site address: web.dev/articles/passkey-registration redirected to: web.dev/articles/passkey-registration

site title: Bluesky

Our opinion (on Monday 27 April 2026 13:38:10 UTC):

- no comments

After content analysis of this website we propose the following hashtags:

Meta tags:
description=Passkeys make a website's user accounts safer, simpler, easier to use and passwordless. This document discusses how to allow users to create passkeys for your website.;

Headings (most frequently used words):

the, passkey, create, to, for, save, content, send, backend, credential, web, dev, passwordless, logins, stay, organized, with, collections, and, categorize, based, on, your, preferences, how, creating, works, compatibilities, new, notification, user, checklist, resources, check, compatibility, fetch, information, from, call, webauthn, api, returned, public, key, signal, if, registration, fails, contribute, related, follow,

Text of the page (most frequently used words):
the (234), passkey (90), and (61), user (57), for (42), #credential (36), with (35), this (32), #create (32), key (32), public (25), passkeys (20), example (19), can (19), device (18), web (17), learn (17), you (15), browser (15), information (15), backend (15), using (14), sign (13), server (13), account (13), publickeycredential (13), provider (13), credentials (13), name (12), from (12), webauthn (12), verification (12), platform (12), your (11), after (11), api (11), how (11), that (10), registration (10), password (10), following (10), frontend (10), users (9), signal (9), more (9), dev (8), thumb (8), com (8), authentication (8), use (8), const (8), object (8), set (8), shows (7), case (7), resources (7), not (7), may (7), creation (7), process (7), fetch (7), should (7), identity (7), studies (6), content (6), see (6), code (6), google (6), login (6), send (6), email (6), when (6), but (6), required (6), type (6), arraybuffer (6), data (6), navigator (6), call (6), check (6), supports (6), down (5), date (5), last (5), registered (5), side (5), creating (5), their (5), save (5), prevent (5), method (5), before (5), encoded (5), await (5), response (5), has (5), true (5), time (5), used (5), which (5), created (5), promise (5), support (5), new (5), authenticator (5), compatibility (5), javascript (5), chrome (4), related (4), secure (4), site (4), other (4), page (4), details (4), its (4), form (4), passwordless (4), notification (4), signalunknowncredential (4), such (4), helps (4), manager (4), will (4), unique (4), returned (4), json (4), returns (4), authenticatorattachment (4), error (4), already (4), userverification (4), preferred (4), authenticatorselection (4), stores (4), security (4), alg (4), like (4), system (4), challenge (4), button (4), passwords (4), accessibility (4), performance (4), css (4), html (4), best (4), practices (4), baseline (4), manage (3), developers (3), follow (3), podcasts (3), updated (3), 2026 (3), are (3), through (3), registering (3), fails (3), aaguid (3), identify (3), same (3), excludecredentials (3), detect (3), access (3), creates (3), future (3), about (3), base64url (3), detection (3), does (3), stored (3), determine (3), list (3), recommend (3), result (3), origin (3), encode (3), whether (3), upon (3), value (3), must (3), dialog (3), these (3), screen (3), lock (3), options (3), source (3), displaying (3), decode (3), snippet (3), skip (3), indicates (3), additional (3), prompt (3), experience (3), dive (3), ids (3), relying (3), party (3), could (3), displayed (3), generated (3), any (3), domain (3), conditional (3), capabilities (3), getclientcapabilities (3), necessary (3), phone (3), logins (3), patterns (3), explore (3), 한국어 (2), 日本語 (2), ภาษาไทย (2), বাংলা (2), हिंदी (2), فارسی (2), العربيّة (2), עברית (2), русский (2), türkçe (2), tiếng (2), việt (2), português (2), brasil (2), polski (2), italiano (2), indonesia (2), français (2), español (2), américa (2), latina (2), deutsch (2), english (2), issues (2), help (2), build (2), cross (2), all (2), need (2), too (2), out (2), samples (2), utc (2), licensed (2), under (2), license (2), autofill (2), document (2), register (2), duplicate (2), verify (2), them (2), checklist (2), unauthorized (2), without (2), available (2), keep (2), feature (2), calling (2), specified (2), been (2), removed (2), supported (2), associated (2), make (2), syncable (2), management (2), identifier (2), useful (2), based (2), properties (2), then (2), store (2), database (2), _result (2), stringify (2), tojson (2), serialize (2), contains (2), important (2), client (2), operation (2), reasons (2), property (2), verified (2), decoded_options (2), parsecreationoptionsfromjson (2), _options (2), publickeycredentialcreationoptions (2), needed (2), pass (2), authenticators (2), biometric (2), factor (2), depending (2), deep (2), discoverable (2), requireresidentkey (2), along (2), simpler (2), contain (2), during (2), transports (2), specifies (2), 257 (2), pubkeycredparams (2), have (2), selector (2), displayname (2), username (2), unlike (2), one (2), free (2), pii (2), either (2), authenticate (2), across (2), requests (2), only (2), conditions (2), passkeyplatformauthenticator (2), conditionalget (2), window (2), 133 (2), sections (2), show (2), most (2), note (2), including (2), meets (2), securely (2), federation (2), signing (2), associate (2), storing (2), private (2), signature (2), making (2), phishing (2), resistant (2), theft (2), devices (2), collections (2), developer (2), newsletter (2), pagespeed (2), insights (2), courses (2), introduction (2), digital (2), oauth (2), otp (2), webotp (2), blog (2), notifications (2), payments (2), progressive (2), apps (2), cookies, privacy, terms, rss, linkedin, youtube, chromiumdev, chromium, updates, open, file, bug, contribute, want, beautiful, accessible, fast, websites, work, our, home, journey, written, members, team, external, experts, easy, understand, easytounderstand, solved, problem, solvedmyproblem, otherup, missing, missingtheinformationineed, complicated, many, steps, toocomplicatedtoomanysteps, outofdate, issue, samplescodeissue, otherdown, except, otherwise, noted, java, trademark, oracle, affiliates, policies, apache, creative, commons, attribution, next, step, apple, authenticating, service, attempt, preferably, allowing, sending, attacker, knowledge, remains, abuse, even, changed, alerts, read, consistent, encourage, delete, nevertheless, else, vi0qoggie3ot01zrwbyz5l4megu0c7pmaa, credentialid, rpid, 404, status, failure, due, lack, condition, inform, exist, deal, expected, unknown, cause, confusion, there, isn, attempts, never, succeed, hard, troubleshoot, sure, let, know, detailed, instructions, eligible, synchronization, bound, backup, eligibility, flag, records, record, assertion, identified, includes, recommended, retrieved, receiving, instead, writing, own, library, solution, body, post, registerresponse, field, always, capable, attestation, flags, attestationobject, clientdatajson, version, rawid, matching, something, unexpected, happened, exceptions, aborted, aborterror, canceled, notallowederror, exists, shown, shouldn, treat, wanted, local, invalidstateerror, rejected, different, handle, errors, checking, resolved, returning, publickey, invoke, waiting, interaction, modal, parse, deserialize, registerrequest, pubickeycredentialcreationoptions, constructing, encoding, fetching, way, payload, directly, happen, lacks, sensors, hasn, enrolled, fingerprints, sensor, temporarily, unavailable, laptop, running, lid, closed, was, performed, off, require, second, alternatively, aware, lead, confusing, bit, caution, default, means, omit, discouraged, boolean, lets, select, resident, upgrade, promotion, wants, embedded, insert, usb, option, hint, member, provided, each, gettransports, prevents, twice, providing, algorithms, setting, ecdsa, 256, rsa, pkcs, supporting, gives, complete, coverage, friendly, chosen, suitable, include, here, empty, string, recognise, address, permanent, editable, identifies, likely, specifically, personally, identifiable, deprecated, included, website, specify, registrable, suffix, subdomains, allow, reuse, sites, https, 1337, pairs, hold, internal, john, john78, contents, clicks, met, 135, capability, webauth, browsers, some, minor, gaps, compatibilities, ensures, seamless, notifies, confirm, potential, sends, resolving, authenticates, pin, pattern, calls, generate, duplicates, triggers, initiates, action, clicking, finishing, once, happens, communicate, exchange, avoid, leaked, attackers, compromise, stronger, methods, warning, within, meaningfully, short, ensure, prerequisites, typically, runs, interacts, communicates, fetches, four, components, flow, dedicated, where, another, ask, situations, works, metadata, valid, verifies, sensitive, basic, concepts, sync, providers, icloud, keychain, enhances, simplifies, replaces, regular, remember, enter, manually, mechanisms, biometrics, pins, reduce, risks, published, october, 2022, april, bluesky, mastodon, github, eiji, kitamura, accounts, safer, easier, categorize, preferences, stay, organized, back, now, share, between, sharing, digitalcredentials, fedcm, openid, connect, compliant, apis, goibibo, dropped, retry, sms, number, adidas, accelerated, adoption, reliability, pixiv, reached, higher, success, rate, yahoo, japan, reduced, inquiries, sped, enable, two, implement, codelabs, emulate, devtools, endpoints, automatically, origins, setup, overview, change, get, speed, development, better, experiences, into, pace, main,

