From sgcWebSockets 2025.4.0 Enterprise, the WebAuthn Protocol is supported (currently in BETA).
WebAuthn (Web Authentication) is a web standard developed by the World Wide Web Consortium (W3C) and FIDO Alliance to enable secure, passwordless authentication on the web. It is part of the broader FIDO2 framework and aims to reduce reliance on traditional passwords, which are often vulnerable to phishing, credential stuffing, and other attacks.
At its core, WebAuthn allows users to authenticate using public-key cryptography. Instead of a username and password, users register a unique public-private key pair with a web application (the Relying Party). The private key is securely stored on an authenticator—such as a hardware security key, smartphone, or built-in biometric device—while the public key is stored on the server.
During authentication, the server issues a challenge that must be signed by the user's private key. The signed challenge is returned and verified using the stored public key, ensuring both the integrity and origin of the response. This approach prevents credentials from being intercepted or reused.
WebAuthn supports a range of authenticators and devices, making it flexible for both developers and users. It also enables multi-factor authentication (MFA) when combined with other factors like PINs or biometrics, significantly improving security without sacrificing usability.
During registration the authenticator returns an attestation object, and the attestation format defines how that data is structured and how the server verifies it. Commonly used formats are packed, android-key, fido-u2f, apple and none; note that the none format carries no proof of which authenticator produced the credential, so a server that needs to know the authenticator's make or model must require a format with a verifiable attestation statement. By default all attestation formats are enabled; the list of supported attestation formats follows:
Find below a simple configuration of the WebAuthn Server:
```pascal
// ... create the servers
HTTPServer := TsgcWebSocketHTTPServer.Create(nil);
WebAuthnServer := TsgcWSAPIServer_WebAuthn.Create(nil);
WebAuthnServer.Server := HTTPServer;

// ... enable the test endpoints (for development only; disable in production)
WebAuthnServer.EndpointsOptions.Test.Enabled := True;

// ... WebAuthn options: the Relying Party ID must match the effective domain
// of the origin the browser loads the page from
WebAuthnServer.WebAuthnOptions.RelyingParty := 'localhost';

// ... bindings (WebAuthn requires a secure context, so the server listens on TLS)
HTTPServer.Port := 443;
HTTPServer.SSLOptions.Port := 443;
HTTPServer.Bindings.Clear;
with HTTPServer.Bindings.Add do
begin
  Port := 443;
  IP := '127.0.0.1';
end;
HTTPServer.SSLOptions.Certificate := 'sgc.pem';
HTTPServer.SSLOptions.KeyFile := 'sgc.pem';
HTTPServer.SSL := True;

// ... activate
HTTPServer.Active := True;
```
The following Delphi WebAuthn Demo shows how to register a new credential and then use it to authenticate the user.