# WebAuthn Passkeys: Login and Security Practices

## Registration example (browser side)

```js
// Registration ceremony, browser side.
// The challenge must be issued by the server and remembered for this ceremony;
// a challenge generated in the browser cannot be checked by the server and gives
// no replay protection. It is generated locally here only to keep the snippet short.
const pubKey = {
  challenge: window.crypto.getRandomValues(new Uint8Array(32)),
  rp: { name: 'Example Inc.' },
  // user.id is an opaque, stable identifier for the account (never an email);
  // the three bytes are a placeholder.
  user: { id: Uint8Array.from([1, 2, 3]), name: '[email protected]', displayName: 'User' },
  pubKeyCredParams: [{ type: 'public-key', alg: -7 }], // ES256 (COSE algorithm identifier)
  authenticatorSelection: { userVerification: 'preferred' },
};
const cred = await navigator.credentials.create({ publicKey: pubKey });
// Send cred.rawId, cred.response.clientDataJSON and cred.response.attestationObject
// to the server, which extracts and stores the credential ID and public key.
```
## Authentication example

```js
// Authentication ceremony, browser side.
// As with registration, the challenge must come from the server; local generation
// here is for illustration only.
const req = {
  challenge: window.crypto.getRandomValues(new Uint8Array(32)),
  // storedId: the credential ID (cred.rawId) saved for this user at registration
  allowCredentials: [{ type: 'public-key', id: storedId }],
  userVerification: 'preferred',
};
const assertion = await navigator.credentials.get({ publicKey: req });
// Send assertion.rawId, assertion.response.clientDataJSON,
// assertion.response.authenticatorData and assertion.response.signature to the server.
```
## Server-side verification points

- Verify the `type` and `challenge` in `clientDataJSON`.
- Verify the `rpIdHash` and `flags` in `authenticatorData`.
- Verify the `signature` with the public key stored at registration.

## Compatibility notes

iOS, macOS and Android all support Passkeys, but credential discovery and synchronization differ between platforms.

## Summary

WebAuthn provides much stronger resistance to phishing and replay; Passkeys further reduce login friction.