---
url: 'https://www.corbado.com/glossary/authenticatorselection'
title: 'authenticatorSelection'
description: 'Understand authenticatorSelection in WebAuthn, a method to define authenticator requirements, enhancing the security and user experience in WebAuthn.'
lang: 'en'
keywords: 'authenticatorselection'
---

# authenticatorSelection

## What is authenticatorSelection?

In WebAuthn, authenticatorSelection is an important part of the
[PublicKeyCredentialCreationOptions](https://www.corbado.com/glossary/publickeycredentialcreationoptions) object.
This feature enables Relying Parties (RPs) to specify criteria for selecting the
appropriate [authenticators](https://www.corbado.com/glossary/authenticator) during the `create()` operation. Its
importance lies in:

- **Defining Authenticator Requirements:** Dictates the type of
  [authenticators](https://www.corbado.com/glossary/authenticator) that can participate in the registration
  process.
- **Authenticator Attachment:** Determines if the [authenticator](https://www.corbado.com/glossary/authenticator)
  is a platform (e.g. [Face ID](https://www.corbado.com/faq/is-face-id-passkey), Touch ID,
  [Windows Hello](https://www.corbado.com/glossary/windows-hello)) or a cross-platform (roaming)
  [authenticator](https://www.corbado.com/glossary/authenticator).
- **User Verification:** Sets the requirement for
  [user verification](https://www.corbado.com/blog/webauthn-user-verification) (e.g., "preferred", "required", or
  "discouraged").

### Example:

```json
{
  "authenticatorSelection": {
    "authenticatorAttachment": "platform",
    "residentKey": "required",
    "requireResidentKey": true,
    "userVerification": "required"
  }
}
```

Continue reading for a breakdown of the possible values and configurations of
**authenticatorSelection**.

## Key Takeaways

> - authenticatorSelection specifies requirements for choosing
>   [authenticators](https://www.corbado.com/glossary/authenticator) in WebAuthn.
> - It includes [authenticator](https://www.corbado.com/glossary/authenticator) attachment modality and
>   [user verification](https://www.corbado.com/blog/webauthn-user-verification) requirements.
> - Enhances security by allowing precise control over the authentication process.

---

authenticatorSelection in WebAuthn is essential for ensuring that the authentication
process aligns with specific security requirements and user experience preferences. It
offers Relying Parties the flexibility to tailor the registration process according to
their security needs.

Here's an overview of the possible values, as specified in the
[WebAuthn specification](https://www.w3.org/TR/webauthn-2/#dictdef-authenticatorselectioncriteria):

### authenticatorAttachment

Possible values:

- **platform:** The authenticator is attached to the client's platform and is therefore
  not removable.
- **cross-platform:** The authenticator is not bound to the client's platform and can be
  used on multiple devices.

### residentKey

This value specifies whether the [Relying Party](https://www.corbado.com/glossary/relying-party) wants to create
a
[discoverable credential](https://www.corbado.com/blog/webauthn-resident-key-discoverable-credentials-passkeys).
Possible values are:

- **required:** The authenticator must create a
  [resident key](https://www.corbado.com/blog/webauthn-resident-key-discoverable-credentials-passkeys) and the
  operation should fail if this is not possible.
- **preferred:** The authenticator should try to create a
  [resident key](https://www.corbado.com/blog/webauthn-resident-key-discoverable-credentials-passkeys) and should
  create a
  non-[resident key](https://www.corbado.com/blog/webauthn-resident-key-discoverable-credentials-passkeys) if
  this is not possible.
- **discouraged:** The authenticator must create a non-resident key and the operation
  should fail if this is not possible.

### requireResidentKey

This value is used only for backwards compatibility with WebAuthn Level 1. It is set to
`true` if residentKey is set to "required".

### userVerification

This value indicates whether [User Verification](https://www.corbado.com/blog/webauthn-user-verification) is
required for the operation. Possible values are:

- **required:** The operation must verify the user.
- **preferred:** The operation should verify the user, but can proceed without it
  (default value).
- **discouraged:** The operation should not verify the user.

**Warning:** If set to "preferred", the authenticator may skip the user verification in the
authentication process. Read more about this issue in
[this article](https://web.dev/articles/passkey-form-autofill#fetch_a_challenge_from_the_rp_server).
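Because of this, the Relying Party server should read the flags byte of the returned authenticator data and enforce its own policy rather than trust the requested `userVerification` value. The following is an added example, not code from the original page or from Corbado: the function names and sample bytes are hypothetical, and it assumes the signature and `rpIdHash` have already been verified elsewhere.

```javascript
"use strict";
// Added example: enforce the RP's userVerification policy on the server.
// Authenticator data layout: rpIdHash (32 bytes) | flags (1) | signCount (4) | ...
const FLAG_UP = 0x01; // bit 0: user present
const FLAG_UV = 0x04; // bit 2: user verified
const POLICIES = ["required", "preferred", "discouraged"];

function parseAuthenticatorFlags(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error("authenticator data too short (need at least 37 bytes)");
  }
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset + 33, 4);
  return {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(0, false), // big-endian counter
  };
}

// policy is the userVerification value the RP sent in its options.
function checkUserVerification(authData, policy) {
  if (!POLICIES.includes(policy)) throw new Error("unknown policy: " + policy);
  const { userPresent, userVerified } = parseAuthenticatorFlags(authData);
  if (!userPresent) return { ok: false, reason: "user not present" };
  if (policy === "required" && !userVerified) {
    return { ok: false, reason: "user verification required but UV flag not set" };
  }
  // "preferred" / "discouraged": accept, but report whether UV actually
  // happened so the caller can step up (e.g. ask for another factor).
  return { ok: true, userVerified };
}

// Constructed sample input: zeroed rpIdHash, chosen flags byte, signCount = 7.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  buf[36] = 7;
  return buf;
}

console.log(checkUserVerification(sampleAuthData(0x05), "required"));  // UP + UV set
console.log(checkUserVerification(sampleAuthData(0x01), "required"));  // UV skipped
console.log(checkUserVerification(sampleAuthData(0x01), "preferred")); // accepted, UV false
```

With "preferred", the last call is accepted with `userVerified: false`, which is exactly the case the warning describes; the server decides whether that is enough for the action being authorized.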

---

## authenticatorSelection FAQs

### What function does authenticatorSelection serve in WebAuthn?

authenticatorSelection in WebAuthn allows Relying Parties to specify the type of
authenticators that are suitable for their authentication process, including the
requirement for user verification and the type of authenticator.

### How does authenticatorSelection impact the user experience in authentication?

It impacts user experience by determining the type of authenticator used (platform or
roaming) and setting the level of user verification, thereby influencing the ease and
security of the authentication process.

### What are the implications of the authenticatorAttachment setting in authenticatorSelection?

The authenticatorAttachment setting in authenticatorSelection dictates whether a fixed
[platform authenticator](https://www.corbado.com/glossary/platform-authenticator) or a removable
cross-[platform authenticator](https://www.corbado.com/glossary/platform-authenticator) is required, affecting
the physical and functional characteristics of the authentication process.
