In WebAuthn, the term assertion describes two things:
Firstly, an assertion is the process by which the authenticator proves, during the login phase, that it possesses the private key. Its primary function is to:
Secondly, during the login phase an assertion object is created by the authenticator and returned to the Relying Party to communicate information about the credential that was used and the validation mentioned above.
This can be seen in the process flow of the login in WebAuthn:
{
  "id": "QFPlQVypLmmx71e0tmS3IfCFky0",
  "rawId": "QFPlQVypLmmx71e0tmS3IfCFky0",
  "type": "public-key",
  "response": {
    "authenticatorData": {
      "rpIdHash": "t8DGRTBfls-BhOh2QC404...",
      "flags": {
        "userPresent": true,
        "userVerified": true,
        "backupEligible": true,
        "backupStatus": true,
        "attestedData": true,
        "extensionData": true
      },
      "counter": 0
    },
    "clientDataJSON": {
      "type": "webauthn.get",
      "challenge": "EGYtAMgi8B2Ey1FNVfVF93...",
      "origin": "https://passkeys.eu",
      "crossOrigin": false
    },
    "signature": "MEQCICx0J-G4mmL3g0TFK3uVxQN5...",
    "userHandle": "YWxleCBtdWxsZXI"
  },
  "authenticatorAttachment": "platform"
}
Continue reading for a technical breakdown of the most important attributes.
The assertion object contains many attributes. Here is a quick explanation of some selected ones:
"flags": {
  "userPresent": true,
  "userVerified": true,
  "backupEligible": true,
  "backupStatus": true,
  "attestedData": true,
  "extensionData": true
}
The flags provide important information about the authentication.
UP (userPresent): true, physical user presence was tested by the authenticator (e.g. by pressing a button or touching a key).
UV (userVerified): true, the user was verified by the authenticator, e.g. with a fingerprint scan or by entering a PIN.
Warning: Only if BOTH flags are set to true is the authentication a 2-Factor-Authentication. If only UP is set to true, the login is considered a Single-Factor-Authentication.
BE (backupEligible): true, the credential can be backed up (e.g. in iCloud Keychain) and thus be made available on another authenticator.
BS (backupStatus): true, the credential is currently backed up (e.g. in iCloud Keychain) and thus could be available on another authenticator (e.g. one with access to the same iCloud Keychain).
Possible Combinations and their meanings are:
"clientDataJSON": {
  "type": "webauthn.get",
  "challenge": "AAABeB78HrIemh1jTdJICr_3QG_RMOhp",
  "origin": "https://passkeys.eu",
  "crossOrigin": false
}
Read more about clientDataJSON in the respective glossary article.
{ "signature": "MEQCICx0J-G4mmL3g0TFK3uVxQN5..." }
The signature is used to verify that the user trying to log in actually holds the private key. It is created by concatenating the authenticatorData and the clientDataHash (i.e. the SHA-256 hash of clientDataJSON) and signing the result with the private key (inside the authenticator). To verify with the public key, the Relying Party concatenates authenticatorData and clientDataHash in the same way and checks the signature over that data. If the verification returns true, the authentication is successful.