Understanding WebAuthn credential protection policy
4 hours ago
- #Authentication
- #Security
- #WebAuthn
- WebAuthn's credential protection policy (the credProtect extension) controls whether a credential can be discovered or used without user verification, primarily so that an authenticator does not reveal that an account's credential exists to someone who has not performed user verification.
- The credentialProtectionPolicy extension input takes one of three values: userVerificationOptional allows the credential to be discovered and used without user verification; userVerificationOptionalWithCredentialIDList prevents discovery without user verification but still allows use without it when the relying party supplies the credential ID; userVerificationRequired requires user verification for both discovery and use.
- The enforceCredentialProtectionPolicy extension input determines whether the operation should fail when the authenticator does not support the requested policy; setting it to true makes registration fail rather than silently creating a credential with a weaker protection level, which matters mainly for roaming authenticators.
- Browser support varies: Chrome and Firefox pass the extension inputs through, while Safari ignores them. Chrome also applies defaults when the relying party sets none, such as userVerificationOptionalWithCredentialIDList when residentKey is preferred or required.
- Chrome may raise the default to userVerificationRequired when residentKey is required and userVerification is preferred, so that verification is enforced on the authenticator; because these defaults differ by browser and are ignored by some, the relying party must still enforce its policy server-side rather than trust the client, or unauthorized access remains possible.
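As an added example, not from the original note, here is the server-side half of that enforcement: the authenticator reports the level it actually applied as a `credProtect` entry (1, 2 or 3 for the three policies above) in the extensions map of the authenticator data, and the relying party should parse that and compare it with the policy it requested instead of assuming the browser applied it. The sample authenticator data is constructed for the example (zero rpIdHash and AAGUID, a placeholder COSE key), not captured from a real authenticator.

```javascript
// Minimal CBOR decoder: unsigned/negative ints, byte and text strings, maps.
// Enough to walk the COSE public key and the extensions map in authenticator data.
function cborDecode(b, pos = 0) {
  const major = b[pos] >> 5, info = b[pos] & 0x1f;
  let n = info;
  pos += 1;
  if (info === 24) { n = b[pos]; pos += 1; }
  else if (info === 25) { n = (b[pos] << 8) | b[pos + 1]; pos += 2; }
  else if (info > 25) throw new Error("unsupported CBOR length encoding");
  if (major === 0) return [n, pos];
  if (major === 1) return [-1 - n, pos];
  if (major === 2) return [b.slice(pos, pos + n), pos + n];
  if (major === 3) return [new TextDecoder().decode(b.slice(pos, pos + n)), pos + n];
  if (major === 5) {
    const m = new Map();
    for (let i = 0; i < n; i++) { let k, v; [k, pos] = cborDecode(b, pos); [v, pos] = cborDecode(b, pos); m.set(k, v); }
    return [m, pos];
  }
  throw new Error("unsupported CBOR major type " + major);
}

// Extract the credProtect level the authenticator reported in authData, or null if absent.
function credProtectLevel(authData) {
  const flags = authData[32], AT = 0x40, ED = 0x80;
  let pos = 37; // rpIdHash (32) + flags (1) + signCount (4)
  if (flags & AT) {
    pos += 16; // AAGUID
    const idLen = (authData[pos] << 8) | authData[pos + 1];
    pos += 2 + idLen; // credentialId
    [, pos] = cborDecode(authData, pos); // skip the COSE public key
  }
  if (!(flags & ED)) return null; // no extension outputs at all
  const [ext] = cborDecode(authData, pos);
  return ext.get("credProtect") ?? null;
}

const CRED_PROTECT_LEVEL = { userVerificationOptional: 1, userVerificationOptionalWithCredentialIDList: 2, userVerificationRequired: 3 };

// Server-side enforcement: accept the registration only if the reported level is at least the requested one.
function registrationMeetsPolicy(authData, requiredPolicy) {
  const got = credProtectLevel(authData);
  return got !== null && got >= CRED_PROTECT_LEVEL[requiredPolicy];
}

// Constructed sample authData (not from a real authenticator): zero rpIdHash and AAGUID, flags UP|AT|ED,
// a 4-byte credential id, placeholder COSE key {1: 2, 3: -7}, then extensions {"credProtect": 3}.
const SAMPLE_AUTH_DATA = Uint8Array.from([
  ...new Array(32).fill(0), 0xc1, 0, 0, 0, 0, ...new Array(16).fill(0),
  0x00, 0x04, 0xde, 0xad, 0xbe, 0xef,
  0xa2, 0x01, 0x02, 0x03, 0x26,
  0xa1, 0x6b, ...Array.from("credProtect", c => c.charCodeAt(0)), 0x03,
]);
```

A registration whose authenticator data carries no credProtect output (ED flag clear, or a map without the key) is treated as not meeting any policy, which is the safe default when enforceCredentialProtectionPolicy was false and the authenticator silently ignored the request.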