Product Documentation

Authenticating a user’s FIDO credential is handled in four (4) steps:


  1. In the first step, after a user submits their registration, a preauthenticate() web-service request is sent to SKFS; this returns a challenge and other directives/hints (inside PublicKeyCredentialCreationOptions) that serve as input to the WebAuthn API built into browsers.



  2. In the second step, the challenge (and the other directives/hints) are passed to the browser’s WebAuthn API, specifically the window.navigator.credentials.get method, which interacts with the FIDO Authenticator to obtain a signed response from it.



  3. In the third step, a verifyForUsername() web-service request is sent to SKFS with the Signed Response (and associated metadata). Once SKFS has verified the credential’s metadata and its compliance with the security policy configured on SKFS, a username is returned in the response.



  4. In the fourth and final step, an authenticate() web-service request is sent to SKFS with the Username and the Signed Response (and associated metadata). Once SKFS has verified the credential’s metadata and its compliance with the security policy configured on SKFS, the credential is registered in SKFS.
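The four steps above, as an added browser-side example that is not SKFS product code. The endpoint paths, the JSON field names, the base64url helpers and the injected `postJson`/`credentials` parameters are assumptions made for illustration, not the documented SKFS API.

```javascript
// Added example (not SKFS product code): browser-side orchestration of the
// four authentication steps. Endpoint paths, field names and the injected
// transport/credentials objects are assumptions for illustration.
const b64urlToBytes = (s) =>
  Uint8Array.from(atob(s.replace(/-/g, "+").replace(/_/g, "/")), (c) => c.charCodeAt(0));
const bytesToB64url = (buf) =>
  btoa(String.fromCharCode(...new Uint8Array(buf)))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// Step 2 input: SKFS returns base64url strings, but the WebAuthn API needs
// BufferSource values for the challenge and for each allowed credential id.
function buildGetOptions(options) {
  return {
    publicKey: {
      ...options,
      challenge: b64urlToBytes(options.challenge),
      allowCredentials: (options.allowCredentials || [])
        .map((c) => ({ ...c, id: b64urlToBytes(c.id) })),
    },
  };
}

// Steps 3/4 payload: re-encode the authenticator's signed response so it can
// travel as JSON. Only the fields the server can verify are forwarded.
function packAssertion(assertion) {
  const r = assertion.response;
  return {
    id: assertion.id,
    type: assertion.type,
    response: {
      clientDataJSON: bytesToB64url(r.clientDataJSON),
      authenticatorData: bytesToB64url(r.authenticatorData),
      signature: bytesToB64url(r.signature),
      userHandle: r.userHandle ? bytesToB64url(r.userHandle) : null,
    },
  };
}

// Full flow. postJson(path, body) resolves to parsed JSON; credentials stands in
// for window.navigator.credentials. Both are injected so the flow is testable.
async function authenticateWithSkfs({ postJson, credentials }) {
  const options = await postJson("/skfs/rest/preauthenticate", {});             // step 1
  const assertion = await credentials.get(buildGetOptions(options));              // step 2
  const signed = packAssertion(assertion);
  const { username } = await postJson("/skfs/rest/verifyForUsername", signed);  // step 3
  if (!username) throw new Error("SKFS returned no username for this credential");
  const result = await postJson("/skfs/rest/authenticate", { username, ...signed }); // step 4
  return { username, result };
}
```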