emlun
commented
3 months ago Hi! No, there is no such capability in WebAuthn. There is no unique identifier[^1] since that would enable tracking, and there is no API to probe for whether any credential already exists. For an extended discussion of why, see: https://github.com/w3c/webauthn/issues/1915 .
What you can do is use excludeCredentials to prevent creating multiple credentials for the same account on an authenticator. The RelyingParty.startRegistration() method sets excludeCredentials automatically by querying the CredentialRepository. In theory you could set excludeCredentials to include all credentials in all accounts, but this obviously doesn't scale if there are more than maybe 20-50 accounts in your service - certainly not if there are thousands.
Depending on what you want to accomplish, you might be able to use conditional UI instead. This enables discoverable credentials (passkeys) to show up as autofill options in a text field (typically a username or password field) instead of interrupting the UI with the modal WebAuthn popup. If the user selects a passkey from the autofill options, then that passkey is used to authenticate. If you do this in a registration form, you can guide users to log in if they already have an account instead of creating a new one. A demo of this kind of flow is available on passkey.org . But note that this does not prevent registering multiple accounts, it just helps nudge users into a different flow.
Does that help?
[^1]: Except for enterprise attestation, but that is not available in consumer-grade authenticators.
MarklearnML
Hi, I would like to know if there is a method to ensure that an authenticator can only register one account for a specific RP. Is there a way to obtain the unique identifier of an authenticator (reject registration from server) or for the authenticator to reject registration of a new account if it detects that the RP already exists?