Is it possible to combine registration and authentication into a single step?

[comountainclimber]

Just wondering if there is some way I combine registration and authentication such that the user does not have to log in after registering, hopefully this question is clear

[spendres]

The passkey the user created during registration only exists on the user's device. So it's possible that the registration ceremony is interrupted before the passkey is stored in the user's keychain. Requiring the authentication step after registration ensures that the registration process was competed successfully. Remember, the "password" is no longer stored on the server. Authentication cannot happen without a passkey presented by the user, and you don't have the passkey on the server ever, even after registration.

[comountainclimber]

@spendres thanks for getting back to me, I have seen multiple demos seemingly combine these steps such as https://www.passkeys.io/

Is this demo just making an assumption that the authentication with this pass key will succeed in the future?

I cant seem to figure out how this is being done especially after given your answer, I also cant find any explanation in the docs https://simplewebauthn.dev/docs/packages/browser

If there is no way to ensure this its kind of a bizarre UX as the user needs to provide confirmation twice, back to back:

[Maronato]

I may be mistaken, but "authentication" here is just the server knowing that the user is who they say they are, and knowing that the user wants to start a new session.

With that, all the server needs to "authenticate" and start a new session is provided during the passkey registration flow.

So the solution to your issue is for the server to respond the "verify registration" request with a session, just as it would with the authentication request. Then, the browser never actually initiates the authentication flow for this user and just logs them in after registering.