
What is authenticatorSelection in WebAuthn?

Understand authenticatorSelection in WebAuthn, a method to define authenticator requirements, enhancing the security and user experience in WebAuthn.

Vincent Delitz

Created: December 18, 2023

Updated: May 12, 2026

authenticatorSelection enables Relying Parties in WebAuthn to specify criteria for selecting the appropriate authenticators during the create() operation.

What is authenticatorSelection?

In WebAuthn, authenticatorSelection is an important part of the PublicKeyCredentialCreationOptions object. This feature enables Relying Parties (RPs) to specify criteria for selecting the appropriate authenticators during the create() operation. Its importance lies in:

  • Defining Authenticator Requirements: Dictates the type of authenticators that can participate in the registration process.
  • Authenticator Attachment: Determines if the authenticator is a platform (e.g. Face ID, Touch ID, Windows Hello) or a cross-platform (roaming) authenticator.
  • User Verification: Sets the requirement for user verification (e.g., "preferred", "required", or "discouraged").

Example:

    "authenticatorSelection": {
      "authenticatorAttachment": "platform",
      "residentKey": "required",
      "requireResidentKey": true,
      "userVerification": "required"
    }

Continue reading for a breakdown of the possible values and configurations of authenticatorSelection.

Key Takeaways

  • authenticatorSelection specifies requirements for choosing authenticators in WebAuthn.
  • It includes authenticator attachment modality and user verification requirements.
  • Enhances security by allowing precise control over the authentication process.

authenticatorSelection in WebAuthn is essential for ensuring that the authentication process aligns with specific security requirements and user experience preferences. It offers Relying Parties the flexibility to tailor the registration process according to their security needs.

Here's an overview of the possible values, as specified in the WebAuthn specification:

authenticatorAttachment

Possible values:

  • platform: The authenticator is attached to the client's platform and is therefore not removable.
  • cross-platform: The authenticator is not bound to the client's platform and can be used on multiple devices.

residentKey

This value specifies whether the Relying Party wants to create a discoverable credential. Possible values are:

  • required: The authenticator must create a resident key and the operation should fail if this is not possible.
  • preferred: The authenticator should try to create a resident key and should create a non-resident key if this is not possible.
  • discouraged: The authenticator must create a non-resident key and the operation should fail if this is not possible.

requireResidentKey

This value is only used for backwards compatibility with WebAuthn Level 1. It is set to true if residentKey is set to "required".

userVerification

This value indicates whether User Verification is required for the operation. Possible values are:

  • required: The operation must verify the user.
  • preferred: The operation should verify the user, but can proceed without it (default value).
  • discouraged: The operation should not verify the user.

Warning: If set to "preferred", the authenticator may skip user verification in the authentication process. Read more about this issue in this article.
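Because "preferred" lets the ceremony succeed without user verification, the Relying Party server has to read the UV flag in the returned authenticator data itself. The following is an added example, not code from the original article: the function names are hypothetical, the sample bytes are constructed, and signature and rpIdHash validation are assumed to happen elsewhere.

```javascript
// Authenticator data layout (WebAuthn):
//   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
const FLAG_UP = 0x01; // bit 0: user present
const FLAG_UV = 0x04; // bit 2: user verified
const UV_POLICIES = ["required", "preferred", "discouraged"];

function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticator data must be a Uint8Array of at least 37 bytes");
  }
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const flags = bytes[32];
  return {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// `policy` is the userVerification value the RP sent in its options.
function checkUserVerification(authData, policy) {
  if (!UV_POLICIES.includes(policy)) {
    throw new Error("unknown userVerification value: " + policy);
  }
  const { userVerified } = parseAuthenticatorData(authData);
  if (policy === "required" && !userVerified) {
    return { ok: false, userVerified, reason: "UV flag not set although userVerification was required" };
  }
  // "preferred" / "discouraged": accepted either way; the caller sees whether
  // verification actually happened and can ask for a second factor if not.
  return { ok: true, userVerified };
}

// Constructed sample input: filler rpIdHash, chosen flags and counter.
function sampleAuthData(flags, signCount) {
  const bytes = new Uint8Array(37);
  bytes.fill(0xaa, 0, 32);
  bytes[32] = flags;
  new DataView(bytes.buffer).setUint32(33, signCount, false);
  return bytes;
}

console.log(checkUserVerification(sampleAuthData(0x01, 7), "required"));  // UP only
console.log(checkUserVerification(sampleAuthData(0x01, 7), "preferred")); // UP only
console.log(checkUserVerification(sampleAuthData(0x05, 8), "required"));  // UP + UV
```
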


authenticatorSelection FAQs

What function does authenticatorSelection serve in WebAuthn?

authenticatorSelection in WebAuthn allows Relying Parties to specify the type of authenticators that are suitable for their authentication process, including the requirement for user verification and the type of authenticator.

How does authenticatorSelection impact the user experience in authentication?

It impacts user experience by determining the type of authenticator used (platform or roaming) and setting the level of user verification, thereby influencing the ease and security of the authentication process.


What are the implications of the authenticatorAttachment setting in authenticatorSelection?

The authenticatorAttachment setting in authenticatorSelection dictates whether a fixed platform authenticator or a removable cross-platform authenticator is required, affecting the physical and functional characteristics of the authentication process.
