Learn how the WebAuthn Signal API enables seamless passkey deletion and metadata updates (user.name, user.displayName) on client-side authenticators.
Vincent
Created: July 16, 2024
Updated: April 30, 2025
Our mission is to make the Internet a safer place, and the new login standard passkeys provides a superior solution to achieve that. That's why we want to help you understand passkeys and its characteristics better.
The passkey ecosystem is evolving. To facilitate change the underlying WebAuthn standard evolves fast. New features start often with a technical explainer in GitHub and then evolve into a pull request into the standard when they have been discussed sufficiently. Recently, this pull request was added into the standard draft as the WebAuthn Signal API. In this article, we will cover:
At time of updating this blog post on January 2025, the WebAuthn Signal API is enabled by default since Chrome 132 and was formerly known as the Reporting API before being renamed to avoid conflicts with another API of the same name.
Recent Articles
The WebAuthn Signal API addresses specific use cases related to the management of passkeys on the client-side. Specifically, it helps keeping information in sync between the relying party (RP) and the authenticators which are part of the client-side operating systems. The following important use cases exist:
When a passkey is created, it includes several pieces of information: user.id
,
user.name
, and user.displayName
. The passkey itself is identified via the unique
Credential ID.
user.id
is crucial because it is used for the actual matching of the passkey to the
user's account.The following illustration shows a typical, simple database structure that explains which information would usually be stored within which field:
It's important to understand that while user.name
(often an email address) and
user.displayName
(a more friendly, readable name) help the user identify their account
in the selection UI, the real association between a passkey and an account is maintained
through the user.id
and the Credential ID:
user.id
One issue arises when the user.name
, which can be an email address, changes. Currently,
there is no mechanism to update this change on the client-side
authenticator directly. The user.name
can change for various
reasons, such as when a user updates their email address. Despite this change in the
account's meta-data on the server side, the old user.name
will continue to appear in the
credential selection UI, which can cause confusion for users.
The workaround for this issue is to create a new passkey with the updated user.name
and
the same user.id
, and then overwrite the existing passkey. However, this approach is
inconvenient for several reasons:
user.id
can have only one passkey per
relying party ID, meaning the old passkey must be replaced
with a new one, which is an extra step.Email addresses, phone numbers and other identifiers can change regularly. Without a
straightforward method to update user.name
and user.displayName
directly on the
authenticator, users may encounter a persistent issue where they see and have to select a
passkey associated with their old email address. This situation undermines the seamless
experience that passkeys aim to provide. The WebAuthn Signal API aims to solve this
problem by allowing relying parties to report updates to the meta-data of passkeys without
requiring the creation of new ones. Before we explain how to implement the Signal API we
will explore the second important use case that it addresses.
Another crucial use case is the deletion of passkeys on the client-side authenticator. Over time, users may revoke credentials via the passkey management list or delete their accounts, and it becomes necessary to ensure that these credentials are removed from the client-side authenticator to prevent them from appearing in future credential selection UIs (Conditional UI / passkey autofill).
The need for this functionality arises in several scenarios:
From user perspective, it is difficult to understand that a deletion in their account setting, in a dialogue like the above, does not lead to the passkey being removed on this client.
2. Account Deletion: When a user deletes their account, all associated passkeys should also be removed. 3. Security Policies: Relying parties may have security policies that require the revocation of credentials after periods of inactivity or due to detected security issues.
Without a direct method to delete passkeys on the client-side, these outdated or invalid credentials continue to clutter the selection UI, leading to confusion. Users might see and attempt to use passkeys that are no longer valid, resulting in failed authentication attempts and a poor user experience.
Implementing the WebAuthn Signal API involves several steps and considerations to ensure that the functionality is integrated correctly and securely. The Signal API allows relying parties (RPs) to update or delete passkey credentials on the client-side authenticator. This section outlines the key considerations and steps for implementation.
When implementing the WebAuthn Signal API, it is crucial to keep the following considerations in mind:
Privacy Preserving: The WebAuthn Signal API is designed to preserve user privacy as it is one of the foundations of WebAuthn. This means that there is no feedback provided to the RP about whether the requested change was processed. The API operates silently to prevent any potential leakage of information about the state of credentials.
