---
url: 'https://www.corbado.com/blog/webauthn-server-options-overview'
title: 'WebAuthn Server Options: Overview of Early Adopters'
description: 'Explore the WebAuthn server options overview of early adopters to see configurations for passkey / WebAuthn creation and authentication ceremonies.'
lang: 'en'
author: 'Vincent'
date: '2024-07-09T14:29:58.769Z'
lastModified: '2026-03-25T10:00:35.846Z'
keywords: 'webauthn server example, webauthn server options, server webauthn fido2, webauthn server request, webauthn server registration, webauthn server response, webauthn server side, fido2 server configuration, fido2 server key settings, fido2 server key test'
category: 'WebAuthn Know-How'
---

# WebAuthn Server Options: Overview of Early Adopters

## Key Facts

- **PublicKeyCredentialCreationOptions** and **PublicKeyCredentialRequestOptions** are the
  two core WebAuthn server option types: the first governs credential creation, the second
  controls authentication assertion generation.
- Nearly all surveyed companies include **ES256** (alg: -7) and **RS256** (alg: -257) as
  base algorithms; Binance and eBay extend their pubKeyCredParams lists to 10-12 entries
  for broader authenticator compatibility.
- **residentKey** configuration varies widely: Google, Amazon and Stripe set 'required'
  while Binance, eBay and Finom use 'discouraged', forgoing discoverable credential
  storage entirely.
- **attestation: direct** is recommended to capture authenticator AAGUIDs for UX
  improvements; companies like GitHub, KAYAK and Shopify opt for 'none' instead.
- None of the surveyed implementations sets a **timeout** value in their WebAuthn options,
  leaving timeout behavior to browser defaults across all platforms analyzed.

## 1. Introduction: WebAuthn Server Options

As more organizations recognize the benefits of passkeys, implementing a WebAuthn server
has become a critical component of their authentication strategies.

This article explores the WebAuthn server options, focusing on
[PublicKeyCredentialCreationOptions](https://www.corbado.com/glossary/publickeycredentialcreationoptions) and
[PublicKeyCredentialRequestOptions](https://www.corbado.com/glossary/publickeycredentialrequestoptions). By
understanding how large tech companies like Google, [Binance](https://www.corbado.com/blog/binance-passkeys) or
[Revolut](https://www.corbado.com/blog/revolut-passkeys) have implemented their WebAuthn servers, developers and
product managers can learn from these best practices for their own passkey integrations.

## 2. Understanding WebAuthn Server Options

To effectively implement passkeys, it’s essential to grasp the core WebAuthn server
options:

- **PublicKeyCredentialCreationOptions**: These options are crucial for credential
  creation during the setup of passkeys.
- **PublicKeyCredentialRequestOptions**: These options come into play during the
  authentication process, defining the parameters for [assertion](https://www.corbado.com/glossary/assertion)
  generation.

## 3. Overview of Public Key Credential Creation Options

The following table gives an overview of the best practices of large tech companies,
showing how they have defined their
[PublicKeyCredentialCreationOptions](https://www.corbado.com/glossary/publickeycredentialcreationoptions).

|             | **rp**                                                    | **user**                                                                                                                            | **challenge** | **pubKeyCredParams**                                                                                                                                                                                                                                                                                                                                                                | **timeout** | **excludeCredentials**                                                        | **authenticatorSelection**                                                                     | **attestation** | **extensions**                                                                                                               |
| ----------- | --------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- | ------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | ----------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- | --------------- | ---------------------------------------------------------------------------------------------------------------------------- |
| KAYAK       | id: [www.kayak.den](http://www.kayak.den)<br/>name: KAYAK | displayName: [user@corbado.com](mailto:user@corbado.com)<br/>id: UjRD...NTOD0<br/>name: [user@corbado.com](mailto:user@corbado.com) | ✔️            | alg: -7, type: public-key<br />alg: -257, type: public-key                                                                                                                                                                                                                                                                                                                          | n/a         | n/a                                                                           | residentKey: required<br />userVerification: preferred                                         | none            | n/a                                                                                                                          |
| eBay        | id: ebay.de<br/>name: ebay.de                             | displayName: [user@corbado.com](mailto:user@corbado.com)<br/>id: dm9y...NxY2U<br/>name: [user@corbado.com](mailto:user@corbado.com) | ✔️            | alg: -7, type: public-key<br />alg: -35, type: public-key<br />alg: -36, type: public-key<br />alg: -257, type: public-key<br />alg: -258, type: public-key<br />alg: -259, type: public-key<br />alg: -37, type: public-key<br />alg: -38, type: public-key<br />alg: -39, type: public-key<br />alg: -1, type: public-key | n/a         | n/a                                                                           | residentKey: discouraged<br />userVerification: required                                       | direct          | n/a                                                                                                                          |
| Shopify     | id: accounts.shopify.com<br/>name: Shopify                | displayName: [user@corbado.com](mailto:user@corbado.com)<br/>id: Mzc3...jYzcw<br/>name: [user@corbado.com](mailto:user@corbado.com) | ✔️            | alg: -7, type: public-key<br />alg: -37, type: public-key<br />alg: -257, type: public-key                                                                                                                                                                                                                                                                                          | n/a         | n/a                                                                           | residentKey: required<br />userVerification: preferred                                         | none            | n/a                                                                                                                          |
| GitHub      | id: github.com<br/>name: GitHub                           | displayName: user<br/>id: ooqg...OWeyA<br/>name: user                                                                               | ✔️            | alg: -7, type: public-key<br />alg: -257, type: public-key                                                                                                                                                                                                                                                                                                                          | n/a         | id: ✔️<br />transports: internal<br />type: public-key                        | residentKey: required<br />userVerification:<br />preferred                                    | none            | appIdExclude: [https://github.com/u2f/trusted_facets](https://github.com/u2f/trusted_facets) <br />credProps: true           |
| Adobe       | id: adobe.com<br/>name: adobe.com                         | displayName: [user@corbado.com](mailto:user@corbado.com)<br/>id: amFu...LmRl<br/>name: [user@corbado.com](mailto:user@corbado.com)  | ✔️            | alg: -7, type: public-key<br />alg: -35, type: public-key<br />alg: -36, type: public-key<br />alg: -257, type: public-key                                                                                                                                                                                                                                                          | n/a         | n/a                                                                           | residentKey: preferred<br />userVerification: preferred                                        | direct          | credProps: true                                                                                                              |
| Google      | id: google.com<br/>name: Google                           | displayName: [user@corbado.com](mailto:user@corbado.com)<br/>id: R09P...3Mjc2<br/>name: [user@corbado.com](mailto:user@corbado.com) | ✔️            | alg: -7, type: public-key<br />alg: -257, type: public-key                                                                                                                                                                                                                                                                                                                          | n/a         | id: ✔️<br />transports: usb, nfc, ble, hybrid, internal<br />type: public-key | authenticatorAttachment: platform<br />residentKey: preferred<br />userVerification: preferred | direct          | appIdExclude: [https://www.gstatic.com/securitykey/origins.json](https://www.gstatic.com/securitykey/origins.json)           |
| Vercel      | id: vercel.com<br/>name: Vercel                           | displayName: user-corbadocom<br/>id: MVVv...Q293<br/>name: user-corbadocom                                                          | ✔️            | alg: -7, type: public-key<br/>alg: -257, type: public-key                                                                                                                                                                                                                                                                                                                           | n/a         | n/a                                                                           | residentKey: required <br />userVerification: preferred                                        | none            | credProps: true                                                                                                              |
| Amazon      | id: amazon.com<br/>name: Amazon                           | displayName: user<br/>id: OTI5...M2OA<br/>name: [user@corbado.com](mailto:user@corbado.com)                                         | ✔️            | alg: -7, type: public-key                                                                                                                                                                                                                                                                                                                                                           | n/a         | n/a                                                                           | residentKey: required<br />userVerification: preferred                                         | direct          | n/a                                                                                                                          |
| Binance     | id: binance.com<br/>name: Binance                         | displayName: Chrome V125.0.0.0 (Mac OS)<br/>id: OTA2...ODIz<br/>name: [user@corbado.com](mailto:user@corbado.com)                   | ✔️            | alg: -65535, type: public-key<br/>alg: -257, type: public-key<br/>alg: -258, type: public-key<br/>alg: -259, type: public-key<br/>alg: -37, type: public-key<br/>alg: -38, type: public-key<br/>alg: -39, type: public-key<br/>alg: -7, type: public-key<br/>alg: -35, type: public-key<br/>alg: -36, type: public-key<br/>alg: -8, type: public-key<br/>alg: -43, type: public-key | n/a         | n/a                                                                           | residentKey: discouraged<br/>userVerification: preferred                                       | direct          | credProps: true                                                                                                              |
| Best Buy    | id: bestbuy.com<br/>name: Best Buy                        | displayName: user<br/>id: MTE4...NDA1<br/>name: [user@corbado.com](mailto:user@corbado.com)                                         | ✔️            | alg: -7, type: public-key<br/>alg: -257, type: public-key                                                                                                                                                                                                                                                                                                                           | n/a         | n/a                                                                           | authenticatorAttachment: platform<br/>residentKey: required<br/>userVerification: required     | none            | n/a                                                                                                                          |
| Coinbase    | id: coinbase.com<br/>name: Coinbase                       | displayName: user<br/>id: MDVm...ZDg4<br/>name: [user@corbado.com](mailto:user@corbado.com)                                         | ✔️            | alg: -7, type: public-key<br/>alg: -257, type: public-key<br/>alg: -65535, type: public-key                                                                                                                                                                                                                                                                                         | n/a         | n/a                                                                           | residentKey: preferred<br/>userVerification: preferred                                         | direct          | credProps: true                                                                                                              |
| Finom       | id: app.finom.co<br/>name: app.finom.co                   | displayName: user<br/>id: amFu...LmRl<br/>name: [user@corbado.com](mailto:user@corbado.com)                                         | ✔️            | alg: -7, type: public-key<br/>alg: -257, type: public-key<br/>alg: -37, type: public-key<br/>alg: -35, type: public-key<br/>alg: -258, type: public-key<br/>alg: -38, type: public-key<br/>alg: -36, type: public-key<br/>alg: -259, type: public-key<br/>alg: -39, type: public-key<br/>alg: -8, type: public-key                                                                  | n/a         | n/a                                                                           | residentKey: discouraged<br/>userVerification: required                                        | direct          | n/a                                                                                                                          |
| Microsoft   | id: login.microsoft.com<br/>name: Microsoft               | displayName: user<br/>id: TUY6...k61Y<br/>name: [user@corbado.com](mailto:user@corbado.com)                                         | ✔️            | alg: -7, type: public-key<br/>alg: -257, type: public-key                                                                                                                                                                                                                                                                                                                           | n/a         | n/a                                                                           | residentKey: required<br/>userVerification: required                                           | direct          | credentialProtectionPolicy: userVerificationOptional<br/>enforceCredentialProtectionPolicy: false<br/>hmacCreateSecret: true |
| Nintendo    | id: accounts.nintendo.com<br/>name: Nintendo Account      | displayName: user<br/>id: OTE4...ExNg<br/>name: [user@corbado.com](mailto:user@corbado.com)                                         | ✔️            | alg: -7, type: public-key<br/>alg: -35, type: public-key<br/>alg: -36, type: public-key<br/>alg: -8, type: public-key                                                                                                                                                                                                                                                               | n/a         | n/a                                                                           | authenticatorAttachment: platform<br/>residentKey: required<br/>userVerification: required     | none            | n/a                                                                                                                          |
| PlayStation | id: my.account.sony.com<br/>name: Sony                    | displayName: [user@corbado.com](mailto:user@corbado.com)<br/>id: dUZM...omeM<br/>name: [user@corbado.com](mailto:user@corbado.com)  | ✔️            | alg: -7, type: public-key<br/>alg: -37, type: public-key<br/>alg: -257, type: public-key                                                                                                                                                                                                                                                                                            | n/a         | n/a                                                                           | residentKey: preferred<br/>userVerification: preferred                                         | none            | n/a                                                                                                                          |
| Stripe      | id: stripe.com<br/>name: Stripe Dashboard                 | displayName: [user@corbado.com](mailto:user@corbado.com)<br/>id: dXNy...VGVm<br/>name: [user@corbado.com](mailto:user@corbado.com)  | ✔️            | alg: -7, type: public-key<br/>alg: -37, type: public-key<br/>alg: -257, type: public-key                                                                                                                                                                                                                                                                                            | n/a         | n/a                                                                           | residentKey: required<br/>userVerification: required                                           | none            | n/a                                                                                                                          |
| Uber        | id: uber.com<br/>name: Uber Inc.                          | displayName: 0176 xxxxxxxx<br/>id: 02c2...b4af<br/>name: 0176 xxxxxxxx                                                              | ✔️            | alg: -7, type: public-key<br/>alg: -35, type: public-key<br/>alg: -36, type: public-key<br/>alg: -257, type: public-key<br/>alg: -258, type: public-key<br/>alg: -259, type: public-key<br/>alg: -37, type: public-key<br/>alg: -38, type: public-key<br/>alg: -39, type: public-key<br/>alg: -8, type: public-key                                                                  | n/a         | n/a                                                                           | authenticatorAttachment: platform<br/>residentKey: preferred<br/>userVerification: required    | none            | n/a                                                                                                                          |

## 4. Overview of Public Key Credential Request Options

The following table gives an overview of the best practices of large tech companies,
showing how they have defined their
[PublicKeyCredentialRequestOptions](https://www.corbado.com/glossary/publickeycredentialrequestoptions). These
option choices strongly influence how client-side failures surface (especially timeout and
credential availability behavior), so compare them with a production-oriented WebAuthn
error map during rollout.

|             | **challenge** | **timeout** | **rpId**              | **allowCredentials**                                                                                 | **userVerification** | **extensions**        |
| ----------- | ------------- | ----------- | --------------------- | ---------------------------------------------------------------------------------------------------- | -------------------- | --------------------- |
| PayPal      | ✔             | n/a         | paypal.com            | id: <br />transports: usb, nfc, ble, hybrid, internal<br />type: public-key                          | required             | n/a                   |
| KAYAK       | ✔             | n/a         | kayak.de              | id: <br />transports: usb, nfc, ble, hybrid, internal<br />type: public-key                          | preferred            | n/a                   |
| eBay        | ✔             | n/a         | ebay.de               | n/a                                                                                                  | required             | n/a                   |
| Shopify     | ✔             | n/a         | accounts.shopify.com  | n/a                                                                                                  | preferred            | n/a                   |
| GitHub      | ✔             | n/a         | github.com            | n/a                                                                                                  | required             | n/a                   |
| Adobe       | ✔             | n/a         | adobe.com             | n/a                                                                                                  | preferred            | n/a                   |
| Google      | ✔             | n/a         | google.com            | id:<br />transports: hybrid, internal<br />type: public-key                                          | preferred            | n/a                   |
| Vercel      | ✔             | n/a         | vercel.com            | n/a                                                                                                  | preferred            | n/a                   |
| Amazon      | ✔             | n/a         | amazon.com            | id:<br />transports: hybrid, internal<br />type: public-key                                          | preferred            | n/a                   |
| Binance     | ✔             | n/a         | binance.com           | id: 50tFgDvoiCy4HsjkiwsEmykmsxE<br/>transports: hybrid, internal<br/>type: public-key                | preferred            | n/a                   |
| Apple       | ✔             | n/a         | apple.com             | id: QVbUFRZmiAZxElbC0CKP7zL_RGE<br/>transports: hybrid, internal<br/>type: public-key                | preferred            | largeBlob: read: true |
| Best Buy    | ✔             | n/a         | bestbuy.com           | n/a                                                                                                  | required             | n/a                   |
| Coinbase    | ✔             | n/a         | coinbase.com          | n/a                                                                                                  | preferred            | n/a                   |
| Finom       | ✔             | n/a         | app.finom.co          | id: QOzxfW9xaL3Ozg4u3WBv9wjdW8s<br/>transports: usb, nfc, ble, hybrid, internal<br/>type: public-key | required             | n/a                   |
| Microsoft   | ✔             | n/a         | login.microsoft.com   | n/a                                                                                                  | required             | n/a                   |
| Nintendo    | ✔             | n/a         | accounts.nintendo.com | n/a                                                                                                  | required             | n/a                   |
| PlayStation | ✔             | n/a         | my.account.sony.com   | n/a                                                                                                  | required             | n/a                   |
| Stripe      | ✔             | n/a         | stripe.com            | n/a                                                                                                  | required             | n/a                   |
| Uber        | ✔             | n/a         | uber.com              | n/a                                                                                                  | required             | n/a                   |

## 5. Recommendations for Implementing WebAuthn Server Options

For those looking to implement WebAuthn servers and use passkeys in the most user-friendly
and secure way, we recommend the following WebAuthn server configurations:

**PublicKeyCredentialCreationOptions**

- **Relying Party**
    - **Relying Party ID:** Use your root domain so that the passkey can be reused on
      potential future subdomains as well.
    - **Relying Party Name:** Use the name by which your product / service is known to
      your users.

- **User**
    - **User Display Name:** Firstname + Lastname
    - **User ID:** Use your internal [user ID](https://www.corbado.com/blog/webauthn-user-id-userhandle)
    - **User Name:** Use the name by which you want to address your users

- **pubKeyCredParams:** Use at least the following two algorithms
    - **ES256** (alg: -7, type: public-key)
    - **RS256** (alg: -257, type: public-key)

- **authenticatorSelection:**
    - **residentKey:** required
    - **userVerification:** required – Make sure you understand the flags and check the UV
      flag if you rely on it

- **attestation:** direct - so that you can get the [AAGUID](https://www.corbado.com/glossary/aaguid) of the
  [authenticators](https://www.corbado.com/glossary/authenticator) in use and improve the UX

- **Extension:** none

**PublicKeyCredentialRequestOptions**

- **userVerification:** required
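
The recommended options, expressed as server-side code together with the UV-flag check that the userVerification recommendation depends on. This is an added example, not code from the article or from any surveyed company; `example.com`, the function names and the sample authenticator data are assumptions constructed for illustration.

```python
import base64
import hashlib
import secrets
import struct
import uuid

RP_ID = "example.com"        # assumption: placeholder root domain
RP_NAME = "Example Service"  # assumption: placeholder product name
FLAG_UP, FLAG_UV, FLAG_AT = 0x01, 0x04, 0x40  # authenticator data flag bits


def b64url(data: bytes) -> str:
    """Base64url without padding, the usual JSON transport for binary fields."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def creation_options(user_id: bytes, user_name: str, display_name: str) -> dict:
    """PublicKeyCredentialCreationOptions following the recommended settings."""
    return {
        "rp": {"id": RP_ID, "name": RP_NAME},
        "user": {"id": b64url(user_id), "name": user_name, "displayName": display_name},
        "challenge": b64url(secrets.token_bytes(32)),  # fresh random value per ceremony
        "pubKeyCredParams": [
            {"type": "public-key", "alg": -7},    # ES256
            {"type": "public-key", "alg": -257},  # RS256
        ],
        "authenticatorSelection": {"residentKey": "required", "userVerification": "required"},
        "attestation": "direct",  # per the article: used to obtain the AAGUID
    }


def request_options() -> dict:
    """PublicKeyCredentialRequestOptions; no allowCredentials, no timeout, no extensions."""
    return {"challenge": b64url(secrets.token_bytes(32)), "rpId": RP_ID,
            "userVerification": "required"}


def check_authenticator_data(auth_data: bytes, rp_id: str = RP_ID, require_uv: bool = True) -> dict:
    """Check rpIdHash and flags; return signCount, UV state and AAGUID (if attested)."""
    if len(auth_data) < 37:  # rpIdHash (32) + flags (1) + signCount (4)
        raise ValueError("authenticator data shorter than 37 bytes")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the expected RP ID")
    if not flags & FLAG_UP:
        raise ValueError("user presence (UP) flag not set")
    # "userVerification: required" in the options is only a request to the client;
    # the server has to confirm the UV bit itself.
    if require_uv and not flags & FLAG_UV:
        raise ValueError("user verification (UV) flag not set")
    aaguid = None
    if flags & FLAG_AT:  # attested credential data: AAGUID (16) + credential ID length (2) + ...
        if len(auth_data) < 55:
            raise ValueError("AT flag set but attested credential data is truncated")
        aaguid = str(uuid.UUID(bytes=auth_data[37:53]))
    return {"sign_count": sign_count, "uv": bool(flags & FLAG_UV), "aaguid": aaguid}


def sample_auth_data(flags: int, aaguid: bytes = b"") -> bytes:
    """Constructed authenticator data for the demo (not captured from a real device)."""
    data = hashlib.sha256(RP_ID.encode()).digest() + bytes([flags]) + struct.pack(">I", 1)
    if aaguid:
        data += aaguid + struct.pack(">H", 4) + b"\x00" * 4  # dummy 4-byte credential ID
    return data


if __name__ == "__main__":
    import json
    print(json.dumps(creation_options(b"internal-user-42", "user@example.com", "Jane Doe"), indent=2))
    print(check_authenticator_data(sample_auth_data(FLAG_UP | FLAG_UV | FLAG_AT, bytes(range(16)))))
    try:
        check_authenticator_data(sample_auth_data(FLAG_UP))  # UP only, no UV
    except ValueError as err:
        print("rejected:", err)
```

Signature verification and the challenge and origin checks on clientDataJSON are outside this sketch and are still required on the server.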

## 6. Conclusion

In summary, leading tech companies like Google, Microsoft, [eBay](https://www.corbado.com/blog/ebay-passkeys),
and GitHub have successfully implemented passkeys. Make use of the common patterns in
their WebAuthn server options to ensure the highest security and UX standards. This can
significantly optimize your passkey implementation.

## Frequently Asked Questions

### How do major tech companies configure userVerification in their WebAuthn authentication requests?

Implementations split between 'required' and 'preferred'. High-security platforms
including PayPal, GitHub, Microsoft, Nintendo, Stripe and Uber set userVerification to
'required' in their PublicKeyCredentialRequestOptions, while Google, Amazon, Shopify and
Vercel use 'preferred'. The recommended best practice is 'required' for both creation and
authentication flows.

### How should I set the Relying Party ID in my WebAuthn server configuration?

Set the rpId to your root domain rather than a subdomain so that credentials remain
reusable across current and future subdomains. Finom uses 'app.finom.co' and Microsoft
uses 'login.microsoft.com' as their rpIds, both subdomains rather than root domains. Using
the root domain is the recommended configuration for maximum flexibility.

### What does setting residentKey to 'discouraged' mean for passkey-style login flows?

Setting residentKey to 'discouraged' means the server does not require credentials to be
stored as discoverable credentials on the authenticator, which limits usernameless login
flows. Companies like Binance, eBay and Finom use this setting, accepting the trade-off in
usability. The recommended configuration is residentKey: required to fully enable
discoverable credential authentication.

### Which company uses the largeBlob extension in WebAuthn request options, and what does it do?

Apple is the only platform in this survey to use the largeBlob extension in its
PublicKeyCredentialRequestOptions, setting it to 'read: true'. This extension allows
reading large data blobs stored alongside credentials on the authenticator. No other major
platform surveyed enables this extension in their WebAuthn request options.
