by Stepan Suvorov
Christiaan Brand
Security & Identity, Google
Maud Nalpas
Web security & privacy, Google
Something you know
Something you have
Something you are
Somewhere you are
Public 🔑
 Private 🔑
CTAP
WebAuthn
Public 🔑
 Private 🔑
Public 🔑
challenge
signed package with challenge
Syncing
Passkeys are not stored on a single device
Cross-device
Passkeys on one device can be used on a different device
Discoverable
Passkeys contain metadata that allows your system to present the passkey to you
navigator.credentials.create({
  publicKey: options
});
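const publicKeyCredentialCreationOptions = {
  // Placeholder byte; use the random challenge generated by the server.
  // (new ArrayBuffer([219]) would allocate 219 zero bytes, not the byte 219.)
  challenge: new Uint8Array([219]),
  rp: {
    name: "Slides",
    id: "slides.com",
  },
  user: {
    // Placeholder byte; use the opaque user handle issued by the server
    id: new Uint8Array([137]),
    name: "elisabeckett",
    displayName: "Elisa Beckett",
  },
  // -7 is the COSE identifier for ES256 (ECDSA with P-256 and SHA-256)
  pubKeyCredParams: [{alg: -7, type: "public-key"}],
  authenticatorSelection: {
    authenticatorAttachment: "platform",
    // Ask for a discoverable credential
    requireResidentKey: true,
  },
  timeout: 30000
};
const credential = await navigator.credentials.create({
  publicKey: publicKeyCredentialCreationOptions
});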
navigator.credentials.get({
  publicKey: requestOptions,
  mediation: 'conditional'
});
// Availability of 'window.PublicKeyCredential' means WebAuthn is usable.
if (window.PublicKeyCredential &&
    PublicKeyCredential.isConditionalMediationAvailable) {
  // Check if conditional mediation is available.
  const isCMA = await PublicKeyCredential.isConditionalMediationAvailable();
  if (isCMA) {
    // Call WebAuthn authentication
  }
}
const publicKeyCredentialRequestOptions = {
  // Server generated challenge (placeholder byte shown here;
  // new ArrayBuffer([219]) would allocate 219 zero bytes instead)
  challenge: new Uint8Array([219]),
  // The same RP ID as used during registration
  rpId: 'slides.com',
};
const credential = await navigator.credentials.get({
  publicKey: publicKeyCredentialRequestOptions,
  // Specify 'conditional' to activate conditional UI
  mediation: 'conditional'
});
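What the relying party checks on the response from navigator.credentials.get() before accepting the "signed package with challenge", as an added example that is not from the slides. The helper verifyAssertion, the in-process stand-in for the authenticator and all sample values are assumptions made for illustration.

```javascript
// Added example, not from the slides; all sample values are constructed.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto; // fallback: older Node
const enc = new TextEncoder();
const sha256 = async (d) => new Uint8Array(await wc.subtle.digest("SHA-256", d));
const b64url = (bytes) => btoa(String.fromCharCode(...bytes))
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const concat = (a, b) => Uint8Array.from([...a, ...b]);
const ES256 = { name: "ECDSA", hash: "SHA-256" };

// Hypothetical helper: returns "ok" or the name of the first failed check.
async function verifyAssertion(a, expected, publicKey) {
  const clientData = JSON.parse(new TextDecoder().decode(a.clientDataJSON));
  if (clientData.type !== "webauthn.get") return "type";
  if (clientData.challenge !== b64url(expected.challenge)) return "challenge";
  if (clientData.origin !== expected.origin) return "origin";
  const rpIdHash = await sha256(enc.encode(expected.rpId));
  if (!rpIdHash.every((byte, i) => byte === a.authenticatorData[i])) return "rpIdHash";
  if ((a.authenticatorData[32] & 0x01) === 0) return "userPresent";
  // The signature covers authenticatorData || SHA-256(clientDataJSON).
  const signed = concat(a.authenticatorData, await sha256(a.clientDataJSON));
  // Real ES256 assertions carry a DER signature; WebCrypto wants raw r||s,
  // so convert first. This demo signs with WebCrypto and skips that step.
  const valid = await wc.subtle.verify(ES256, publicKey, a.signature, signed);
  return valid ? "ok" : "signature";
}

// Constructed stand-in for the authenticator and browser.
async function demo() {
  const keys = await wc.subtle.generateKey(
    { name: "ECDSA", namedCurve: "P-256" }, false, ["sign", "verify"]);
  const expected = { challenge: wc.getRandomValues(new Uint8Array(32)),
    origin: "https://slides.com", rpId: "slides.com" };
  const sign = async (challenge, origin) => {
    const clientDataJSON = enc.encode(JSON.stringify(
      { type: "webauthn.get", challenge: b64url(challenge), origin }));
    // rpIdHash (32 bytes) | flags 0x05 = UP+UV | signCount = 1
    const authenticatorData = concat(
      await sha256(enc.encode("slides.com")), [0x05, 0, 0, 0, 1]);
    const signed = concat(authenticatorData, await sha256(clientDataJSON));
    const signature = new Uint8Array(await wc.subtle.sign(ES256, keys.privateKey, signed));
    return { clientDataJSON, authenticatorData, signature };
  };
  const good = await sign(expected.challenge, expected.origin);
  const stale = await sign(new Uint8Array(32), expected.origin);
  const phished = await sign(expected.challenge, "https://slides.example");
  const tampered = { ...good, authenticatorData: good.authenticatorData.slice() };
  tampered.authenticatorData[36] ^= 1; // counter changed after signing
  return Promise.all([good, stale, phished, tampered]
    .map((a) => verifyAssertion(a, expected, keys.publicKey)));
}
```

demo() resolves to one result per case: the valid assertion, a response to a stale challenge, a response from another origin, and authenticator data modified after signing.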
Passkeys are here
It might take time for regulation to catch up
Passkeys are new: It’ll take users some time to become accustomed