
What is excludeCredentials in WebAuthn?

Explore excludeCredentials, a crucial element in WebAuthn to prevent multiple credential registrations on the same account and authenticator.

Vincent Delitz

Created: December 18, 2023

Updated: May 12, 2026

excludeCredentials in WebAuthn prevents the creation of multiple credentials for the same account on a single authenticator by listing already registered credentials.

What are excludeCredentials in WebAuthn?

excludeCredentials is an essential attribute of WebAuthn's PublicKeyCredentialCreationOptions object. This option is used by Relying Parties (RPs) to prevent the creation of multiple credentials for the same account on a single authenticator. It functions by listing credentials that are already registered and should not be re-created.

The key elements of excludeCredentials include:

  • Limiting Credential Registration: Prevents redundant credential registration on the same authenticator.
  • Credential Enumeration: A sequence of PublicKeyCredentialDescriptor objects representing credentials that are already registered.
  • Enhancing Security and User Experience: Avoids confusion and security risks associated with multiple registrations of the same account on a single device.

Key Takeaways

  • excludeCredentials is used to prevent the re-registration of existing credentials on an authenticator.
  • It lists already registered credentials to guide the registration process.
  • Helps in maintaining streamlined and secure user authentication.

excludeCredentials plays a pivotal role in maintaining the integrity of the registration process in WebAuthn. By specifying credentials that should not be recreated, it not only enhances security but also improves the user experience by preventing unnecessary credential duplications.

Detailed Insights

  • Usage in Authentication Flow: During the registration process, excludeCredentials informs the authenticator about existing credentials, directing it to avoid re-creating these credentials.
  • Privacy Considerations: Helps in protecting user privacy by not leaking information about the availability of certain credentials.

Since excludeCredentials is part of the PublicKeyCredentialCreationOptions object, you can read more about it in its article.
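The registration flow described above, as an added example that is not Corbado's code: the RP builds excludeCredentials from the credentials it already stores for the account, and the client interprets the error the browser raises when the authenticator recognizes one of them. The store layout, the function names, `example.com` and all credential IDs are constructed assumptions.

```javascript
// Added example. All names and values below are constructed.
// RP-side credential store (sample rows; ids are base64url strings).
const storedCredentials = [
  { userHandle: "u-1001", credentialId: "Y3JlZC1B", transports: ["internal"] },
  { userHandle: "u-1001", credentialId: "Y3JlZC1C", transports: ["usb", "nfc"] },
  { userHandle: "u-2002", credentialId: "Y3JlZC1D", transports: ["internal"] },
];

// Server side: build the JSON form of PublicKeyCredentialCreationOptions.
// `challenge` must be fresh random bytes (base64url) generated per ceremony.
function buildCreationOptions(user, credentials, challenge) {
  return {
    rp: { id: "example.com", name: "Example RP" },
    user: { id: user.handle, name: user.name, displayName: user.name },
    challenge,
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    // One PublicKeyCredentialDescriptor per credential this account already
    // has. Never include another account's credential ids.
    excludeCredentials: credentials
      .filter((c) => c.userHandle === user.handle)
      .map((c) => ({ type: "public-key", id: c.credentialId, transports: c.transports })),
  };
}

// Client side: map the outcome of create() to something the UI can act on.
// `publicKey` is the decoded options object; `api` defaults to the browser's.
async function registerPasskey(publicKey, api = navigator.credentials) {
  try {
    const credential = await api.create({ publicKey });
    return { status: "created", credential };
  } catch (err) {
    // The authenticator matched an excludeCredentials entry.
    if (err.name === "InvalidStateError") return { status: "already-registered" };
    // User cancelled, timed out, or the request was not permitted.
    if (err.name === "NotAllowedError") return { status: "not-allowed" };
    throw err;
  }
}
```

In a browser, the base64url fields (`challenge`, `user.id` and each `excludeCredentials[].id`) must be decoded to binary before the options are passed to `navigator.credentials.create()`.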


excludeCredentials FAQs

What is the role of excludeCredentials in WebAuthn?

excludeCredentials in WebAuthn is used to limit the creation of duplicate credentials for the same account on a single authenticator.

How does excludeCredentials enhance user security in WebAuthn?

It prevents the registration of multiple credentials for the same account on one device, reducing confusion and potential security risks.


What are the privacy implications of using excludeCredentials?

Proper implementation of excludeCredentials can prevent information leaks that could allow identification of specific user credentials.