Authenticator Availability: The effectiveness of the WebAuthn Signal API depends on the availability of the authenticator. This includes both physical availability (e.g., the presence of a security key) and software support ( e.g., browser and operating system compatibility). The browser can only perform actions if the authenticator is accessible and supports the necessary operations without needing biometric authentication.
Domain Restrictions: The API ensures that only the relying party associated with a specific domain can request changes to credentials related to that domain. This is a security measure to prevent unauthorized modifications by third parties.
Credential ID as Key: When referencing passkeys, the Credential ID is the primary key used by the WebAuthn Signal API. This ID uniquely identifies the passkey on the client-side authenticator. The API allows RPs to change meta-data associated with passkeys or signal that certain passkeys should no longer be accessed, but only through the Credential ID. In case an authenticator does not know a specific Credential ID, it will silently ignore it.
These considerations are essential for understanding the most important aspects of the WebAuthn Signal API functions correctly.
The WebAuthn Signal API provides a streamlined mechanism for relying parties (RPs) to update the metadata associated with passkeys on client-side authenticators. This is especially important for ensuring that users see accurate and up-to-date information in the credential selection UI without having to create new passkeys unnecessarily. Here's how the API allows this to happen:
Updating Metadata with signalCurrentUserDetails(options)
The signalCurrentUserDetails(options)
method in the Signal API is specifically designed
for updating metadata of passkeys. This method allows RPs to provide the current values
for user.name
and user.displayName
.
Here’s how the process works (see also the WebAuthn Level 3 standard).
signalCurrentUserDetails(options)
method includes the
rp.id
, user.id
and the updated values for user.name
and user.displayName
.PublicKeyCredential.signalCurrentUserDetails({ rpId: "example.com", userId: "aabbcc", // user handle, base64url. name: "New user name", displayName: "New display name", });
Updating the Local Metadata: Look for locally (on the authenticator) available
credentials that match the rpId
and userId
. For all matching credentials, the
authenticator will update the credential's name
and displayName
.
Privacy Preserving: The process is designed to be privacy-preserving. The Signal API does not provide feedback to the RP about whether the updates were successfully processed, preventing any leakage of information about the state of the credentials.
Consistency Across Devices: By regularly running the
signalCurrentUserDetails(options)
methods, RPs can ensure that the metadata for
passkeys remains consistent across different devices and platforms where the user may
authenticate. This approach reduces the chances of outdated or incorrect information
being displayed in the credential selection UI.
In the above screenshot, you can see how Google Chrome signals such an update to the user. WebAuthn Signal API is part of Chrome 130 and can be tested with Google Password Manager on desktop if the experimental web features flag is activated.
The WebAuthn Signal API provides mechanisms for relying parties (RPs) to signal the
deletion of passkeys from client-side authenticators. This is
essential for ensuring that outdated or invalid credentials do not appear in the
credential selection UI, thus maintaining a streamlined and secure user experience. There
are two methods to delete the passkeys locally: signalUnknownCredential(options)
and
signalAllAcceptedCredentials)(options)
. The former can be used in situations where the
user is not authenticated, while the latter can be used when the user is authenticated.
Therefore, the latter one should be preferred for privacy reasons.
Here's how the two methods work:
signalUnknownCredential(options)
method includes the rpId
(relying party ID) and the credentialId
(the unique identifier of the credential to
be deleted).PublicKeyCredential.signalUnknownCredential({ rpId: "example.com", credentialId: "aabbcc", // credential id the user just tried, base64url });
Calling the Method: RPs call this method whenever they detect that a credential should be deleted. This could be immediately following an authentication attempt with an invalid credential, during account deletion, or when a user revokes a credential through account settings.
