Logo

dev-resources.site

for different kinds of informations.

Update / Delete Passkeys via WebAuthn Signal API

Published at
9/20/2024
Categories
cybersecurity
ux
webauthn
passkeys
Author
vdelitz
Author
7 person written this
vdelitz
open
Update / Delete Passkeys via WebAuthn Signal API

As passkeys continue to revolutionize online authentication, it's important to keep them up-to-date and ensure seamless deletion when necessary. The WebAuthn Signal API offers developers a straightforward method for updating and deleting passkeys on client-side authenticators, ensuring users' information stays current across platforms. In this article, we'll walk through the key functions of this API and how it improves the passkey management experience.

Read the full, original blog post here

Why the WebAuthn Signal API is Important

The WebAuthn Signal API addresses two significant use cases: updating the meta-data of passkeys and deleting outdated passkeys on client-side authenticators. Traditionally, these tasks required inconvenient workarounds that could confuse users and clutter the credential selection interface. With this API, developers can streamline the process, offering a cleaner user experience while enhancing security.

1. Updating Meta-Data for Passkeys

When a user updates personal information, such as an email address, this change often doesn't reflect in their stored passkeys. This is because passkey meta-data - like user.name and user.displayName-is stored locally on the authenticator. Without the WebAuthn Signal API, developers had to manually delete and recreate passkeys, an inefficient process for both users and developers.

The WebAuthn Signal API provides a solution by allowing the update of passkey meta-data without the need to recreate credentials. This is done by sending a currentCredentials report that includes the updated user information, ensuring the data remains consistent across all devices. This makes sure that outdated information, like an old email address, no longer shows up in the UI, enhancing the user experience.

2. Deleting Passkeys on the Client-Side

Another key feature of the WebAuthn Signal API is the ability to delete passkeys that are no longer valid. Users might delete passkeys through account settings or delete their accounts, but without a way to remove these passkeys from the client-side authenticator, they may still appear in passkey autofill, causing confusion.

With the unknownCredential report, the WebAuthn Signal API allows developers to signal the deletion of specific credentials. This ensures that invalid or revoked passkeys are removed from future UI options, maintaining a clean and secure authentication process.

Implementing the WebAuthn Signal API: Key Considerations

Implementing this API involves some important considerations:

  • Privacy Preservation: The API ensures user privacy by not providing feedback to the relying party (RP) on whether updates or deletions were successfully processed. This prevents any potential leakage of sensitive information.
  • Authenticator Availability: For the WebAuthn Signal API to function, the authenticator must be available and support the required operations. This includes both hardware availability and software support (e.g., browser compatibility).
  • Credential ID as the Key: When referencing passkeys, the API relies on the Credential ID as the primary key, ensuring that only the correct credentials are updated or deleted.

Recommendations for Developers

  • Stay Updated on Implementation: The WebAuthn Signal API is expected to roll out initially with Google Chrome, followed by other browsers. Staying informed on its adoption will help ensure your implementation remains up-to-date.
  • Adopt a Consistent Update Strategy: Use the currentCredentials report after each successful login to ensure meta-data across all devices is synchronized.
  • Use Real-Time Messaging for Large Deployments: For large deployments, consider real-time messaging with unknownCredential reports to promptly remove invalid credentials.

Conclusion

The WebAuthn Signal API provides developers with essential tools for managing passkey updates and deletions, improving both user experience and security. By implementing this API, you can ensure that passkeys remain accurate and up-to-date, while also removing invalid credentials from the UI. As the WebAuthn standard evolves, staying on top of these changes will help maintain a seamless and secure authentication experience for your users.
Find out more on how to implement this API on Corbado's blog.

passkeys Article's
30 articles in total
Favicon
Ensuring Successful Passkey Deployment: Testing Strategies for Enterprises
Favicon
How to integrate Passkeys into Enterprise Stacks?
Favicon
Initial Planning & Technical Assessment for Passkeys
Favicon
How to build a Passkey Product, a Strategy and Design for it?
Favicon
How to Engage with Stakeholders in Passkey Projects?
Favicon
Update / Delete Passkeys via WebAuthn Signal API
Favicon
Introduction to Smart Wallets and Passkeys authentication
Favicon
Passkeys, Are passwords obsolete now?!
Favicon
Guide: How to Add Passkeys to Enterprise Systems
Favicon
No Matching Passkeys Available: Troubleshooting Your Login Issue
Favicon
How to Activate Apple Passkeys on MacBooks
Favicon
How to Activate Microsoft Passkeys on Windows
Favicon
How to Use Passkeys with Google Password Manager
Favicon
How to Verify User Accounts in Passkey-Based Systems
Favicon
Passkey One-Tap Login: The Most Efficient Login
Favicon
User Presence & Verification in WebAuthn: Detailed Guide
Favicon
Let's Make the Internet a Safer Place! State of Passkeys is Now Live on Product Hunt 🚀
Favicon
Payment Passkeys @ Mastercard: Revolution for Payment Security
Favicon
How to Integrate Passkeys in Python (FastAPI)
Favicon
Tutorial: Integrate Passkeys into Django (Python)
Favicon
Tutorial: How to Integrate Passkeys into Next.js
Favicon
Passkeys / WebAuthn Library v2.0 is there! 🎉
Favicon
WebAuthn PRF Extension, Related Origins & Passkey Upgrades
Favicon
How To Activate Apple Passkeys on iPhones
Favicon
Passkeys in Australia: Download Free Whitepaper
Favicon
Why B2C Auth is Fundamentally Broken
Favicon
Why B2C Auth is Fundamentally Broken
Favicon
WebAuthn & iframes Integration for Cross-Origin Authentication
Favicon
How Passkeys Protect Against Phishing
Favicon
Are Device-Bound Passkeys AAL2- or AAL3-Compliant?

Featured ones: