Vincent
Created: February 3, 2025
Updated: May 1, 2025
Learn about first-party / third-party passkey providers vs. passkey authentication providers & AAGUID in managing passkeys for Android, iOS and Web.
Read the full articleRead by 5,000+ security leaders.
In WebAuthn-based authentication, it is possible for users to create multiple passkeys for the same account across different devices or passkey providers. While this improves redundancy and accessibility, some organizations may want to restrict multiple passkey registrations to prevent confusion or enforce security policies.
excludeCredentials
Parameter#WebAuthn provides a built-in feature called excludeCredentials
, which prevents users
from registering multiple passkeys for the same account.
During passkey registration, the server checks if the user already has an existing passkey and blocks additional registrations.
Example:
{ "challenge": "random-challenge-string", "rp": { "name": "Example Corp", "id": "example.com" }, "user": { "id": "user-id", "name": "user@example.com", "displayName": "User Name" }, "excludeCredentials": [ { "id": "existing-passkey-id", "type": "public-key" } ], "authenticatorSelection": { "residentKey": "preferred" }, "attestation": "none", "pubKeyCredParams": [{ "type": "public-key", "alg": -7 }] }
Enterprise environments can enforce passkey policies through an admin panel where IT teams can limit passkey creation.
Instead of blocking multiple passkeys, educate users on how to manage them properly, ensuring they have a backup passkey in case of device loss.
By using WebAuthn’s `excludeCredentials* parameter, implementing server-side checks and providing user-friendly feedback, organizations can prevent the unnecessary creation of multiple passkeys for a single account while maintaining secure and seamless authentication.
Learn about first-party / third-party passkey providers vs. passkey authentication providers & AAGUID in managing passkeys for Android, iOS and Web.
Read the full articleRead by 5,000+ security leaders.
Enjoyed this read?
🤝 Join our Passkeys Community
Share passkeys implementation tips and get support to free the world from passwords.
🚀 Subscribe to Substack
Get the latest news, strategies, and insights about passkeys sent straight to your inbox.