What is the relay server ?

Question

Created Jun ’22

Replies 1

Boosts 0

Views 1.2k

Participants 3

When logging into the website from a Mac using passkey from a nearby device, the session said a local connection will be constructed and both the device will connect to a relay server.

First, the client shows a QR code, which the authenticator scans. This QR code contains a URL that encodes a pair of single-use encryption keys. Then, the authenticator produces a Bluetooth advertisement containing routing information for a network relay server. This local exchange allows selecting a server and sharing routing information, but also serves two additional functions.

Once the local exchange and key agreement have happened, the two devices connect to a relay server picked by the phone. From there, they perform a standard FIDO CTAP operation, which is encrypted using the keys from earlier, so the relay server can't see anything that's going on.

My question is what the relay server actually is? Is it the web browser or a server running on the nearby device?

Boost

Answer 1

Systems Engineer OP

Apple

Jun ’22

The relay server is an external web server picked by the authenticator, which "relays" messages between the authenticator (the device that scanned the QR code, such as a phone) and the client (the device showing the QR code, such as a web browser on a computer). The BLE advertisement produced by the authenticator contains the address and routing information for the relay server, so the client knows where to connect. When the authenticator is an iPhone or iPad, the relay server is an Apple server. Everything going over the network is end-to-end encrypted using the keys exchanged between the QR code and the BLE advertisement, so the relay server can't read any traffic going through it.

1