Add passwordless/usernameless section to README

emlun · emlun · commit b58a5f414edf · 2021-09-16T14:14:05.000+02:00
diff --git a/README b/README
@@ -275,7 +275,7 @@ First, generate authentication parameters and send them to the client:
 [source,java]
 ----------
 AssertionRequest request = rp.startAssertion(StartAssertionOptions.builder()
-    .username("alice")  // Omit for username-less login
+    .username("alice")
     .build());
 String credentialGetJson = request.toCredentialGetJson();
 return credentialGetJson;  // Send to client
@@ -350,6 +350,71 @@ updateCredential(              // Some database access method of your own design
 Then do whatever else you need - for example, initiate a user session.
 
 
+=== Passwordless, username-less authentication
+
+WebAuthn supports passwordless multi-factor authentication via on-authenticator
+https://www.w3.org/TR/webauthn-2/#user-verification[user verification],
+and username-less authentication via
+https://www.w3.org/TR/webauthn-2/#discoverable-credential[discoverable credentials]
+(sometimes the term "passwordless" is used to mean the combination of both, but
+here the two are treated separately).
+
+Discoverable credentials must be enabled at registration time by setting the
+link:https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-authenticatorselection[`authenticatorSelection`].link:https://www.w3.org/TR/webauthn-2/#dom-authenticatorselectioncriteria-residentkey[`residentKey`]
+option:
+
+[source,java]
+----------
+PublicKeyCredentialCreationOptions request = rp.startRegistration(
+  StartRegistrationOptions.builder()
+    .user(/* ... */)
+    .authenticatorSelection(AuthenticatorSelectionCriteria.builder()
+        .residentKey(ResidentKeyRequirement.REQUIRED)
+        .build())
+    .build());
+----------
+
+The username can then be omitted when starting an authentication ceremony:
+
+[source,java]
+----------
+AssertionRequest request = rp.startAssertion(StartAssertionOptions.builder().build());
+----------
+
+Some authenticators might enable this feature even if not required, and setting
+the `residentKey` option to `ResidentKeyRequirement.PREFERRED` will enable it if the
+authenticator supports it. The
+https://www.w3.org/TR/webauthn-2/#sctn-authenticator-credential-properties-extension[`credProps` extension]
+can be used to determine whether the created credential is discoverable, and is enabled by default.
+
+User verification can be enforced independently per authentication ceremony:
+
+[source,java]
+----------
+AssertionRequest request = rp.startAssertion(StartAssertionOptions.builder()
+    .username("alice")
+    .userVerification(UserVerificationRequirement.REQUIRED)
+    .build());
+----------
+
+Then `RelyingParty.finishAssertion(...)` will enforce that user verification was
+performed. However, there is no guarantee that the user's authenticator will
+support this unless the user has some credential created with the
+link:https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-authenticatorselection[`authenticatorSelection`].link:https://www.w3.org/TR/webauthn-2/#dom-authenticatorselectioncriteria-userverification[`userVerification`]
+option set:
+
+[source,java]
+----------
+PublicKeyCredentialCreationOptions request = rp.startRegistration(
+  StartRegistrationOptions.builder()
+    .user(/* ... */)
+    .authenticatorSelection(AuthenticatorSelectionCriteria.builder()
+        .userVerification(UserVerificationRequirement.REQUIRED)
+        .build())
+    .build());
+----------
+
+
 == Architecture
 
 The library tries to place as few requirements on the overall application
