In WebAuthn-based authentication, it is possible for users to create multiple passkeys for the same account across different devices or passkey providers. While this improves redundancy and accessibility, some organizations may want to restrict multiple passkey registrations to prevent confusion or enforce security policies.
excludeCredentials Parameter

WebAuthn provides a built-in feature called `excludeCredentials`. The relying party lists the credential IDs the account already has, and an authenticator that already holds one of the listed credentials refuses to create another, so the user cannot register a second passkey for the same account on that authenticator.

During passkey registration, the server checks whether the user already has an existing passkey, populates `excludeCredentials` with its ID, and blocks additional registrations.
Example:

```json
{
  "challenge": "random-challenge-string",
  "rp": { "name": "Example Corp", "id": "example.com" },
  "user": {
    "id": "user-id",
    "name": "user@example.com",
    "displayName": "User Name"
  },
  "excludeCredentials": [
    { "id": "existing-passkey-id", "type": "public-key" }
  ],
  "authenticatorSelection": { "residentKey": "preferred" },
  "attestation": "none",
  "pubKeyCredParams": [{ "type": "public-key", "alg": -7 }]
}
```
Enterprise environments can enforce passkey policies through an admin panel where IT teams can limit passkey creation.
Instead of blocking multiple passkeys, educate users on how to manage them properly, ensuring they have a backup passkey in case of device loss.
By using WebAuthn’s `excludeCredentials` parameter, implementing server-side checks and providing user-friendly feedback, organizations can prevent the unnecessary creation of multiple passkeys for a single account while maintaining secure and seamless authentication.