---
url: 'https://www.corbado.com/faq/prevent-multiple-passkeys-for-one-account'
title: 'How to prevent creation of multiple passkeys for 1 account?'
description: 'Learn how to prevent users from creating multiple passkeys for a single account and ensure secure authentication management.'
lang: 'en'
keywords: 'prevent multiple passkeys, passkey duplication'
---

# How to prevent creation of multiple passkeys for 1 account?

In **WebAuthn-based authentication**, it is possible for users to create **multiple
passkeys** for the same account across different devices or
[passkey providers](https://www.corbado.com/blog/passkey-providers). While this improves redundancy and
accessibility, **some organizations may want to restrict multiple passkey registrations**
to prevent confusion or enforce security policies.

## Ways to Prevent Multiple Passkeys for One Account

### 1. Use the `excludeCredentials` Parameter

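WebAuthn provides a built-in parameter called **`excludeCredentials`**, which prevents users
from registering multiple passkeys for the same account on the same authenticator.

During passkey registration, the server looks up the user's existing passkeys and lists
their credential IDs in `excludeCredentials`. If the authenticator being used already holds
one of the listed credentials, the additional registration is blocked.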

**Example:**

```json
{
    "challenge": "random-challenge-string",
    "rp": { "name": "Example Corp", "id": "example.com" },
    "user": { "id": "user-id", "name": "user@example.com", "displayName": "User Name" },
    "excludeCredentials": [
        {
            "id": "existing-passkey-id",
            "type": "public-key"
        }
    ],
    "authenticatorSelection": { "residentKey": "preferred" },
    "attestation": "none",
    "pubKeyCredParams": [{ "type": "public-key", "alg": -7 }]
}
```

### 2. Restrict Passkey Registration Per User

- Implement server-side validation to limit each user to a single registered passkey.
- Before allowing a new passkey registration, check the user’s existing credentials in
  your database.
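
The checks from sections 1 and 2 combined, as an added example that is not part of the original page or of Corbado's code. The in-memory `store`, the function names and the `maxPasskeys` parameter are assumptions, and the attestation response is assumed to have been verified by a WebAuthn library before `finishRegistration` is called.

```javascript
// Added example. The in-memory Map stands in for a credentials table
// (hypothetical); credential IDs are base64url strings as in the JSON above.
class PasskeyPolicyError extends Error {}

const store = new Map(); // userId -> array of credential IDs

// Step 1: build the creation options sent to the browser.
// `challenge` must be a fresh CSPRNG value generated by the caller.
function beginRegistration(user, challenge, maxPasskeys = 1) {
  const existing = store.get(user.id) ?? [];
  if (existing.length >= maxPasskeys) {
    // Server-side limit: refuse before the browser prompt is ever shown.
    throw new PasskeyPolicyError('passkey limit reached for this account');
  }
  return {
    challenge,
    rp: { name: 'Example Corp', id: 'example.com' },
    user,
    // Every stored credential ID is listed, so an authenticator that already
    // holds one of them declines to create another passkey for the account.
    excludeCredentials: existing.map((id) => ({ id, type: 'public-key' })),
    authenticatorSelection: { residentKey: 'preferred' },
    attestation: 'none',
    pubKeyCredParams: [{ type: 'public-key', alg: -7 }],
  };
}

// Step 2: store the new credential. The limit is checked again because two
// ceremonies started in parallel can both pass the check in step 1.
function finishRegistration(userId, credentialId, maxPasskeys = 1) {
  const existing = store.get(userId) ?? [];
  if (existing.includes(credentialId)) {
    throw new PasskeyPolicyError('credential already registered');
  }
  if (existing.length >= maxPasskeys) {
    throw new PasskeyPolicyError('passkey limit reached for this account');
  }
  store.set(userId, [...existing, credentialId]);
  return existing.length + 1; // number of passkeys now on the account
}
```

With a limit of 1 the server-side check does all the work and `excludeCredentials` is always empty; with a higher limit, `excludeCredentials` is what stops the same authenticator from being enrolled twice. In a real database the second check belongs in the same transaction as the insert.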

### 3. Provide UI Feedback on Existing Passkeys

- Inform users when they attempt to register a new passkey if one already exists.
- Offer users an option to delete or replace their previous passkey.

### 4. Implement Admin Controls for Passkey Management

Enterprise environments can enforce passkey policies through an admin panel where IT teams
can limit [passkey creation](https://www.corbado.com/blog/passkey-creation-best-practices).

### 5. Educate Users on Passkey Best Practices

Instead of blocking multiple passkeys, educate users on how to manage them properly,
ensuring they have a backup passkey in case of device loss.

## Conclusion

By using WebAuthn’s [`excludeCredentials`](https://www.corbado.com/glossary/excludecredentials) parameter,
implementing server-side checks and providing user-friendly feedback, organizations can
prevent the unnecessary creation of multiple passkeys for a single account while
maintaining secure and seamless authentication.

