Explore the WebAuthn server options overview of early adopters to see configurations for passkey / WebAuthn creation and authentication ceremonies.
Vincent
Created: July 9, 2024
Updated: July 9, 2024
Our mission is to make the Internet a safer place, and the new login standard, passkeys, provides a superior solution to achieve that. That's why we want to help you understand passkeys and their characteristics better.
1. Introduction: WebAuthn Server Options
2. Understanding WebAuthn Server Options
3. Overview of Public Key Credential Creation Options
4. Overview of Public Key Credential Request Options
More and more organizations recognize the benefits of passkeys, so the implementation of WebAuthn servers has become a critical component of their authentication strategies.
This article explores the WebAuthn server options, focusing on PublicKeyCredentialCreationOptions and PublicKeyCredentialRequestOptions. By understanding how large tech companies like Google, Binance or Revolut have implemented their WebAuthn servers, developers and product managers can learn from these best practices for their own passkey integrations.
To effectively implement passkeys, it’s essential to grasp the core WebAuthn server options:
In the following table, you find an overview of best practices of large tech companies on how they have defined their PublicKeyCredentialCreationOptions.
Company | rp | user | challenge | pubKeyCredParams | timeout | excludeCredentials | authenticatorSelection | attestation | extensions |
---|---|---|---|---|---|---|---|---|---|
KAYAK | id: www.kayak.de name: KAYAK | displayName: user@corbado.com id: UjRD...NTOD0 name: user@corbado.com | ✔️ | alg: -7, type: public-key alg: -257, type: public-key | n/a | n/a | residentKey: required userVerification: preferred | none | n/a |
eBay | id: ebay.de name: ebay.de | displayName: user@corbado.com id: dm9y...NxY2U name: user@corbado.com | ✔️ | alg: -7, type: public-key alg: -35, type: public-key alg: -36, type: public-key alg: -257, type: public-key alg: -258, type: public-key alg: -259, type: public-key alg: -37, type: public-key alg: -38, type: public-key alg: -39, type: public-key alg: -1, type: public-key | n/a | n/a | residentKey: discouraged userVerification: required | direct | n/a |
Shopify | id: accounts.shopify.com name: Shopify | displayName: user@corbado.com id: Mzc3...jYzcw name: user@corbado.com | ✔️ | alg: -7, type: public-key alg: -37, type: public-key alg: -257, type: public-key | n/a | n/a | residentKey: required userVerification: preferred | none | n/a |
GitHub | id: github.com name: GitHub | displayName: user id: ooqg...OWeyA name: user | ✔️ | alg: -7, type: public-key alg: -257, type: public-key | n/a | id: ✔️ transports: internal type: public-key | residentKey: required userVerification: preferred | none | appIdExclude: https://github.com/u2f/trusted_facets credProps: true |
Adobe | id: adobe.com name: adobe.com | displayName: user@corbado.com id: amFu...LmRl name: user@corbado.com | ✔️ | alg: -7, type: public-key alg: -35, type: public-key alg: -36, type: public-key alg: -257, type: public-key | n/a | n/a | residentKey: preferred userVerification: preferred | direct | credProps: true |
Google | id: google.com name: Google | displayName: user@corbado.com id: R09P...3Mjc2 name: user@corbado.com | ✔️ | alg: -7, type: public-key alg: -257, type: public-key | n/a | id: ✔️ transports: usb, nfc, ble, hybrid, internal type: public-key | authenticatorAttachment: platform residentKey: preferred userVerification: preferred | direct | appIdExclude: https://www.gstatic.com/securitykey/origins.json |
Vercel | id: vercel.com name: Vercel | displayName: user-corbadocom id: MVVv...Q293 name: user-corbadocom | ✔️ | alg: -7, type: public-key alg: -257, type: public-key | n/a | n/a | residentKey: required userVerification: preferred | none | credProps: true |
Amazon | id: amazon.com name: Amazon | displayName: user id: OTI5...M2OA name: user@corbado.com | ✔️ | alg: -7, type: public-key | n/a | n/a | residentKey: required userVerification: preferred | direct | n/a |
Binance | id: binance.com name: Binance | displayName: Chrome V125.0.0.0 (Mac OS) id: OTA2...ODIz name: user@corbado.com | ✔️ | alg: -65535, type: public-key alg: -257, type: public-key alg: -258, type: public-key alg: -259, type: public-key alg: -37, type: public-key alg: -38, type: public-key alg: -39, type: public-key alg: -7, type: public-key alg: -35, type: public-key alg: -36, type: public-key alg: -8, type: public-key alg: -43, type: public-key | n/a | n/a | residentKey: discouraged userVerification: preferred | direct | credProps: true |
Best Buy | id: bestbuy.com name: Best Buy | displayName: user id: MTE4...NDA1 name: user@corbado.com | ✔️ | alg: -7, type: public-key alg: -257, type: public-key | n/a | n/a | authenticatorAttachment: platform residentKey: required userVerification: required | none | n/a |
