Read full blogpost

How to prevent creation of multiple passkeys for 1 account?

Vincent Delitz

Vincent

Created: February 3, 2025

Updated: February 17, 2025

Do you want to learn more?

Read full blog post

How to Prevent Creation of Multiple Passkeys for One Account?#

In WebAuthn-based authentication, it is possible for users to create multiple passkeys for the same account across different devices or passkey providers. While this improves redundancy and accessibility, some organizations may want to restrict multiple passkey registrations to prevent confusion or enforce security policies.

Ways to Prevent Multiple Passkeys for One Account#

  1. Use the excludeCredentials Parameter

    • WebAuthn provides a built-in feature called excludeCredentials, which prevents users from registering multiple passkeys for the same account.
    • During passkey registration, the server checks if the user already has an existing passkey and blocks additional registrations.

    Example:

    {
  "challenge": "random-challenge-string",
  "rp": { "name": "Example Corp", "id": "example.com" },
  "user": { "id": "user-id", "name": "user@example.com", "displayName": "User Name" },
  "excludeCredentials": [
    {
      "id": "existing-passkey-id",
      "type": "public-key"
    }
  ],
  "authenticatorSelection": { "residentKey": "preferred" },
  "attestation": "none",
  "pubKeyCredParams": [{ "type": "public-key", "alg": -7 }]
}

2. Restrict Passkey Registration Per User
  - Implement server-side validation to limit each user to a single registered passkey.
  - Before allowing a new passkey registration, check the user’s existing credentials in your database.

3. Provide UI Feedback on Existing Passkeys
  - Inform users when they attempt to register a new passkey if one already exists.
  - Offer users an option to delete or replace their previous passkey.

<CustomBanner type="Substack"/>

4. Implement Admin Controls for Passkey Management
Enterprise environments can enforce passkey policies through an admin panel where IT teams can limit passkey creation.

5. Educate Users on Passkey Best Practices
Instead of blocking multiple passkeys, educate users on how to manage them properly, ensuring they have a backup passkey in case of device loss.

### Conclusion
By using WebAuthn’s excludeCredentials parameter, implementing server-side checks, and providing user-friendly feedback, organizations can prevent the unnecessary creation of multiple passkeys for a single account while maintaining secure and seamless authentication.

Do you want to learn more?

Read full blog post

Share this article

LinkedInTwitterFacebook

Enjoyed this read?

🤝 Join our Passkeys Community

Share passkeys implementation tips and get support to free the world from passwords.

Join for free

🚀 Subscribe to Substack

Get the latest news, strategies, and insights about passkeys sent straight to your inbox.

Subscribe for free

Related FAQs

Related Terms

Related Articles

nextjs totp banner
Engineering

How to create a Time-based One-Time Password (TOTP) in Next.js

Vincent - December 30, 2024

iframe passkeys webauthn cover
WebAuthn Know-How

Passkeys & iframes: How to Create & Login with a Passkey?

Vincent - June 3, 2024

password reset increase customer retention
Passkeys Strategy

How to Use Password Resets to Increase Customer Retention

Janina - December 14, 2022