Text of the page (random words):
emulate authenticators with devtools codelabs implement passkeys with autofill enable two factor authentication with a security key case studies case studies yahoo japan s password free authentication reduced inquiries by 25 sped up sign in time by 2 6x how pixiv reached 29 higher login success rate for passkey users how adidas accelerated passkey adoption and reliability with conditional create and the signal api phone number sms otp form best practices webotp api case studies goibibo dropped otp retry on sign up by 25 with webotp identity federation use oauth 2 0 to access google apis set up openid connect compliant oauth 2 0 fedcm digital credentials introduction to digital credentials digitalcredentials dev credential sharing share a credential between devices web platform html css javascript user experience performance accessibility identity learn learn html learn css learn javascript learn ai learn performance learn accessibility more courses additional resources ai and the web explore pagespeed insights patterns podcasts shows developer newsletter about web dev chrome is back at google i o may 19 20 register now web dev resources identity create a passkey for passwordless logins stay organized with collections save and categorize content based on your preferences passkeys make user accounts safer simpler easier to use eiji kitamura x github mastodon bluesky published october 12 2022 last updated april 09 2026 using passkeys enhances security simplifies logins and replaces passwords unlike regular passwords which users must remember and enter manually passkeys use device s screen lock mechanisms like biometrics or pins and reduce phishing risks and credential theft passkeys sync across devices using passkey providers like google password manager and icloud keychain note to learn basic concepts of passkeys see passwordless login with passkeys a passkey must be created storing the private key securely to the passkey provider along with necessary metadata and its public key stored on your server for authentication the private key issues a signature after user verification on the valid domain making passkeys phishing resistant the public key verifies the signature without storing sensitive credentials making passkeys resistant to credential theft how creating a passkey works before a user can sign in with a passkey you should create the passkey associate it with a user account and store its public key on your server you could ask users to create a passkey in one of the following situations during or after sign up after signing in after signing in using a passkey from another device that is the authenticatorattachment is cross platform on a dedicated page where users can manage their passkeys to create a passkey you use the webauthn api the four components of the passkey registration flow are backend stores user account details including the public key frontend communicates with the browser and fetches necessary data from the backend browser runs your javascript and interacts with the webauthn api passkey provider creates and stores the passkey this is typically a password manager such as google password manager or a security key the process of creating and registering a passkey before creating a passkey ensure that the system meets these prerequisites the user account is verified through a secure method for example email phone verification or identity federation within a meaningfully short window warning avoid password only verification if the password is leaked attackers could create a passkey and compromise the account use stronger verification methods like email or phone verification the frontend and backend can communicate securely to exchange credential data the browser supports webauthn and passkey creation we can show you how to check most of them in the following sections once the system meets this conditions the following process happens to create a passkey the system triggers the passkey creation process when the user initiates the action for example clicking a create a passkey button in their passkey management page or after finishing their registration the frontend requests necessary credential data from the backend including user information a challenge and credential ids to prevent duplicates the frontend calls navigator credentials create to prompt the device s passkey provider to generate a passkey using the information from the backend note that this call returns a promise the user s device authenticates the user using a biometric method pin or pattern to create the passkey the passkey provider creates a passkey and returns a public key credential to the frontend resolving the promise the frontend sends the generated public key credential to the backend the backend stores the public key and other important data for future authentication the backend notifies the user for example using email to confirm the passkey creation and detect potential unauthorized access this process ensures a secure