In FIDO2, it is the web application’s (service provider application’s) job to determine when to request a challenge for a FIDO2 workflow. At a bare minimum, the service provider must provide a method for new registrations and authentication (login) attempts.

For visualization purposes, these workflows will be associated with similar password-based workflows. This is not done to imply that FIDO2 workflows can be used as drop-in replacements for password workflows (e.g., a “change password” workflow does not have a clear FIDO2 equivalent), but rather to help in understanding the workflows.

Sample code is from StrongKey’s Basic Java Sample Application.