Passkey Credential
Data Entity
Description
Stores WebAuthn/FIDO2 passkey credentials registered by users for phishing-resistant passwordless authentication. Each record represents one authenticator device registration for a user.
Data Structure
| Name | Type | Description | Constraints |
|---|---|---|---|
| id | uuid | Primary key | PK, required, unique |
| user_id | uuid | Foreign key to users table | required |
| credential_id | string | Base64url-encoded credential ID issued by the authenticator (WebAuthn credentialId) | required, unique |
| public_key | text | COSE-encoded public key from the authenticator, stored as a base64url string | required |
| aaguid | string | Authenticator Attestation GUID; identifies the authenticator model/type (e.g. platform vs cross-platform) | - |
| sign_count | integer | Signature counter reported by the authenticator. It must never decrease across assertions, so a repeated or lower value indicates a cloned credential. Authenticators that do not implement a counter (common for synced passkeys) always report 0. | required |
| transports | json | Array of AuthenticatorTransport values (e.g. ['internal'], ['usb','nfc']); used to optimize future assertion requests | - |
| device_name | string | User-supplied or auto-detected label for the authenticator device (e.g. 'iPhone 15', 'YubiKey 5') | - |
| backed_up | boolean | Whether the authenticator reports the credential is currently backed up (synced passkey), per the WebAuthn BS (Backup State) flag; the BE flag only states backup eligibility | required |
| user_verified | boolean | Whether user verification (biometric/PIN) was performed at registration time (UV flag) | required |
| attestation_object | text | Raw base64url-encoded attestation object from registration, retained for audit and future attestation verification | - |
| last_used_at | datetime | Timestamp of the most recent successful authentication with this credential | - |
| created_at | datetime | Registration timestamp | required |
| revoked_at | datetime | Soft-delete timestamp; null means active. Set when the user removes a passkey or an admin revokes it. | - |
| revocation_reason | enum | Reason the credential was revoked | - |
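The sign_count, backed_up and user_verified columns above all come from the fixed 37-byte prefix of the WebAuthn authenticator data (rpIdHash, flags byte, 4-byte big-endian signCount). The following parser is an added example, not code from this project; the RP ID "example.com" and the sample authenticator data are constructed for illustration, and the flag bit positions follow the WebAuthn specification.

```python
import hashlib
import struct
from dataclasses import dataclass

# Bit positions of the WebAuthn authenticator-data "flags" byte.
FLAG_UP = 0x01  # bit 0: user present
FLAG_UV = 0x04  # bit 2: user verified (biometric/PIN)
FLAG_BE = 0x08  # bit 3: backup eligible
FLAG_BS = 0x10  # bit 4: backup state (currently backed up / synced)
FLAG_AT = 0x40  # bit 6: attested credential data follows
FLAG_ED = 0x80  # bit 7: extension data follows


@dataclass(frozen=True)
class AuthDataHeader:
    rp_id_hash: bytes
    user_present: bool
    user_verified: bool
    backup_eligible: bool
    backed_up: bool
    has_attested_credential: bool
    has_extensions: bool
    sign_count: int


def parse_auth_data_header(auth_data: bytes) -> AuthDataHeader:
    """Parse the fixed prefix: rpIdHash (32) | flags (1) | signCount (4, big-endian).
    The variable-length attested credential data and extensions that may
    follow are not parsed here."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return AuthDataHeader(
        rp_id_hash=auth_data[:32],
        user_present=bool(flags & FLAG_UP),
        user_verified=bool(flags & FLAG_UV),
        backup_eligible=bool(flags & FLAG_BE),
        backed_up=bool(flags & FLAG_BS),
        has_attested_credential=bool(flags & FLAG_AT),
        has_extensions=bool(flags & FLAG_ED),
        sign_count=sign_count,
    )


def rp_id_matches(auth_data: bytes, rp_id: str) -> bool:
    """rpIdHash must equal SHA-256 of the RP ID we expect."""
    return parse_auth_data_header(auth_data).rp_id_hash == hashlib.sha256(rp_id.encode()).digest()


def record_fields_from_auth_data(auth_data: bytes, rp_id: str) -> dict:
    """Derive the sign_count, backed_up and user_verified columns of this
    entity from registration authenticator data."""
    if not rp_id_matches(auth_data, rp_id):
        raise ValueError("rpIdHash does not match the expected RP ID")
    header = parse_auth_data_header(auth_data)
    if not header.user_present:
        raise ValueError("user presence flag not set")
    return {
        "sign_count": header.sign_count,
        "backed_up": header.backed_up,
        "user_verified": header.user_verified,
    }


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct a 37-byte authenticator-data header for testing. This is a
    synthetic sample, not output captured from a real authenticator."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


# Constructed sample: a synced platform passkey (UP|UV|BE|BS|AT) with counter 0,
# which is what such authenticators commonly report.
SAMPLE_SYNCED = build_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS | FLAG_AT, 0)
# Constructed sample: a hardware key with a live counter and no backup flags.
SAMPLE_HARDWARE_KEY = build_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_AT, 42)

if __name__ == "__main__":
    print(record_fields_from_auth_data(SAMPLE_SYNCED, "example.com"))
    print(record_fields_from_auth_data(SAMPLE_HARDWARE_KEY, "example.com"))
```

The rpIdHash comparison is the check that stops a registration response produced for another origin from being stored under this RP; the synced sample shows why sign_count = 0 must be accepted at registration time.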
Database Indexes
idx_passkey_credentials_credential_id
Columns: credential_id
idx_passkey_credentials_user_id
Columns: user_id
idx_passkey_credentials_user_active
Columns: user_id, revoked_at
Validation Rules
| Rule | Severity | Check | Message |
|---|---|---|---|
| credential_id_format | error | credential_id is unpadded base64url | Validation failed |
| public_key_non_empty | error | public_key is present and non-empty | Validation failed |
| sign_count_non_negative | error | sign_count >= 0 | Validation failed |
| unique_credential_id_globally | error | credential_id is not already registered for any user | Validation failed |
| user_exists | error | user_id references an existing users row | Validation failed |
| device_name_length | error | device_name does not exceed the configured maximum length | Validation failed |
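An added example (not this project's code) of applying these rules to an incoming record and returning the names of the rules that fail. The page does not state the device_name limit, so MAX_DEVICE_NAME_LEN = 64 is an assumption, and the sample user ID, credential IDs and records are constructed.

```python
import re

BASE64URL_RE = re.compile(r"[A-Za-z0-9_-]+")
MAX_DEVICE_NAME_LEN = 64  # assumption: the page does not state the limit


def is_base64url(value) -> bool:
    """Unpadded base64url: only the URL-safe alphabet, and a length that is
    not congruent to 1 mod 4 (no base64 encoding has such a length)."""
    return (isinstance(value, str)
            and BASE64URL_RE.fullmatch(value) is not None
            and len(value) % 4 != 1)


def validate_passkey_record(rec: dict, existing_credential_ids: set, known_user_ids: set) -> list:
    """Return the names of the validation rules the record fails (empty list
    means valid). Rule names match the Validation Rules table."""
    failed = []
    cid = rec.get("credential_id")
    if not is_base64url(cid):
        failed.append("credential_id_format")
    if cid in existing_credential_ids:
        failed.append("unique_credential_id_globally")
    pk = rec.get("public_key")
    if not isinstance(pk, str) or not pk.strip():
        failed.append("public_key_non_empty")
    sc = rec.get("sign_count")
    if not isinstance(sc, int) or isinstance(sc, bool) or sc < 0:
        failed.append("sign_count_non_negative")
    if rec.get("user_id") not in known_user_ids:
        failed.append("user_exists")
    name = rec.get("device_name")
    if name is not None and (not isinstance(name, str) or len(name) > MAX_DEVICE_NAME_LEN):
        failed.append("device_name_length")
    return failed


# Constructed fixtures for the example.
USER_A = "2b1d4a4f-7b1e-4a4a-9f2e-0f2a3c4d5e6f"
KNOWN_USERS = {USER_A}
EXISTING_IDS = {"AQIDBAUGBwgJCgsMDQ4PEA"}  # already registered by another user

VALID_RECORD = {
    "user_id": USER_A,
    "credential_id": "oFaebTAb8fQjLFbF3aAOyA",
    "public_key": "pQECAyYgASFYIA",  # placeholder base64url, not a real COSE key
    "sign_count": 0,
    "device_name": "YubiKey 5",
}
DUPLICATE_RECORD = dict(VALID_RECORD, credential_id="AQIDBAUGBwgJCgsMDQ4PEA")
BAD_RECORD = {
    "user_id": "not-a-known-user",
    "credential_id": "abc+/def=",  # standard base64 alphabet and padding, not base64url
    "public_key": "",
    "sign_count": -1,
    "device_name": "x" * (MAX_DEVICE_NAME_LEN + 1),
}

if __name__ == "__main__":
    for r in (VALID_RECORD, DUPLICATE_RECORD, BAD_RECORD):
        print(validate_passkey_record(r, EXISTING_IDS, KNOWN_USERS))
```

Reporting every failed rule at once, rather than stopping at the first, is what lets the generic "Validation failed" message be accompanied by the specific rule names in logs.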
Business Rules
max_credentials_per_user
A user may register at most 10 active passkey credentials to prevent abuse while allowing multiple devices
sign_count_monotonic
On each authentication, compare the assertion's signCount with the stored sign_count. If either value is non-zero, the incoming value must be strictly greater than the stored value, and the stored value is then updated; an equal or lower value means the private key may have been cloned, and the credential must be revoked immediately. If both values are zero, the authenticator does not implement a counter (common for synced passkeys) and no clone inference can be drawn from the counter.
user_verification_required
Authentication assertions must include UV=true (user verification performed). Credentials registered without user verification cannot be used for sign-in.
revoked_credential_blocked
Any credential with revoked_at set must be rejected during authentication regardless of cryptographic validity
cascade_revoke_on_account_deactivation
When a user account is deactivated, all their passkey credentials are soft-deleted with revocation_reason=account_deactivated
audit_on_revocation
Every credential revocation (user-initiated or admin-initiated) must produce an audit log entry
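The business rules above (max_credentials_per_user, sign_count_monotonic, user_verification_required, revoked_credential_blocked, cascade_revoke_on_account_deactivation, audit_on_revocation) applied to an in-memory credential record, as an added example rather than this project's code. It assumes the assertion signature has already been verified against public_key, and only account_deactivated is a revocation_reason value from the page; suspected_clone and user_removed are assumed names.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

MAX_ACTIVE_CREDENTIALS = 10

# revocation_reason values: only account_deactivated appears in the spec; the
# others are assumed for this example.
REASON_SUSPECTED_CLONE = "suspected_clone"
REASON_ACCOUNT_DEACTIVATED = "account_deactivated"
REASON_USER_REMOVED = "user_removed"


@dataclass
class StoredCredential:
    credential_id: str
    user_id: str
    sign_count: int
    user_verified: bool  # UV flag was set at registration
    revoked_at: Optional[datetime] = None
    revocation_reason: Optional[str] = None
    last_used_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.revoked_at is None


def _now(now: Optional[datetime]) -> datetime:
    return now if now is not None else datetime.now(timezone.utc)


def revoke(cred: StoredCredential, reason: str, actor: str, audit_log: list,
           now: Optional[datetime] = None) -> None:
    """Soft-delete the credential and write the audit entry that
    audit_on_revocation requires, whoever initiated the revocation."""
    when = _now(now)
    cred.revoked_at = when
    cred.revocation_reason = reason
    audit_log.append({"event": "passkey_revoked", "credential_id": cred.credential_id,
                      "user_id": cred.user_id, "reason": reason, "actor": actor,
                      "at": when.isoformat()})


def can_register(user_creds: list) -> bool:
    """max_credentials_per_user counts active (non-revoked) credentials only."""
    return sum(1 for c in user_creds if c.active) < MAX_ACTIVE_CREDENTIALS


def authorize_assertion(cred: StoredCredential, assertion_sign_count: int,
                        assertion_uv: bool, audit_log: list,
                        now: Optional[datetime] = None) -> str:
    """Apply the business rules to an assertion whose signature has ALREADY
    been verified. Returns "ok" or a rejection code. Order matters: a revoked
    credential is rejected before anything else, regardless of validity."""
    if not cred.active:
        return "rejected:revoked"
    if not cred.user_verified or not assertion_uv:
        return "rejected:user_verification_required"
    # Counter rule: only meaningful when either side is non-zero; authenticators
    # without a counter (many synced passkeys) report 0 forever.
    if assertion_sign_count != 0 or cred.sign_count != 0:
        if assertion_sign_count <= cred.sign_count:
            revoke(cred, REASON_SUSPECTED_CLONE, "system", audit_log, now)
            return "rejected:suspected_clone"
        cred.sign_count = assertion_sign_count
    cred.last_used_at = _now(now)
    return "ok"


def cascade_revoke_on_deactivation(user_creds: list, audit_log: list,
                                   now: Optional[datetime] = None) -> int:
    """Revoke every active credential of a deactivated account; returns the count."""
    revoked = 0
    for c in user_creds:
        if c.active:
            revoke(c, REASON_ACCOUNT_DEACTIVATED, "system", audit_log, now)
            revoked += 1
    return revoked


if __name__ == "__main__":
    log = []
    key = StoredCredential("cred-A", "user-1", sign_count=5, user_verified=True)
    print(authorize_assertion(key, 6, True, log))   # ok, counter advances to 6
    print(authorize_assertion(key, 6, True, log))   # replayed counter: revoked as clone
    print(authorize_assertion(key, 7, True, log))   # now blocked outright
    print(log)
```

Note that the clone revocation happens inside the authentication path itself, so the cloned device and the legitimate one are both locked out until the user re-registers; that is the intended trade-off of sign_count_monotonic.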