and seamless passkey registration process for users compatibilities most browsers support webauthn with some minor gaps see passkeys dev for browser and os compatibility details create a new passkey to create a new passkey this is the process the frontend should follow check for compatibility fetch information from the backend call webauth api to create a passkey send the returned public key to the backend save the credential the following sections show how you can do it check for compatibility before displaying a create a new passkey button the frontend should check if the browser supports webauthn with publickeycredential browser support 67 18 60 13 source the browser supports capability detection with publickeycredential getclientcapabilities browser support 133 133 135 17 4 source the browser supports webauthn conditional ui with conditionalget the device supports a platform authenticator can create a passkey and authenticate on the device with passkeyplatformauthenticator the following code snippet shows how you can check for compatibility before displaying the passkey related options if window publickeycredential publickeycredential getclientcapabilities const capabilities await publickeycredential getclientcapabilities if capabilities conditionalget true capabilities passkeyplatformauthenticator true the browser supports passkeys and the conditional ui in this example the create a new passkey button should only be displayed if all the conditions are met fetch information from the backend when the user clicks the button fetch the required information from the backend to call navigator credentials create the following code snippet shows a json object with the required information to call navigator credentials create example publickeycredentialcreationoptions contents challenge rp name example id example com user id name john78 displayname john pubkeycredparams alg 7 type public key alg 257 type public key excludecredentials id type public key transports internal authenticatorselection authenticatorattachment platform requireresidentkey true the key value pairs in the object hold the following information challenge a server generated challenge in arraybuffer for this registration rp id an rp id relying party id a domain and a website can specify either its domain or a registrable suffix for example if an rp s origin is https login example com 1337 the rp id can be either login example com or example com if the rp id is specified as example com the user can authenticate on login example com or on any subdomains on example com see allow passkey reuse across your sites with related origin requests for more information on this rp name the rp s relying party name this is deprecated in webauthn l3 but included for compatibility reasons user id a unique user id in arraybuffer generated upon account creation it should be permanent unlike a username that may be editable the user id identifies an account but should not contain any personally identifiable information pii you likely already have a user id in your system but if needed create one specifically for passkeys to keep it free of any pii user name a unique identifier for the account that the user will recognise like their email address or username this will be displayed in the account selector user displayname a required more user friendly name for the account it need not be unique and could be the user s chosen name if your site does not have a suitable value to include here pass an empty string this may be displayed on the account selector depending on the browser pubkeycredparams specifies the rp relying party supported public key algorithms we recommend setting it to alg 7 type public key alg 257 type public key this specifies support for ecdsa with p 256 and rsa pkcs 1 and supporting these gives complete coverage excludecredentials a list of already registered credential ids prevents registering the same device twice by providing a list of already registered credential ids the transports member if provided should contain the result of calling gettransports during the registration of each credential authenticatorselection authenticatorattachment set this to platform along with hint client device if this passkey creation is an upgrade from a password for example in a promotion after a sign in platform indicates that the rp wants a platform authenticator an authenticator embedded to the platform device which does not prompt for example to insert a usb security key the user has a simpler option to create a passkey authenticatorselection requireresidentkey set it to a boolean true a discoverable credential resident key stores user information to the passkey and lets users select the account upon authentication authenticatorselection userverification indicates whether a user verification using the device screen lock is required preferred or discouraged the default is preferred which means the authenticator may skip user verification set this to preferred or omit the property caution when