PasskeyAuthService
Component Detail
Description
Implements the server-side FIDO2/WebAuthn ceremony for both registration and authentication. Generates cryptographic challenges, verifies authenticator responses, and issues session tokens upon successful assertion. Acts as the single authority for the passkey lifecycle, including credential revocation and device management.
passkey-auth-service
Sources & reasoning
Passkeys are not mentioned in the source document. The feature appears in the authoritative blueprint with target_release v1.1. No phase evidence exists in source docs, so blueprint assignment is used directly. v1.1 aligns with Phase 3 ordinal position. The feature is a logical evolution of the biometric-login foundation and industry direction for passwordless auth on iOS/Android.
No source references — this artifact was included based on reasoning alone (see above).
Responsibilities
- Generate and store time-limited registration and authentication challenges
- Validate authenticator attestation responses during credential registration
- Verify authenticator assertion signatures during authentication and check counter values
- Issue and return session tokens upon successful passkey authentication
- Revoke passkey credentials on user request or security policy triggers
Interfaces
generateRegistrationOptions(userId: string): Promise<PublicKeyCredentialCreationOptions>
verifyRegistration(userId: string, response: RegistrationResponseJSON): Promise<VerifiedRegistration>
generateAuthenticationOptions(userId: string): Promise<PublicKeyCredentialRequestOptions>
verifyAuthentication(userId: string, response: AuthenticationResponseJSON): Promise<AuthToken>
revokeCredential(credentialId: string, userId: string): Promise<void>
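
An added example, not this service's own code, of two responsibilities listed above as they would apply inside verifyAuthentication: time-limited, single-use challenges and the signature counter check. The five-minute lifetime, ChallengeStore, the function names and the string result codes are assumptions; signature and rpIdHash verification are also required and are left out of this sketch.

```javascript
// Added example: challenge lifetime and signCount checks only. Signature and
// rpIdHash verification are required too but are outside this sketch.
const CHALLENGE_TTL_MS = 5 * 60 * 1000; // assumed; the page only says "time-limited"

class ChallengeStore {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.pending = new Map(); // userId -> { challenge, expiresAt }
  }
  issue(userId, challenge) {
    this.pending.set(userId, { challenge, expiresAt: this.now() + CHALLENGE_TTL_MS });
  }
  // Single use: the entry is removed whenever it is looked up, match or not.
  consume(userId, presented) {
    const entry = this.pending.get(userId);
    this.pending.delete(userId);
    if (!entry) return "no_pending_challenge";
    if (this.now() > entry.expiresAt) return "challenge_expired";
    return entry.challenge === presented ? "ok" : "challenge_mismatch";
  }
}

// authenticatorData layout: rpIdHash[32] | flags[1] | signCount[4, big-endian] | ...
function parseAuthenticatorData(bytes) {
  if (bytes.length < 37) throw new Error("authenticatorData too short");
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const flags = view.getUint8(32);
  return { userPresent: (flags & 0x01) !== 0, signCount: view.getUint32(33, false) };
}

// A counter that fails to increase suggests a cloned authenticator. 0/0 means
// the authenticator keeps no counter, which is common for synced passkeys.
function checkSignCount(stored, received) {
  if (stored === 0 && received === 0) return true;
  return received > stored;
}

function checkAssertion(store, userId, storedSignCount, expectedOrigin, clientDataJSON, authData) {
  let client;
  try { client = JSON.parse(clientDataJSON); } catch { return "malformed_client_data"; }
  if (!client || typeof client !== "object") return "malformed_client_data";
  const challengeResult = store.consume(userId, client.challenge);
  if (challengeResult !== "ok") return challengeResult;
  if (client.type !== "webauthn.get") return "wrong_ceremony_type";
  if (client.origin !== expectedOrigin) return "origin_mismatch";
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) return "user_not_present";
  if (!checkSignCount(storedSignCount, parsed.signCount)) return "sign_count_regression";
  return "ok"; // caller still verifies the signature, then stores parsed.signCount
}
```

A "sign_count_regression" result is a signal for the revocation policy rather than proof of cloning, so the caller decides whether to reject, step up, or revoke.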