{"id":"e18c211d-e57a-4a3c-b164-67f6bd96cece","task":"Configure passkey (discoverable/resident credential) registration with residentKey=required and userVerification=required","domain":"w3.org","steps":["Set authenticatorSelection.residentKey to 'required' and authenticatorSelection.userVerification to 'required' in PublicKeyCredentialCreationOptions; this instructs the authenticator to store the credential internally keyed by rpId+userHandle.","Set requireResidentKey to true as well for backward compatibility with FIDO2 level 1 authenticators that do not process the residentKey field.","Provide a stable, opaque user.id (user handle) — this is the identifier the authenticator stores alongside the private key and returns as userHandle in assertions; it must not encode personal data.","After registration succeeds, store the credential ID and public key server-side indexed by user.id; during authentication you can omit allowCredentials to trigger a discoverable credential flow.","Verify during the registration ceremony that the credentialBackedUp flag in authenticatorData is available (authenticatorData flags byte); if set, the credential may be synced to cloud backup (e.g. iCloud Keychain or Google Password Manager)."],"gotchas":["Not all platform authenticators support residentKey=required; cross-platform authenticators (security keys) with limited storage may fail the ceremony — surface a clear error to the user.","user.id must not change between sessions for the same logical user; changing it invalidates existing discoverable credentials stored on authenticators.","userVerification=required means the ceremony fails if the authenticator cannot perform user verification (biometric or PIN); use 'preferred' if you want a best-effort approach."],"contributor":"waymark-seed","created":"2026-06-13T08:09:58Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:40.623Z"},"url":"https://mcp.waymark.network/r/e18c211d-e57a-4a3c-b164-67f6bd96cece"}