Update / Delete Passkeys via WebAuthn Signal API

vdelitz - Sep 20 - Dev Community

As passkeys continue to revolutionize online authentication, it's important to keep them up-to-date and ensure seamless deletion when necessary. The WebAuthn Signal API offers developers a straightforward method for updating and deleting passkeys on client-side authenticators, ensuring users' information stays current across platforms. In this article, we'll walk through the key functions of this API and how it improves the passkey management experience.


Why the WebAuthn Signal API is Important

The WebAuthn Signal API addresses two significant use cases: updating the meta-data of passkeys and deleting outdated passkeys on client-side authenticators. Traditionally, these tasks required inconvenient workarounds that could confuse users and clutter the credential selection interface. With this API, developers can streamline the process, offering a cleaner user experience while enhancing security.

1. Updating Meta-Data for Passkeys

When a user updates personal information, such as an email address, the change is often not reflected in their stored passkeys. This is because passkey meta-data, such as user.name and user.displayName, is stored locally on the authenticator. Without the WebAuthn Signal API, developers had to manually delete and recreate passkeys, an inefficient process for both users and developers.

The WebAuthn Signal API provides a solution by allowing the update of passkey meta-data without the need to recreate credentials. This is done by sending a currentCredentials report that includes the updated user information, ensuring the data remains consistent across all devices. This makes sure that outdated information, like an old email address, no longer shows up in the UI, enhancing the user experience.

2. Deleting Passkeys on the Client-Side

Another key feature of the WebAuthn Signal API is the ability to delete passkeys that are no longer valid. Users might delete passkeys through account settings or delete their accounts, but without a way to remove these passkeys from the client-side authenticator, they may still appear in passkey autofill, causing confusion.

With the unknownCredential report, the WebAuthn Signal API allows developers to signal the deletion of specific credentials. This ensures that invalid or revoked passkeys are removed from future UI options, maintaining a clean and secure authentication process.

Implementing the WebAuthn Signal API: Key Considerations

Implementing this API involves some important considerations:

  • Privacy Preservation: The API ensures user privacy by not providing feedback to the relying party (RP) on whether updates or deletions were successfully processed. This prevents any potential leakage of sensitive information.
  • Authenticator Availability: For the WebAuthn Signal API to function, the authenticator must be available and support the required operations. This includes both hardware availability and software support (e.g., browser compatibility).
  • Credential ID as the Key: When referencing passkeys, the API relies on the Credential ID as the primary key, ensuring that only the correct credentials are updated or deleted.

Recommendations for Developers

  • Stay Updated on Implementation: The WebAuthn Signal API is expected to roll out initially with Google Chrome, followed by other browsers. Staying informed on its adoption will help ensure your implementation remains up-to-date.
  • Adopt a Consistent Update Strategy: Use the currentCredentials report after each successful login to ensure meta-data across all devices is synchronized.
  • Use Real-Time Messaging for Large Deployments: For large deployments, consider real-time messaging with unknownCredential reports to promptly remove invalid credentials.
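
The following sketch is an added example, not code from the original article or from Corbado. It sends an update after a successful login and a deletion signal when the server rejects a Credential ID, using the method names of the current WebAuthn Signal API (signalCurrentUserDetails, signalAllAcceptedCredentials, signalUnknownCredential), which cover what this article calls the currentCredentials and unknownCredential reports. The event shapes, the rpId and the injectable pkc parameter are assumptions made for illustration.

```javascript
// Added example. Method names follow the WebAuthn Signal API; the rpId, IDs,
// event shapes and the injectable `pkc` parameter are constructed for illustration.

// Signal API options carry IDs as base64url strings, not ArrayBuffers.
function toBase64Url(bytes) {
  let bin = "";
  for (const b of new Uint8Array(bytes)) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Map a relying-party event to the signals to send (pure, so it is testable).
function planSignals(rpId, event) {
  switch (event.type) {
    case "login-succeeded": // refresh meta-data and the list of valid credential IDs
      return [
        { method: "signalCurrentUserDetails",
          options: { rpId, userId: event.userId, name: event.name, displayName: event.displayName } },
        { method: "signalAllAcceptedCredentials",
          options: { rpId, userId: event.userId, allAcceptedCredentialIds: event.credentialIds } },
      ];
    case "credential-rejected": // server no longer knows this Credential ID
      return [{ method: "signalUnknownCredential",
                options: { rpId, credentialId: toBase64Url(event.rawId) } }];
    default:
      return [];
  }
}

// Send the planned signals, skipping methods the browser does not implement.
async function sendSignals(plans, pkc = globalThis.PublicKeyCredential) {
  const attempted = [];
  for (const { method, options } of plans) {
    if (!pkc || typeof pkc[method] !== "function") continue; // feature detection
    try {
      await pkc[method](options); // resolves without saying whether anything changed
      attempted.push(method);
    } catch (err) {
      console.warn(`${method} rejected: ${err.name}`); // e.g. malformed ID or rpId mismatch
    }
  }
  return attempted; // "attempted", never "confirmed": the RP gets no feedback
}
```

Because the relying party never learns whether a signal was applied, server-side revocation of the credential remains the authoritative control; the signal only tidies the client-side UI.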

Conclusion

The WebAuthn Signal API provides developers with essential tools for managing passkey updates and deletions, improving both user experience and security. By implementing this API, you can ensure that passkeys remain accurate and up-to-date, while also removing invalid credentials from the UI. As the WebAuthn standard evolves, staying on top of these changes will help maintain a seamless and secure authentication experience for your users.
Find out more on how to implement this API on Corbado's blog.
