PublicKeyCredential

PublicKeyCredential is a class in the Web Authentication API (WebAuthn) used to represent a public-key based credential on a user’s device. It is part of the WebAuthn standard developed by the W3C in collaboration with the FIDO Alliance. PublicKeyCredential objects are produced by the WebAuthn flows, typically through calls to navigator.credentials.create for registering new credentials and navigator.credentials.get for authenticating with existing ones. They enable passwordless logins and phishing-resistant multi-factor authentication.

Structure and properties: PublicKeyCredential extends the Credential interface. Its primary properties include id (a string identifier for the credential), type (usually "public-key"), and rawId (an ArrayBuffer containing the binary credential identifier). The response property contains an AuthenticatorResponse, which is either an AuthenticatorAttestationResponse (on creation) or an AuthenticatorAssertionResponse (on authentication). AuthenticatorAttestationResponse provides clientDataJSON and attestationObject, while AuthenticatorAssertionResponse provides clientDataJSON, authenticatorData, signature, and userHandle. These data elements are used by the relying party server to verify the credential and the authentication assertion.

Usage overview: To create a credential, a relying party supplies PublicKeyCredentialCreationOptions, including a challenge, relying party identifier, user information, and cryptographic parameters; the user completes the action on a compatible authenticator. To authenticate, PublicKeyCredentialRequestOptions with a challenge is supplied; the resulting PublicKeyCredential contains assertion data that the server verifies against the registered credential and user. The process is bound to the origin and the relying party, offering stronger security against phishing.

Compatibility and considerations: WebAuthn is supported by major browsers across platforms, with various authenticators (built-in, USB, or BLE). Implementations must enforce origin checks, challenge freshness, and appropriate user verification policies, and must securely process attestation and assertion data on the server side.