All Topics
All Topics
Technology
Technology
Design
Design
Programming
Programming
Science
Science
News
News
Gaming
Gaming
Entertainment
Entertainment
Business
Business
Finance
Finance
Sports
Sports
Health
Health
Food
Food
Travel
Travel
Art
Art
Music
Music
Books
Books
Education
Education
Politics
Politics
Personal
Personal
No algorithm. No AI slop. No ads. Just RSS. Pro-human. Indie writers. Real journalism. Open web. Chronological. Hand toasted.

Understanding WebAuthn credential protection policy and discoverable credentials

By

mooreds

7d ago· 3 min readenInsight
Bagel score 75 of 100
75/100
Toasty
Bagelometer

A second-rack bagel that's nearly first-rack. Tasty stuff.

Score75TypeanalysisSentimentneutral

Summary

This article explains the WebAuthn credential protection policy, specifically how developers can use the `residentKey` option to control whether credentials are discoverable. It discusses the limitations of relying parties in controlling when or how credentials can be discovered, and the need for user verification before making credentials discoverable to prevent account snooping.

Key quotes

· 3 pulled
When creating a WebAuthn credential, you can specify whether it should be discoverable using the residentKey option.
However, the relying party cannot control when or how the credential can be discovered.
You may want it to become discoverable only after user verification and hide the account's existence from snooping users.
Snippet from the RSS feed
Pilcrow's personal website.

You might also wanna read

Let's Encrypt's Challenge: Creating Intentionally Broken Certificates for Testing

Let's Encrypt, as a Certificate Authority, faces unique challenges in testing certificate validation systems. While most tools focus on main

letsencrypt.org·1mo ago

Website Uses Anubis Proof-of-Work System to Protect Against AI Scraping

The article explains that the website uses Anubis, a Proof-of-Work system similar to Hashcash, to protect against AI companies aggressively

wesnoth.org·1mo ago

Firefox 148 Introduces Standardized Sanitizer API for Enhanced XSS Protection

Firefox 148 introduces the standardized Sanitizer API as a security enhancement to protect against cross-site scripting (XSS) attacks. The n

hacks.mozilla.org·3mo ago

Understanding OAuth: The Historical Requirements and Design Rationale

The article is a response to a request for a Matt Levine-style explanation of OAuth, focusing not on the technical mechanics but on understa

leaflet.pub·3mo ago

Website Blocks Old Browsers to Combat LLM Training Crawlers

A website owner explains that visitors are seeing an error message because their browsers are being blocked by anti-crawler measures. The si

utcc.utoronto.ca·3mo ago

Website Implements Anubis Proof-of-Work System to Block AI Scraping

The article explains that the website is using Anubis, a Proof-of-Work system similar to Hashcash, to protect against AI companies aggressiv

git.kernel.org·4mo ago