LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

During WebAuthn registration, what does the authenticator create, and what exactly gets sent to the website?

The authenticator generates a new public/private key pair; the private key stays sealed on the device, and only the public key (inside an attestation object) is sent to the relying party.

Browser requests a challenge, calls create(); the authenticator makes a key pair and returns only the public key.

* WebAuthn registration: the device keeps the private key, sends only the public key. *

The registration sequence (navigator.credentials.create):

  1. User clicks "register"; the browser asks the relying party for a challenge.
  2. The relying party's script calls navigator.credentials.create() with that challenge and creation options.
  3. The user unlocks the authenticator (PIN/biometric).
  4. The authenticator generates a fresh key pair for this site, signs the challenge, and returns new credentials (the public key) + signed challenge.
  5. The browser forwards the public key to the relying party, which stores it against the user's account. Response: "Registered."

The user side is almost effortless: choose a username (often an email), pick the authenticator, unlock it. No password is ever created.

Tip: A separate key pair is generated per website, so credentials for site A can't be correlated with or used at site B — built-in protection against cross-site tracking.

Go deeper:

  • doc MDN: Web Authentication APInavigator.credentials.create()/get() and the credential objects in detail.
  • tool webauthn.io — live demo: register and log in with a passkey and watch the exact options/responses.

From Quiz: INTROL / Web Authentication: Cookies, OAuth 2.0 / OIDC & WebAuthn | Updated: Jul 05, 2026