
What are PublicKeyCredentialRequestOptions in WebAuthn?

Understand PublicKeyCredentialRequestOptions in WebAuthn, a central component for secure and efficient user authentication in passkey-enabled systems.

Vincent Delitz

Created: December 18, 2023

Updated: May 12, 2026


What are PublicKeyCredentialRequestOptions?

PublicKeyCredentialRequestOptions is an important object in the WebAuthn standard, used during login with a credential. It is essential for the navigator.credentials.get() function, providing the data needed to generate an authentication assertion.

Example

{
  "publicKeyCredentialRequestOptions": {
    "challenge": "pT7HMA-…dFPHk",
    "timeout": 500,
    "rpId": "passkeys.eu",
    "userVerification": "preferred",
    "allowCredentials": [],
    "extensions": []
  }
}

Continue reading for a full breakdown of the components and workings of PublicKeyCredentialRequestOptions.

Key Takeaways


Relevance in WebAuthn

As shown in the flowchart for the login process, passing publicKeyCredentialRequestOptions to the Frontend is the Backend's first step during authentication. A crucial part is the cryptographic challenge, which the authenticator later signs.

Technical breakdown

Here's a quick explanation of all attributes, as specified in the WebAuthn specification.

challenge

"challenge": "pT7HMA-…dFPHk",

timeout

"timeout": 500,
  • timeout is an optional value for the time (in milliseconds) the client should wait for the call to complete.

rpId

"rpId": "passkeys.eu"
  • rpId is the identifier of the Relying Party for the assertion request, usually its domain. Read more in this blog.

userVerification

"userVerification": "preferred",
  • userVerification is an optional value to specify requirements for user verification during the operation. Possible values are “preferred” (default), “required” or “discouraged”.

allowCredentials

"allowCredentials": [],
  • allowCredentials is an optional list of credentials that are allowed for authentication, ordered by the caller’s preference in descending order. This list would be filled with PublicKeyCredentialDescriptors, as you can see in this article.

extensions

"extensions": []
  • extensions contains optional request(s) for additional processing, such as specific return values, e.g.:
    • credProps requests information on whether the created credential is discoverable
    • prf allows the Relying Party to use outputs from a pseudo-random function (PRF) associated with a credential
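
The attributes above in use, as an added example that is not Corbado's code: the Frontend turns the base64url fields into bytes before calling navigator.credentials.get(), and the Backend accepts each issued challenge once and only until it expires. Function names, the sample challenge and the 16-byte minimum check (the length the WebAuthn specification recommends) are assumptions of this example; it covers challenge handling only, and verifying the assertion signature is a separate step.

```javascript
// Added example: function names and sample values are constructed for illustration.
const SAMPLE = { publicKeyCredentialRequestOptions: {
  challenge: "c2FtcGxlLWNoYWxsZW5nZS1ieXRlcy0_", // constructed, decodes to 24 bytes
  timeout: 500, rpId: "passkeys.eu", userVerification: "preferred",
  allowCredentials: [] } };

// Decode unpadded base64url into bytes; throws on any other input.
function b64urlToBytes(s) {
  if (typeof s !== "string" || !/^[A-Za-z0-9_-]+$/.test(s)) throw new TypeError("not base64url");
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const bin = atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// Frontend: build the `publicKey` member passed to navigator.credentials.get().
function toGetOptions(json) {
  const o = json.publicKeyCredentialRequestOptions;
  const challenge = b64urlToBytes(o.challenge);
  if (challenge.length < 16) throw new RangeError("challenge shorter than 16 bytes");
  return {
    challenge, timeout: o.timeout, rpId: o.rpId,
    userVerification: o.userVerification ?? "preferred",
    // Credential ids also travel as base64url and must become bytes.
    allowCredentials: (o.allowCredentials ?? []).map((d) => ({ ...d, id: b64urlToBytes(d.id) })),
  };
}

// Backend: remember issued challenges and accept each one at most once.
function makeChallengeStore(ttlMs) {
  const pending = new Map(); // base64url challenge -> expiry (ms)
  return {
    issue(challenge, now = Date.now()) { pending.set(challenge, now + ttlMs); },
    // clientDataJSON: the UTF-8 decoded string returned with the assertion.
    redeem(clientDataJSON, expectedOrigin, now = Date.now()) {
      const cd = JSON.parse(clientDataJSON);
      const expiry = pending.get(cd.challenge);
      pending.delete(cd.challenge); // consumed even if a check below fails
      return cd.type === "webauthn.get" && cd.origin === expectedOrigin &&
        expiry !== undefined && now <= expiry;
    },
  };
}
```
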

PublicKeyCredentialRequestOptions FAQs

How do PublicKeyCredentialRequestOptions facilitate user authentication in WebAuthn?

  • They provide essential data for generating authentication assertions, including a mandatory cryptographic challenge and optional user verification requirements.

What is the significance of the challenge member in PublicKeyCredentialRequestOptions?

  • The challenge is a critical security feature that ensures the authenticity of the authentication process and guards against replay attacks.

Can PublicKeyCredentialRequestOptions be customized for specific authentication needs?

  • Yes, they offer flexibility with optional parameters like timeout and rpId, allowing customization based on specific authentication requirements.

What’s the difference between PublicKeyCredentialRequestOptions and PublicKeyCredentialCreationOptions?

  • Both are objects sent by the Backend that include a challenge for authentication, but they differ in their use case. PublicKeyCredentialCreationOptions are used for creating a new credential, while PublicKeyCredentialRequestOptions are used for the authentication process with an existing credential.