Registering a user’s FIDO credential is handled in three (3) steps:
In the first step after a user submits her registration, a preregister() webservice request is sent to SKFS; this returns a challenge and other directives/hints (inside PublicKeyCredentialCreationOptions) to serve as input to the WebAuthn API built into browsers:
In the second step, the challenge (and other directives/hints) are passed in to the browser’s WebAuthn API – specifically, the window.navigator.credentials.create method – to interact with the FIDO Authenticator to get a newly generated credential:
In the third and final step, a register() webservice is sent to SKFS with the newly generated FIDO credential (and associated metadata). When SKFS has verified the credential’s metadata and its compliance with the security policy configured on SKFS, the credential is registered in SKFS: