WebAuthn Credential ID Generator

WebAuthn (Web Authentication API, W3C standard) enables passwordless authentication using public-key cryptography. When a user registers a passkey or security key, the authenticator generates a key pair and returns a credential ID — a unique opaque byte sequence that identifies the credential. The server stores the credential ID alongside the public key. During authentication, the server sends the credential ID to prompt the authenticator to sign a challenge with the corresponding private key.

Predictable credential IDs would allow attackers to enumerate registered credentials, potentially discovering which users have registered passkeys and targeted phishing. The FIDO2 specification requires authenticator-generated credential IDs to be indistinguishable from random data. When generating credential IDs server-side for testing or mock authenticators, using a CSPRNG like crypto.getRandomValues() is mandatory.

Base64url is a URL-safe variant of Base64 that replaces + with -, / with _, and omits = padding. WebAuthn uses Base64url because credential IDs must be transmitted as JSON strings in the authenticatorData and clientDataJSON structures. Standard Base64 with + and / characters would require URL encoding in JSON contexts, adding complexity. Base64url keeps the data compact and safe for URLs, headers, and JSON without escaping.

WebAuthn uses asymmetric cryptography: the private key never leaves the authenticator (hardware security key or platform authenticator like Face ID/Touch ID), so there is nothing to steal from the server. The server stores only the public key and credential ID. Authentication proves possession of the private key by signing a server-generated challenge. Even if the server is breached, attackers gain only public keys — useless without the private key on the user’s device.