How to prevent creation of multiple passkeys for 1 account?

Q: How to prevent creation of multiple passkeys for 1 account?

To prevent users from creating multiple passkeys for one account, use WebAuthn’s `excludeCredentials` parameter during registration. Additionally, implement server-side checks, provide UI feedback on existing passkeys, and offer admin controls to enforce passkey policies. Educating users on proper passkey management also helps maintain security and usability.

Vincent

Created: February 3, 2025

Updated: May 1, 2025

Read the full article

Learn about first-party / third-party passkey providers vs. passkey authentication providers & AAGUID in managing passkeys for Android, iOS and Web.

Read the full article

Read by 5,000+ security leaders.

How to Prevent Creation of Multiple Passkeys for One Account?#

In WebAuthn-based authentication, it is possible for users to create multiple passkeys for the same account across different devices or passkey providers. While this improves redundancy and accessibility, some organizations may want to restrict multiple passkey registrations to prevent confusion or enforce security policies.

Ways to Prevent Multiple Passkeys for One Account#

1. Use the `excludeCredentials` Parameter#

WebAuthn provides a built-in feature called excludeCredentials, which prevents users from registering multiple passkeys for the same account.

During passkey registration, the server checks if the user already has an existing passkey and blocks additional registrations.

Example:

{
    "challenge": "random-challenge-string",
    "rp": { "name": "Example Corp", "id": "example.com" },
    "user": { "id": "user-id", "name": "user@example.com", "displayName": "User Name" },
    "excludeCredentials": [
        {
            "id": "existing-passkey-id",
            "type": "public-key"
        }
    ],
    "authenticatorSelection": { "residentKey": "preferred" },
    "attestation": "none",
    "pubKeyCredParams": [{ "type": "public-key", "alg": -7 }]
}

2. Restrict Passkey Registration Per User#

Implement server-side validation to limit each user to a single registered passkey.
Before allowing a new passkey registration, check the user’s existing credentials in your database.

3. Provide UI Feedback on Existing Passkeys#

Inform users when they attempt to register a new passkey if one already exists.
Offer users an option to delete or replace their previous passkey.

Subscribe to our Passkeys Substack for the latest news.

4. Implement Admin Controls for Passkey Management#

Enterprise environments can enforce passkey policies through an admin panel where IT teams can limit passkey creation.

5. Educate Users on Passkey Best Practices#

Instead of blocking multiple passkeys, educate users on how to manage them properly, ensuring they have a backup passkey in case of device loss.

Conclusion#

By using WebAuthn’s `excludeCredentials* parameter, implementing server-side checks and providing user-friendly feedback, organizations can prevent the unnecessary creation of multiple passkeys for a single account while maintaining secure and seamless authentication.