makeCredential method

Creates a Web Authentication credential for the user.

Warning  The current Microsoft Edge implementation is based on an earlier draft of the Web Authentication specification and is likely to change in the future. Consider using the Webauthn.js polyfill, so you can code to the current spec instead of the in-progress Microsoft implementation.

Syntax

var retval = MSCredentials.makeCredential(accountInfo, cryptoParams, challenge);

Parameters

  • accountInfo
    Type: MSAccountInfo

    User identifier information for the site

    dictionary MSAccountInfo
    {
        required DOMString rpDisplayName;   // Name of relying party, e.g., "Contoso"
        required DOMString userDisplayName; // Name of user account in relying party, e.g., "John Doe"
        DOMString accountName;              // Detailed name of account, e.g., "johndoe@contoso.com"
        DOMString userId;                   // Account identifier, e.g., "joed"
        DOMString accountImageUri;          // User's account image
    };
    
  • cryptoParams
    Type: sequence<MSCredentialParameters>

    Specifies the desired crypto algorithm to use

    dictionary MSCredentialParameters
    {
        MSCredentialType type; // "FIDO_2_0"
        (DOMString or Algorithm) algorithm; // E.g., "RSASSA-PKCS1-v1_5"
    };
    
  • challenge [optional]
    Type: DOMString

    When supplied, the authenticator produces an attestation statement that tells the server which security measures it implements for its credentials

Return value

Type: Promise<MSAssertion>

Object containing information on the credential ID, crypto algorithm, public key, and the attestation challenge. The credential ID is used to identify the public/private key pair. Send this information back to the server so it can validate future authentications.

Example

var accountInfo = {
    rpDisplayName: 'Contoso',     // Name of relying party
    userDisplayName: 'John Doe'   // Name of user account
};

var cryptoParameters = [
    {
        type: 'FIDO_2_0',
        algorithm: 'RSASSA-PKCS1-v1_5'
    }
];

window.msCredentials.makeCredential(accountInfo, cryptoParameters)
    .then(function (cred) {
        // If the promise succeeds, send credential information to the server
        // (sendToServer is the site's own function for posting to its back end)
        sendToServer({
            credential: {type: "FIDO", id: cred.id},
            algorithm: cred.algorithm,
            publicKey: JSON.parse(cred.publicKey),
            attestation: cred.attestation
        });
    })
    .catch(function (err) {
        // The user declined the Windows Hello prompt, or the call failed
        console.error('makeCredential failed:', err);
    });

Remarks

When you use the makeCredential method, Microsoft Edge will first ask Windows Hello to use face or fingerprint identification to verify that the user is the same user as the one logged into the Windows account. Once this step is completed, Microsoft Passport will generate a public/private key pair and store the private key in the Trusted Platform Module (TPM), the dedicated crypto processor hardware used to store credentials. If the user doesn’t have a TPM enabled device, these keys will be stored in software. These credentials are created per origin, per Windows account, and will not be roamed because they are tied to the device. This means that you’ll need to make sure the user registers to use Windows Hello for every device they use.

Before registering the credential to a user on your server, you will need to confirm the identity of the user. This can be done by sending the user an email confirmation or asking them to use their traditional login method.
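The server-side counterpart to the client snippet above, as an added example that is not part of the Microsoft documentation: a registration handler that refuses to bind a key until the user's identity has been confirmed, checks the shape of the payload the client posts with sendToServer, and keeps several credentials per user, since keys are per device and are not roamed. The session object, the in-memory store, and the assumption that the parsed publicKey is an RSA JWK are ours, not part of the Edge API.

```javascript
// Added example (not Microsoft's code). Node.js, no framework required.
const SUPPORTED_ALGORITHMS = new Set(['RSASSA-PKCS1-v1_5']); // algorithms our server can verify

// One user may hold several credentials: each Windows Hello key is per origin and per device.
const credentialStore = new Map(); // userId -> Map(credentialId -> record)

// Returns null when the body matches what the client-side example posts, else a reason string.
function validateRegistration(body) {
  if (!body || typeof body !== 'object') return 'payload must be an object';
  const { credential, algorithm, publicKey, attestation } = body;
  if (!credential || credential.type !== 'FIDO' ||
      typeof credential.id !== 'string' || credential.id === '') {
    return 'credential must be {type: "FIDO", id: <non-empty string>}';
  }
  if (!SUPPORTED_ALGORITHMS.has(algorithm)) return 'unsupported algorithm: ' + algorithm;
  // Assumption: the client's JSON.parse(cred.publicKey) yields a JWK; require an RSA key.
  if (!publicKey || publicKey.kty !== 'RSA' ||
      typeof publicKey.n !== 'string' || typeof publicKey.e !== 'string') {
    return 'publicKey must be an RSA JWK with n and e';
  }
  if (attestation === undefined) return 'attestation is required';
  return null;
}

// session: { userId, identityConfirmed } set by our own e-mail confirmation or password login.
function registerCredential(session, body) {
  if (!session || !session.userId || session.identityConfirmed !== true) {
    return { ok: false, status: 403, error: 'user identity not confirmed' };
  }
  const problem = validateRegistration(body);
  if (problem) return { ok: false, status: 400, error: problem };

  const userCreds = credentialStore.get(session.userId) || new Map();
  if (userCreds.has(body.credential.id)) {
    return { ok: false, status: 409, error: 'credential id already registered' };
  }
  userCreds.set(body.credential.id, {
    algorithm: body.algorithm,
    publicKey: body.publicKey,
    attestation: body.attestation,
    registeredAt: Date.now(),
  });
  credentialStore.set(session.userId, userCreds);
  return { ok: true, status: 201, credentialCount: userCreds.size };
}
```

A second device registering for the same user simply adds another entry under that userId, which is what the per-device key model in the Remarks requires.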