userverification is set to preferred authenticators may skip the user verification check this can happen if the device lacks biometric sensors the user hasn t set it up no enrolled fingerprints or if the sensor is temporarily unavailable for example laptop running with the lid closed the uv bit in the authenticator data of the response indicates whether user verification was performed if it is off and you require additional verification prompt the user for a second factor for example a password alternatively set userverification to required but be aware this may lead to a confusing user experience depending on the platform for more details see userverification deep dive we recommend constructing the object on the server encoding the arraybuffer with base64url and fetching it from the frontend this way you can decode the payload using publickeycredential parsecreationoptionsfromjson and pass it directly to navigator credentials create the following code snippet shows how you can fetch and decode the information needed to create the passkey fetch an encoded pubickeycredentialcreationoptions from the server const _options await fetch webauthn registerrequest deserialize and decode the publickeycredentialcreationoptions const decoded_options json parse _options const options publickeycredential parsecreationoptionsfromjson decoded_options call webauthn api to create a passkey call navigator credentials create to create a new passkey the api returns a promise waiting for the user s interaction displaying a modal dialog browser support 60 18 60 13 source invoke webauthn to create a passkey const credential await navigator credentials create publickey options send the returned public key credential to the backend after the user is verified using the device s screen lock a passkey is created and the promise is resolved returning a publickeycredential object to the frontend the promise can be rejected for different reasons you can handle these errors by checking the error object s name property invalidstateerror a passkey already exists on the device no error dialog will be shown to the user the site shouldn t treat this as an error the user wanted the local device registered and it is notallowederror the user has canceled the operation aborterror the operation has been aborted other exceptions something unexpected happened the browser shows an error dialog to the user the public key credential object contains the following properties id a base64url encoded id of the created passkey this id helps the browser to determine whether a matching passkey is in the device upon authentication this value must be stored in the database on the backend rawid an arraybuffer version of the credential id response clientdatajson an arraybuffer encoded client data response attestationobject an arraybuffer encoded attestation object this contains important information such as an rp id flags and a public key authenticatorattachment returns platform when this credential is created on a passkey capable device type this field is always set to public key encode the object with the tojson method serialize it with json stringify then send it to the server encode and serialize the publickeycredential const _result credential tojson const result json stringify _result encode and send the credential to the server for verification const response await fetch webauthn registerresponse method post credentials same origin body result save the credential after receiving the public key credential on the backend we recommend using a server side library or a solution instead of writing your own code to process a public key credential you can then store the information retrieved from the credential to the database for future use the following list includes recommended properties to save credential id the credential id returned with the public key credential credential name the name of the credential name it after the passkey provider it s created by which can be identified based on the aaguid user id the user id used to create the passkey public key the public key returned with the public key credential this is required to verify a passkey assertion creation date and time record the date and time of the passkey creation this is useful to identify the passkey last used date and time records the last date and time when the user used the passkey to sign in this is useful to determine which passkey the user has used or not used aaguid a unique identifier of the passkey provider backup eligibility flag true if the device is eligible for passkey synchronization this information helps users identify syncable passkeys and device bound not syncable passkeys on the passkey management page follow more detailed instructions at server side passkey registration signal if the registration fails if a passkey registration fails it may cause confusion to the user if there s a passkey in the passkey provider and available for the user but...

Thumbnail images (randomly selected): * Images may be subject to copyright.