files/en-us/web/api/web_authentication_api/webauthn_extensions/index.md
18 additions & 6 deletions
@@ -442,8 +442,9 @@ For example, the definition below might be used when creating a new credential i
442
442
});
443
443
```
444
444
445
-
The optional `second` property can be used if two random values need to be created for a credential.
446
-
For example, this might be used in workflows where the encryption key is rotated on each session.
445
+
The optional `second` property can be used if two random values need to be created for a credential, such as in workflow where the encryption key is rotated on each session.
446
+
As an example of such a workflow, in each session you pass two salts: the `first` salt returns a value that can be used to decrypt the previous session data, while the `second` salt returns a value that can be used to encrypt this session data.
447
+
In subsequent sessions the `second` salt is moved to the position of the `first` salt, so the lifetime where a particular salt can be usefully compromised is bounded.
447
448
448
449
```js
449
450
{
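Review bot: the new line 447 says "the lifetime where a particular salt can be usefully compromised is bounded", but in the workflow described at line 446 the salts are the PRF inputs; what an attacker would want is the PRF output used as the encryption key. Suggest "so the window in which a compromised key remains useful is bounded". Also at line 445, "such as in workflow where" should read "such as in a workflow where" (or "in workflows where").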
@@ -490,7 +491,6 @@ The `get()` call may reject with the following exceptions:
490
491
#### Output
491
492
492
493
A successful `create()` call provides the following extension output if the registered credential supports using the PRF when creating credentials.
493
-
Note that `enabled` is only present as an output for `create()`, and that `first` and `second` contain the result of evaluating `first` and `second` on the input.
494
494
495
495
```js
496
496
{
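Review bot: moving the field description below the code block is fine, but the sentence that now leads straight into the example (line 492) still says "if the registered credential supports using the PRF", while the text added elsewhere in this patch attributes PRF support to the authenticator ("If the authenticator doesn't support using the PRF on creation"). Suggest aligning this line to "if the authenticator supports using the PRF when creating credentials" so the two descriptions do not appear to disagree about where support lives.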
@@ -501,7 +501,10 @@ Note that `enabled` is only present as an output for `create()`, and that `first
501
501
};
502
502
```
503
503
504
-
If the authenticator doesn't support using the PRF on creation, the output will look like this:
504
+
The `enabled` property indicates whether the PRF can be used when creating credentials.
505
+
The `first` and `second` properties contain the result of evaluating `first` and `second` on the input, and `second` will be omitted if the corresponding input was not specified.
506
+
507
+
If the authenticator doesn't support using the PRF on creation, the output on `create()` will look like this:
505
508
506
509
```js
507
510
{
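Review bot: line 505's "contain the result of evaluating `first` and `second` on the input" is circular, since `first` and `second` name both the inputs and the outputs here. Suggest "contain the PRF outputs computed from the `first` and `second` salts given as input; `second` is omitted if the corresponding input was not specified." At line 507, "the output on `create()`" should be "the output of `create()`".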
@@ -511,8 +514,8 @@ If the authenticator doesn't support using the PRF on creation, the output will
511
514
};
512
515
```
513
516
514
-
A `get()` returns a `prf` object that does not include the `enabled` key.
515
-
The values are otherwise as for the create call.
517
+
A `get()` returns a same `prf` object with the same structure as `create()`, except that it omits the `enabled` key.
518
+
The object contains PRF values that correspond to the inputs for the credential that was selected by the user.
516
519
517
520
```js
518
521
{
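Review bot: line 517 has a typo, "returns a same `prf` object with the same structure"; suggest "returns a `prf` object with the same structure as `create()`, except that it omits the `enabled` key." Line 518 reads well and is a useful clarification of which credential the values belong to.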
@@ -522,6 +525,15 @@ The values are otherwise as for the create call.
522
525
};
523
526
```
524
527
528
+
Note that `enabled` is only present as an output for `create()`, and indicates if PRF is supported by the authenticator when a credential is created.
529
+
If the authenticator doesn't support PRF at all, the result for the `get()` call will be:
530
+
531
+
```js
532
+
{
533
+
prf: {},
534
+
};
535
+
```
536
+
525
537
## Specifications
526
538
527
539
There are a number of places that WebAuthn extensions are specified. IANA's [WebAuthn Extension Identifiers](https://www.iana.org/assignments/webauthn/webauthn.xhtml#webauthn-extension-ids) provides a registry of all extensions, but bear in mind that some may be deprecated.
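Review bot: the sentence added at line 528 ("Note that `enabled` is only present as an output for `create()`...") repeats what this patch already states at line 504 (`enabled` described under the `create()` output) and line 517 (`get()` omits `enabled`), so it can be dropped. Lines 529 to 535 are worth keeping: showing `prf: {}` for an authenticator with no PRF support at all gives readers the third case alongside the supported and unsupported-on-creation outputs above.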