Coinbase | id: coinbase.com name: Coinbase | displayName: user id: MDVm...ZDg4 name: user@corbado.com | ✔️ | alg: -7, type: public-key alg: -257, type: public-key alg: -65535, type: public-key | n/a | n/a | residentKey: preferred userVerification: preferred | direct | credProps: true |
Finom | id: app.finom.co name: app.finom.co | displayName: user id: amFu...LmRl name: user@corbado.com | ✔️ | alg: -7, type: public-key alg: -257, type: public-key alg: -37, type: public-key alg: -35, type: public-key alg: -258, type: public-key alg: -38, type: public-key alg: -36, type: public-key alg: -259, type: public-key alg: -39, type: public-key alg: -8, type: public-key | n/a | n/a | residentKey: discouraged userVerification: required | direct | n/a |
Microsoft | id: login.microsoft.com name: Microsoft | displayName: user id: TUY6...k61Y name: user@corbado.com | ✔️ | alg: -7, type: public-key alg: -257, type: public-key | n/a | n/a | residentKey: required userVerification: required | direct | credentialProtectionPolicy: userVerificationOptional enforceCredentialProtectionPolicy: false hmacCreateSecret: true |
Nintendo | id: accounts.nintendo.com name: Nintendo Account | displayName: user id: OTE4...ExNg name: user@corbado.com | ✔️ | alg: -7, type: public-key alg: -35, type: public-key alg: -36, type: public-key alg: -8, type: public-key | n/a | n/a | authenticatorAttachment: platform residentKey: required userVerification: required | none | n/a |
PlayStation | id: my.account.sony.com name: Sony | displayName: user@corbado.com id: dUZM...omeM name: user@corbado.com | ✔️ | alg: -7, type: public-key alg: -37, type: public-key alg: -257, type: public-key | n/a | n/a | residentKey: preferred userVerification: preferred | none | n/a |
Stripe | id: stripe.com name: Stripe Dashboard | displayName: user@corbado.com id: dXNy...VGVm name: user@corbado.com | ✔️ | alg: -7, type: public-key alg: -37, type: public-key alg: -257, type: public-key | n/a | n/a | residentKey: required userVerification: required | none | n/a |
Uber | id: uber.com name: Uber Inc. | displayName: 0176 xxxxxxxx id: 02c2...b4af name: 0176 xxxxxxxx | ✔️ | alg: -7, type: public-key alg: -35, type: public-key alg: -36, type: public-key alg: -257, type: public-key alg: -258, type: public-key alg: -259, type: public-key alg: -37, type: public-key alg: -38, type: public-key alg: -39, type: public-key alg: -8, type: public-key | n/a | n/a | authenticatorAttachment: platform residentKey: preferred userVerification: required | none | n/a |
In the following table, you find an overview of best practices of large tech companies on how they have defined their PublicKeyCredentialRequestOptions.
Company | challenge | timeout | rpId | allowCredentials | userVerification | extensions |
---|---|---|---|---|---|---|
PayPal | ✔ | n/a | paypal.com | id: transports: usb, nfc, ble, hybrid, internal type: public-key | required | n/a |
KAYAK | ✔ | n/a | kayak.de | id: transports: usb, nfc, ble, hybrid, internal type: public-key | preferred | n/a |
eBay | ✔ | n/a | ebay.de | n/a | required | n/a |
Shopify | ✔ | n/a | accounts.shopify.com | n/a | preferred | n/a |
GitHub | ✔ | n/a | github.com | n/a | required | n/a |
Adobe | ✔ | n/a | adobe.com | n/a | preferred | n/a |
Google | ✔ | n/a | google.com | id: transports: hybrid, internal type: public-key | preferred | n/a |
Vercel | ✔ | n/a | vercel.com | n/a | preferred | n/a |
Amazon | ✔ | n/a | amazon.com | id: transports: hybrid, internal type: public-key | preferred | n/a |
Binance | ✔ | n/a | binance.com | id: 50tFgDvoiCy4HsjkiwsEmykmsxE transports: hybrid, internal type: public-key | preferred | n/a |
Apple | ✔ | n/a | apple.com | id: QVbUFRZmiAZxElbC0CKP7zL_RGE transports: hybrid, internal type: public-key | preferred | largeBlob: read: true |
Best Buy | ✔ | n/a | bestbuy.com | n/a | required | n/a |
Coinbase | ✔ | n/a | coinbase.com | n/a | preferred | n/a |
Finom | ✔ | n/a | app.finom.co | id: QOzxfW9xaL3Ozg4u3WBv9wjdW8s transports: usb, nfc, ble, hybrid, internal type: public-key | required | n/a |
Microsoft | ✔ | n/a | login.microsoft.com | n/a | required | n/a |
Nintendo | ✔ | n/a | accounts.nintendo.com | n/a | required | n/a |
PlayStation | ✔ | n/a | my.account.sony.com | n/a | required | n/a |
Stripe | ✔ | n/a | stripe.com | n/a | required | n/a |
Uber | ✔ | n/a | uber.com | n/a | required | n/a |
For those looking to implement WebAuthn servers and use passkeys in the most user-friendly and secure way, we recommend the following WebAuthn server configurations:
PublicKeyCredentialCreationOptions
Relying Party
User
authenticatorSelection:
attestation: direct, so that you can get the AAGUID of the authenticators used and improve the UX
Extension: none
PublicKeyCredentialRequestOptions
In summary, leading tech companies like Google, Microsoft, eBay, and GitHub have successfully implemented passkeys. Make use of the common patterns in their WebAuthn server options to ensure the highest security and UX standards. This can significantly optimize your passkey implementation.