn login step, how does the relying party confirm the user without ever receiving a password or private key?

The client sends back the challenge signed by the private key; the relying party verifies that signature using the public key it stored at registration — a valid signature proves possession of the private key.

This is asymmetric cryptography doing the heavy lifting:

  • Only the private key (sealed in the authenticator) could have produced a signature that verifies against the stored public key.
  • The relying party runs the verification locally with the public key — it needs no secret of its own and receives no secret from the user.
  • A correct signature ⇒ "this is the same entity that registered the public key" ⇒ authentication succeeds.

Nothing reusable ever crosses the wire: not a password, not the private key — just a one-time signature over a one-time challenge.

Tip: Contrast with cookies/passwords, where the server stores a secret (password hash or session) that's valuable to steal. Here the server stores only a public key — breaching the relying party's database yields nothing an attacker can log in with.

From Quiz: INTROL / Web Authentication: Cookies, OAuth 2.0 / OIDC & WebAuthn | Updated: May 26, 2026