

getAssertion method

Authenticates the user using Windows Hello

Warning  The current Microsoft Edge implementation is based on an earlier draft of the Web Authentication specification and is likely to change in the future. Consider using the Webauthn.js polyfill, so you can code to the current spec instead of the in-progress Microsoft implementation.


Example usage:

var challenge = getChallengefromServer();   // Server will send challenge
var id = getCredentialIDFromLocalStorage(); // Pull ID from local storage

var filters = {
    accept: [{
        type: 'FIDO_2_0',
        id: id
    }]
};

window.msCredentials.getAssertion(challenge, filters)
    .then(function(assertion) {
        // Send signed challenge and metadata to server
        sendToServer({
            credential: {type: 'FIDO', id: assertion.id},
            clientData: assertion.signature.clientData,
            authnrData: assertion.signature.authnrData,
            signature: assertion.signature.signature
        });
    });

Syntax

var retval = MSCredentials.getAssertion(challenge, filters);

Parameters

  • challenge
    Type: DOMString

    The randomly generated challenge that the server sends down to the client

  • filters
    Type: MSCredentialFilter

    An allow list of credential ID information for locating the correct private key. Note that the accept object is required for the filters parameter.

    var filters = {
        accept: [{
            type: 'FIDO_2_0',
            id: id
        }]
    };

Return value

Type: Promise<MSAssertion>

Object containing the signature and other metadata to be sent to the server

window.msCredentials.getAssertion(challenge, filters)
    .then(function(assertion) {
        // Send signed challenge and metadata to server
        sendToServer({
            credential: {type: 'FIDO', id: assertion.id},
            clientData: assertion.signature.clientData,
            authnrData: assertion.signature.authnrData,
            signature: assertion.signature.signature
        });
    });

Remarks

The Microsoft Edge implementation currently requires the credential ID and does not yet support the account picker experience. Thus, for the passwordless case, you’ll need to store your credential ID information in local storage on the client, in either IndexedDB or localStorage, when making your credential. If a user deletes their browsing history, including local storage, they will need to re-register to use Windows Hello the next time they log in.

Once the getAssertion call is made, Microsoft Edge will show the Windows Hello prompt, which will verify the identity of the user using biometrics. After the user is verified, the challenge will be signed within the TPM and the promise will resolve with an MSAssertion object to be sent to the server.
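The client-side flow the two remarks above describe, written out as an added example (not code from the original page or from Microsoft): the credential ID is saved at registration, looked up before getAssertion, and the missing-ID case (browsing data cleared) is reported as "re-registration required" instead of failing inside the Windows Hello prompt. The credentials object and the storage object are injected parameters, assumed to have the same shape as window.msCredentials and localStorage respectively, so the helper can be exercised outside Microsoft Edge; the storage key name is an assumption.

```javascript
// Added example: client-side helper around getAssertion. `credentials` is
// assumed to expose getAssertion(challenge, filters) like window.msCredentials;
// `storage` is assumed to expose getItem/setItem like localStorage.
const CREDENTIAL_ID_KEY = 'windowsHelloCredentialId'; // assumed storage key

// Build the MSCredentialFilter allow list from a stored credential ID.
function buildFilters(id) {
  return { accept: [{ type: 'FIDO_2_0', id: id }] };
}

// Save the credential ID at registration time; the page notes that the client
// must keep it because the account picker is not supported yet.
function rememberCredentialId(storage, id) {
  storage.setItem(CREDENTIAL_ID_KEY, id);
}

// Returns null when the ID is gone (for example the user cleared browsing
// data), which means the user has to re-register before signing in.
function loadCredentialId(storage) {
  const id = storage.getItem(CREDENTIAL_ID_KEY);
  return id ? id : null;
}

// Ask the authenticator to sign the server challenge and shape the payload the
// server needs: credential reference, clientData, authnrData and signature.
function signChallenge(credentials, storage, challenge) {
  const id = loadCredentialId(storage);
  if (id === null) {
    return Promise.reject(new Error('no stored credential ID; re-registration required'));
  }
  return credentials.getAssertion(challenge, buildFilters(id)).then(function (assertion) {
    return {
      credential: { type: 'FIDO', id: assertion.id },
      clientData: assertion.signature.clientData,
      authnrData: assertion.signature.authnrData,
      signature: assertion.signature.signature
    };
  });
}

// Usage in Microsoft Edge (guarded so the file also loads where the API is absent).
if (typeof window !== 'undefined' && window.msCredentials && window.localStorage) {
  signChallenge(window.msCredentials, window.localStorage, 'challenge-from-server')
    .then(function (payload) { /* POST payload to the server */ })
    .catch(function (err) { /* prompt the user to register again */ });
}
```

Rejecting before calling getAssertion when no ID is stored keeps the user out of a Windows Hello prompt that cannot succeed, and gives the page a single place to route the user to registration.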

Once you receive the assertion on the server, you will need to validate the signature. For more info, see the C#, PHP and Node.js samples.

See also

MSCredentials