What is authenticatorSelection in WebAuthn?

In WebAuthn, authenticatorSelection is an important part of the PublicKeyCredentialCreationOptions object. This feature enables Relying Parties (RPs) to specify criteria for selecting the appropriate authenticators during the create() operation. Its importance lies in:

• Defining Authenticator Requirements: Dictates the type of authenticators that can participate in the registration process.
• Authenticator Attachment: Determines if the authenticator is a platform (e.g. Face ID, Touch ID, Windows Hello) or a cross-platform (roaming) authenticator.
• User Verification: Sets the requirement for user verification (e.g., "preferred", "required," or "discouraged").

Become part of our Passkeys Community for updates and support.

Join

    "authenticatorSelection": {
      "authenticatorAttachment": "platform",
      "residentKey": "required",
      "requireResidentKey": false,
      "userVerification": "required",
    }

Continue reading for a breakdown of the possible values and configurations of authenticatorSelection.

authenticatorSelection in WebAuthn is essential for ensuring that the authentication process aligns with specific security requirements and user experience preferences. It offers Relying Parties the flexibility to tailor the registration process according to their security needs.

Here's an overview over the possible values, as specified in the WebAuthn specification:

Possible values:

• Platform: The authenticator is attached to the client's platform and is therefore not removable.
• Cross-platform: The authenticator is not bound to the client's platform and can be used on multiple devices.

This value specifies whether the Relying Party wants to create a discoverable credential. Possible values are:

• required: The authenticator must create a resident key and the operation should fail if this is not possible.
• preferred: The authenticator should try to create a resident key and should create a non-resident key if this is not possible.
• discouraged: The authenticator must create a non-resident keyand the operation should fail if this is not possible.

This value is just used for backwards compatibility with WebAuthn level 1, being set to "true" if residentKey is set to "required".

Subscribe to our Passkeys Substack for the latest news, insights and strategies.

Subscribe

This value indicates whether User Verification is required for the operation. Possible values are:

• required: The operation must verify the user.
• preferred: The operations should verify the user, but can proceed without it (standard value).
• discouraged: The operation should not verify the user.

Warning: If set to "preferred" the authenticator may skip the user verification in the authentication process. Read more about this issue in this article.

authenticatorSelection in WebAuthn allows Relying Parties to specify the type of authenticators that are suitable for their authentication process, including the requirement for user verification and the type of authenticator.

It impacts user experience by determining the type of authenticator used (platform or roaming) and setting the level of user verification, thereby influencing the ease and security of the authentication process.

Want to experiment with passkey flows? Try our Passkeys Debugger.

Try for Free

The authenticatorAttachment setting in authenticatorSelection dictates whether a fixed platform authenticator or a removable cross-platform authenticator is required, affecting the physical and functional characteristics of the authentication process.