Handling the Method: When the signalUnknownCredential(options)
method is called,
the client-side authenticator tries to find credentials that match rpId
and
credentialID
specified credential for omission. Depending on the
authenticator's capabilities, the credential is removed or
an authenticator-specific procedure to hide the credential in future authentication
ceremonies is employed.
signalAllAcceptedCredentials(options)
method includes the
rpId
(relying party ID), userId
and a list of valid Credential Ids
allAcceptedCredentialIds
(list of unique identifiers of credentials that should be
kept).PublicKeyCredential.signalAllAcceptedCredentials({ rpId: "example.com", userId: "aabbcc", // user handle, base64url. allAcceptedCredentialIds: ["bb"], });
Calling the Method: RPs call this method whenever they detect that a credential
should be deleted and signal a list of valid credentials. This method should be
preferred over signalUnknownCredential(options)
to delete credentials.
Handling the Method: When the signalAllAcceptedCredentials(options)
method is
called, the client-side authenticator matches the rpId
and userId
. The
authenticator that looks up all local credentials that match rpId
and userId
. The
result is compared to allAcceptedCredentialIds
. If there are local credentials that
are not in allAcceptedCredentialIds
, then these credentials are removed locally (or
hidden depending on the authenticator).
Unhide Credentials: If a credentials have been hidden only (depending on the
authenticator) and are now part of allAcceptedCredentialIds
, then these credentials
will be present in future authentication ceremonies again.
Useful Tips:
signalAllAcceptedCredentials(options)
it's important to note that
authenticators may not always be connected at the time this method is executed. As a
result, relying parties might consider running
signalAllAcceptedCredentials(options)
periodically, such as during every sign-in,
to ensure that all credentials are up-to-date.allAcceptedCredentialIds
). Credentials that are not included in this list may be
hidden or removed by the authenticator, potentially irreversibly. To prevent valid
credentials from being mistakenly omitted, it is crucial to ensure that the list is
complete. If a valid credential ID is accidentally left out, it should be re-added
to signalAllAcceptedCredentials(options)
as soon as possible to make it visible
again, assuming the authenticator supports this. In the above
screenshot, you can see how Google Chrome signals deletes. WebAuthn Signal API is part of
Chrome 132 and can be tested with Google Password Manager on desktop.
To effectively implement the WebAuthn Signal API and ensure seamless synchronization of passkey metadata across client-side authenticators, consider the following recommendations:
signalAllAcceptedCredentials(options)
approach after every successful
login: This approach ensures that all metadata and credential IDs are updated in a
single method, simplifying the process and maintaining consistency across devices and
platforms and at the same time deactivates deleted or stale credentials.signalUnknownCredential(options)
for large-scale
deployments: Consider using real-time messaging with the
signalUnknownCredential(options)
method in
large-scale deployments or when there
is a need for immediate updates. This method can enhance the efficiency and accuracy of
credential management, ensuring that invalid or outdated credentials are promptly
removed from the selection UI.By following these recommendations, you can implement the WebAuthn Signal API effectively once it is supporting, ensuring that passkey metadata remains up-to-date and consistent across all client-side authenticators, thereby providing a smooth and secure user experience for passkeys.
The WebAuthn standard is continually evolving, becoming more feature-rich on a monthly basis. The introduction of the WebAuthn Signal API is a significant step forward in managing passkey meta-data and deletions on client-side authenticators. This API addresses the crucial use cases of keeping information in sync between relying parties (RPs) and authenticators, and ensuring that invalid or outdated passkeys are removed, thereby improving the user experience.
user.name
and user.displayName
information, which can cause confusion
when credentials are presented in the selection UI. Additionally, it helps in
maintaining a clean and secure credential selection interface by removing revoked or
deleted passkeys.As the WebAuthn standard evolves, it benefits from the diverse interests of its participants, who push different parts of the standard forward. Keeping an eye on these developments is crucial for staying up-to-date with the latest enhancements and ensuring that implementations remain aligned with the latest best practices and standards. The WebAuthn community continues to drive innovation, making authentication more secure and user-friendly.
Enjoyed this read?
🤝 Join our Passkeys Community
Share passkeys implementation tips and get support to free the world from passwords.
🚀 Subscribe to Substack
Get the latest news, strategies, and insights about passkeys sent straight to your inbox.
Related Articles
Table of Contents