Prevent creation of a new passkey if one already exists

To prevent creating a new passkey if one already exists in the same passkey provider, use the optional excludeCredentials property of WebAuthn's PublicKeyCredentialCreationOptions dictionary.

The excludeCredentials property is an array of descriptors for public keys that already exist for a given user. This information is supplied by the relying party's server when it wants to prevent the creation of new credentials for an existing user on a single authenticator.

The excludeCredentials array has the following attributes:

  • type: A string that describes the type of public-key credential to be generated. The default value is "public-key".
  • id: An ArrayBuffer that matches an existing public key credential identifier (PublicKeyCredential.rawId). This identifier is generated during the creation of the PublicKeyCredential instance.

The client returns an error if the user tries to create a new credential on a platform authenticator that already contains one of the credentials listed in this parameter. In that case the authenticator still collects user consent as usual and shows the user a success indicator, but no new credential is created, and the client throws an InvalidStateError exception, indicating that the user already has a valid credential matching an entry in excludeCredentials.

"excludeCredentials": [
    {"id": "<id-1>", "type": "public-key"},
    {"id": "<id-2>", "type": "public-key"}
]

This JSON can be used to prevent authenticators with one of the provided credentials from being registered more than once. Each "<id-*>" value should be populated with the identifier of the credential to be excluded.
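The following JavaScript is an added example, not code from this page or from the W3C specification, showing the client side of this flow: the server-supplied ids are decoded into the ArrayBuffers that the id attribute requires, the excludeCredentials array is built, and an InvalidStateError from navigator.credentials.create() is mapped to "this authenticator already holds a passkey for this user". The base64url transport encoding for ids, the serverExclude sample, and the helper names are assumptions.

```javascript
// Decode a base64url string (unpadded, as commonly sent by the server) into
// an ArrayBuffer, which is the type PublicKeyCredentialDescriptor.id expects.
function base64urlToArrayBuffer(b64url) {
  const b64 = b64url.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  // atob exists in browsers and Node >= 16; fall back to Buffer elsewhere.
  const bin = typeof atob === 'function'
    ? atob(padded)
    : Buffer.from(padded, 'base64').toString('binary');
  const bytes = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  return bytes.buffer;
}

// Turn the server's JSON list (as shown above) into descriptor objects.
// A missing type falls back to "public-key", the only value WebAuthn defines.
function buildExcludeCredentials(serverList) {
  return serverList.map(({ id, type }) => ({
    type: type || 'public-key',
    id: base64urlToArrayBuffer(id),
  }));
}

// Call navigator.credentials.create(); an InvalidStateError means the
// authenticator already holds one of the excluded credentials, so the
// relying party should not treat it as a failure that needs retrying.
// `create` is injectable so the logic can be exercised outside a browser.
async function registerPasskey(publicKeyOptions,
                               create = (o) => navigator.credentials.create(o)) {
  try {
    const credential = await create({ publicKey: publicKeyOptions });
    return { status: 'created', credential };
  } catch (err) {
    if (err && err.name === 'InvalidStateError') {
      return { status: 'already-registered', credential: null };
    }
    throw err; // NotAllowedError, timeouts, etc. are real failures
  }
}

// Constructed sample of what the relying party's server might return.
const serverExclude = [
  { id: 'AQIDBA', type: 'public-key' }, // bytes 01 02 03 04
  { id: '_-7dzA', type: 'public-key' }, // bytes ff ee dd cc
];

// Usage in a browser would be:
//   const options = { ...creationOptionsFromServer,
//                     excludeCredentials: buildExcludeCredentials(serverExclude) };
//   const result = await registerPasskey(options);
```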

Learn more about excludeCredentials in the W3C recommendation.