FYI, BioGazelle has a robust WebAuthn/FIDO2 implementation. I'll link the backend library documentation, the frontend library documentation, and the source for the various files:
Basically, the main components are the base class (common implementation) and a couple of small classes to store and retrieve credentials in the database (specific implementations). Then there's some JavaScript that hits your API to interact with the backend classes, do the handshakes, and communicate the results to the user.
Depending on where you decide to call `webAuthnAssert.js` in your login flow, you can use WebAuthn either as passwordless single-factor authentication or as multi-factor authentication with or without TOTP. I'm using the passwordless option to limit logins to one request.
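
Added example, not part of the original post and not BioGazelle's code: a sketch of the checks a backend runs on an assertion before verifying its signature, showing how the passwordless and second-factor placements can differ in what they require from the authenticator. The function names, the `mode` values, the `example.test` relying party and the policy of requiring the user-verified flag only in passwordless mode are assumptions; the sample data is constructed.

```javascript
// Hypothetical server-side pre-checks for a WebAuthn assertion (Node.js).
const { createHash } = require("crypto");

const FLAG_UP = 0x01; // authenticator data flag: user present
const FLAG_UV = 0x04; // authenticator data flag: user verified (PIN/biometric)

// mode: "passwordless" (WebAuthn is the only factor) or "second-factor".
function checkAssertion({ clientDataJSON, authenticatorData }, expected, mode) {
  const client = JSON.parse(clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong ceremony type";
  if (client.challenge !== expected.challenge) return "challenge mismatch";
  if (client.origin !== expected.origin) return "origin mismatch";

  // Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)
  if (authenticatorData.length < 37) return "authenticator data too short";
  const rpIdHash = createHash("sha256").update(expected.rpId).digest();
  if (!rpIdHash.equals(authenticatorData.subarray(0, 32))) return "rpId hash mismatch";

  const flags = authenticatorData[32];
  if (!(flags & FLAG_UP)) return "user not present";
  // Assumed policy: with no password or TOTP step, insist on user verification.
  if (mode === "passwordless" && !(flags & FLAG_UV)) return "user verification required";

  // A counter that fails to increase suggests a cloned authenticator.
  const signCount = authenticatorData.readUInt32BE(33);
  const stored = expected.storedSignCount;
  if ((signCount !== 0 || stored !== 0) && signCount <= stored)
    return "signature counter did not increase";
  return "ok"; // next step: verify the signature with the stored public key
}

// Constructed sample assertion for the assumed relying party "example.test".
function sampleAssertion(flags, signCount) {
  const authData = Buffer.alloc(37);
  createHash("sha256").update("example.test").digest().copy(authData, 0);
  authData[32] = flags;
  authData.writeUInt32BE(signCount, 33);
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get",
    challenge: "Y29uc3RydWN0ZWQtY2hhbGxlbmdl",
    origin: "https://example.test",
  }));
  return { clientDataJSON, authenticatorData: authData };
}

const EXPECTED = {
  challenge: "Y29uc3RydWN0ZWQtY2hhbGxlbmdl", origin: "https://example.test",
  rpId: "example.test", storedSignCount: 7,
};
console.log(checkAssertion(sampleAssertion(FLAG_UP, 8), EXPECTED, "passwordless"));
```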