I went in some details about the webauthn protocol in order to achieve passwordless authentication.
IMHO, the most common case would still be registering and signing in users using their email. For this use case, the flow would look like follows.
Of course, you could also skip the email registration and let the user just pick some username. Perhaps some people would even be more comfortable for privacy reasons. On one hand, this makes registration even easier since you skip the email sending step. On the other hand you have to think about ways to recover the account in case of device loss, and since you don not possess the email, must think of some alternative, like discussed in my previous article.
Once you stored the public key, you can directly authenticate users. This is pretty straightforward.
I am tempted to build a demo using spring boot showing a minimal working example, perhaps even including some recovery options or ways to add multiple devices. If you have interest in this, please leave a message. After all, writing code if nobody even cares sounds kind of dull.
Thanks for reading.