What is a Discoverable Credential?
A Discoverable Credential is a type of credential in WebAuthn, often used for passkeys, that is stored directly on the authenticator (e.g., security key like YubiKey, smartphone's secure enclave).
Key Characteristics:
- Stored Locally: Unlike non-resident keys, discoverable credentials are stored on the authenticator itself.
- Easy Identification: The client can locate them without the relying party supplying a credential ID, because the authenticator can look up its own credentials for a given Relying Party ID.
- User Experience Benefits: They offer a streamlined login process, often supporting features like Conditional UI for autofill, enhancing user experience by reducing the need to remember or input user handles.
- Security and Device-Specific Authentication: Tying authentication to a specific device adds an extra security layer.
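The characteristics above map onto a few specific WebAuthn options. The following is an added example, not code from the original page: it shows how a relying party's front end asks the browser for a discoverable credential at registration (`residentKey: "required"`), how it later starts a Conditional UI login (empty `allowCredentials` plus `mediation: "conditional"`), and a small check that the creation options really demand discoverability rather than merely preferring it. The function names, the `example.com` Relying Party ID and the challenge bytes are constructed for the example.

```javascript
// Added example, not part of the original page. Function names, the RP ID
// and the challenge are constructed sample values.
const RP_ID = "example.com"; // assumed Relying Party ID

// Constructed challenge; a real server generates a fresh random one per ceremony.
function sampleChallenge() {
  return new Uint8Array(32).map((_, i) => i); // deterministic for the example
}

// Registration: residentKey "required" tells the authenticator to keep the
// private key and user handle on itself, which is what makes the credential
// discoverable. credProps asks the client to report whether it actually did.
function buildCreateOptions(userId, userName, challenge = sampleChallenge()) {
  return {
    publicKey: {
      rp: { id: RP_ID, name: "Example Service" },
      user: { id: userId, name: userName, displayName: userName },
      challenge,
      pubKeyCredParams: [
        { type: "public-key", alg: -7 }, // ES256
        { type: "public-key", alg: -257 }, // RS256
      ],
      authenticatorSelection: {
        residentKey: "required",
        requireResidentKey: true, // older spelling, kept for clients that predate residentKey
        userVerification: "required",
      },
      extensions: { credProps: true },
    },
  };
}

// Authentication with Conditional UI: an empty allowCredentials list leaves
// the authenticator to enumerate its own credentials for rpId, and
// mediation "conditional" lets the browser offer them through autofill.
function buildGetOptions(challenge = sampleChallenge()) {
  return {
    mediation: "conditional",
    publicKey: {
      rpId: RP_ID,
      challenge,
      allowCredentials: [],
      userVerification: "required",
    },
  };
}

// Does this creation request actually demand a discoverable credential?
// "preferred" is not enough: the authenticator may fall back to a
// non-discoverable credential, so an RP that relies on usernameless login
// should require it and confirm via credProps.rk after creation.
function requestsDiscoverable(createOptions) {
  const sel = (createOptions.publicKey || {}).authenticatorSelection || {};
  return sel.residentKey === "required" || sel.requireResidentKey === true;
}

// Browser-only usage; navigator is touched only when this is called.
async function registerPasskey(userId, userName) {
  const cred = await navigator.credentials.create(buildCreateOptions(userId, userName));
  const props = cred.getClientExtensionResults().credProps;
  // rk === true confirms the authenticator stored a discoverable credential.
  return { credential: cred, discoverable: props ? props.rk === true : undefined };
}
```

`requestsDiscoverable` is the check to run on options before shipping them: a request that only prefers a resident key can silently yield a credential that will not show up in Conditional UI, and the `credProps.rk` result is the only confirmation the RP gets.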
Limitations:
- Storage Capacity: Authenticators have a finite storage capacity for these keys.
- Risk with Loss of Authenticator: If the authenticator is lost or damaged, all resident keys on that device are also lost.
- Security Risks: Although minimal, there's a risk of key extraction if the authenticator is stolen.
Key Takeaways
- A Discoverable Credential is a WebAuthn credential stored on the authenticator, allowing for easier and more secure authentication.
- Offers a streamlined login experience with features like Conditional UI, making it user-friendly.
- Limited by the storage capacity of the authenticator and poses risks if the authenticator is lost or compromised.
- Primarily used in scenarios where device-specific authentication is required for enhanced security.
Understanding Discoverable Credentials:
- Role in WebAuthn Ecosystem: They are integral to the WebAuthn framework, ensuring secure and user-friendly authentication processes.
- Technical Aspects: They utilize public-private key cryptography, stored directly on the device, offering a more secure form of authentication compared to traditional methods like passwords.
- Usage Scenarios: Ideal for personal devices like smartphones or laptops where frequent authentication is common.
Comparison with Non-Resident Keys:
- Storage: Non-resident keys are not stored on the device; the authenticator re-derives them from the credential ID the relying party supplies each time authentication is needed.
- User Experience: Non-resident keys generally require the user to identify themselves first (for example by entering a user handle) so the relying party can supply the right credential IDs, unlike discoverable credentials.
- Scalability: Non-resident keys offer more scalability as they are not limited by device storage.
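The storage and user-experience differences above are visible on the relying-party side as two different login flows. The following is an added example, not code from the original page: a non-discoverable login has to start from a username so the server can send the user's credential IDs in `allowCredentials`, whereas a discoverable login sends an empty list and learns who signed in from the `userHandle` in the assertion. The example also shows the check a server must keep even in the discoverable flow: the returned credential ID has to belong to the user that the handle names. The user store, the function names and all record values are constructed.

```javascript
// Added example, not part of the original page. The user store, function
// names and sample records are constructed.

// Constructed user store keyed by the opaque user handle the RP chose at
// registration. Each user owns a list of credential IDs (base64url strings).
const userDb = new Map([
  ["u-1001", { name: "alice", credentialIds: ["cred-alice-1", "cred-alice-2"] }],
  ["u-1002", { name: "bob", credentialIds: ["cred-bob-1"] }],
]);

// Non-discoverable flow: the user must first say who they are so the RP can
// look up the credential IDs (key handles) that the authenticator needs to
// re-derive the key, and send them in allowCredentials.
function beginNonDiscoverableLogin(userName) {
  const entry = [...userDb.entries()].find(([, u]) => u.name === userName);
  // A real server answers unknown names with the same shape and timing as
  // known ones so the endpoint does not reveal which accounts exist.
  if (!entry) return null;
  const [, user] = entry;
  return {
    allowCredentials: user.credentialIds.map((id) => ({ type: "public-key", id })),
  };
}

// Discoverable flow: no username and no lookup; the authenticator picks
// from the credentials it stores for this rpId.
function beginDiscoverableLogin() {
  return { allowCredentials: [] };
}

// After a discoverable assertion the RP learns who signed in from the
// userHandle the authenticator returns. The credential ID must still agree
// with the RP's own records for that user; a mismatch is rejected rather
// than trusting the handle on its own.
function resolveDiscoverableAssertion(assertion) {
  const user = userDb.get(assertion.userHandle);
  if (!user) return { ok: false, reason: "unknown user handle" };
  if (!user.credentialIds.includes(assertion.credentialId)) {
    return { ok: false, reason: "credential not registered to this user" };
  }
  // In a real deployment the signature over authenticatorData || clientDataHash
  // is verified here with the public key stored for assertion.credentialId.
  return { ok: true, userName: user.name };
}
```

The scalability point follows from `beginNonDiscoverableLogin`: because the server holds the credential IDs and the authenticator re-derives the key from them, nothing is consumed on the authenticator per account. `beginDiscoverableLogin` costs a stored slot on the authenticator for every account, which is the finite-storage limitation listed earlier.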
Best Practices for Implementing Discoverable Credentials:
- Consider User Base: Ideal for services where users primarily access from personal devices.
- Balance Security and Convenience: While offering enhanced security, be mindful of the potential risks and limitations.
- Educate Users: Inform users about the functionality and benefits of using discoverable credentials.
Discoverable Credential FAQs
What are Discoverable Credentials in WebAuthn?
- Discoverable Credentials in WebAuthn are types of credentials stored directly on the authenticator, allowing for more secure and user-friendly authentication processes.
How do Discoverable Credentials enhance user experience?
- They streamline the login process by supporting features like Conditional UI, reducing the need for users to remember or input user handles.
What are the limitations of Discoverable Credentials?
- Their main limitations include the finite storage capacity of authenticators and the risk of losing access to credentials if the authenticator is lost or compromised.
Are Discoverable Credentials more secure than traditional authentication methods?
- Yes, they offer enhanced security by storing credentials directly on the device and using public-private key cryptography, making them more secure than traditional password-based methods.