Is registering a new user the same as Signing them up? #146
Replies: 2 comments
WebAuthn can be used for three types of authentication:
- Two-Factor Auth (2FA)
- Passwordless
- Usernameless

The most common use cases for WebAuthn, 2FA or Passwordless, require you to have already created a user account in your system before you can then allow them to register authenticators. The credential ID and public key you get back from registration need to be associated with that user account by your internal ID for them so that, later, when they authenticate themselves to log back into their account, you can handle that. Typically this would involve the user creating an account with you first, however you choose to handle that, before you prompt them to register authenticators for later 2FA or Passwordless authentication. The subtle point is, "after they've logged in" really means "after you've definitively identified the user, however you choose to allow them to get to that point, so that you can know their assigned ID to use with WebAuthn". Does this make sense?
Makes perfect sense. I was getting "logged in" confused with
username/password logins. We actually verify a user's email with a
challenge code. After this we will create the account and then register an
authenticator with your libraries.
Thank you for the clarification.
On Thu, Aug 19, 2021 at 3:42 PM Matthew Miller wrote:
WebAuthn can be used for three types of authentication:
- Two-Factor Auth (2FA)
- Passwordless
- Usernameless
The most common use cases for WebAuthn, for *2FA* or *Passwordless*, require you to have already created a user account in your system before you can then allow them to register authenticators. The credential ID and public key you get back from registration need to be associated with that user account by your internal ID for them so that, later, when they authenticate themselves to log back into their account, you can handle that. Typically this would involve the user creating an account with you first, however you choose to handle that, before you prompt them to register authenticators for later 2FA or Passwordless authentication. The subtle point is, "after they've logged in" really means "after you've definitively identified the user, however you choose to allow them to get to that point, so that you can know their assigned ID to use with WebAuthn".
Does this make sense?
Quick question with regards to comments in the Server example code:
I'm attempting to use the Server/Browser components provided to allow a user to Sign-up without a password.
I'm confused by the following comments in the code snippet below:
```ts
// (Pseudocode) Retrieve the user from the database
// after they've logged in
const user: UserModel = getUserFromDB(loggedInUserId);
```
If I'm Signing up (registering) a new user, how can they be logged in?
Is it possible to create a new user account when generating attestation options?
Thank you for any insights!