Wednesday, April 24, 2019

Security: WebAuthn what?

This:

https://www.w3.org/TR/webauthn/

Quoting:
"The below use case scenarios illustrate use of two very different types of authenticators, as well as outline further scenarios. Additional scenarios, including sample code, are given later in §12 Sample Scenarios.

1.2.1. Registration

On a phone:

User navigates to example.com in a browser and signs in to an existing account using whatever method they have been using (possibly a legacy method such as a password), or creates a new account.

The phone prompts, "Do you want to register this device with example.com?"

User agrees.

The phone prompts the user for a previously configured authorization gesture (PIN, biometric, etc.); the user provides this.

Website shows message, "Registration complete."

1.2.2. Authentication

On a laptop or desktop:

User pairs their phone with the laptop or desktop via Bluetooth.

User navigates to example.com in a browser and initiates signing in.

User gets a message from the browser, "Please complete this action on your phone."

Next, on their phone:

User sees a discrete prompt or notification, "Sign in to example.com."

User selects this prompt / notification.

User is shown a list of their example.com identities, e.g., "Sign in as Alice / Sign in as Bob."

User picks an identity, is prompted for an authorization gesture (PIN, biometric, etc.) and provides this.

Now, back on the laptop:

Web page shows that the selected user is signed in, and navigates to the signed-in page. (...)"