WebAuthn 凭证 ID 生成器
指导
WebAuthn 凭证 ID 生成器
Generate cryptographically secure WebAuthn credential IDs in Base64url format, or decode existing credential IDs to inspect their raw bytes. Set the byte length (16–64 bytes), generate multiple IDs in a batch, and decode any Base64url credential ID to see its byte count and hex representation.
如何使用
Set the byte length (32 bytes recommended per FIDO2 spec), choose how many credential IDs to generate, then click 产生. Each ID is displayed in Base64url format with a copy button. Use the decode section to inspect any existing credential ID.
特征
- Configurable length – 16 to 64 bytes (32 bytes recommended by FIDO2)
- 批量生成 – multiple IDs at once
- Credential ID decoder – decode Base64url to hex and byte count
- Base64url output – URL-safe, no padding, ready for WebAuthn APIs
- 加密安全 – 使用
crypto.getRandomValues() - 仅客户端 – IDs never leave your browser
常问问题
-
What is WebAuthn and what is a credential ID?
WebAuthn (Web Authentication API, W3C standard) enables passwordless authentication using public-key cryptography. When a user registers a passkey or security key, the authenticator generates a key pair and returns a credential ID — a unique opaque byte sequence that identifies the credential. The server stores the credential ID alongside the public key. During authentication, the server sends the credential ID to prompt the authenticator to sign a challenge with the corresponding private key.
-
Why must credential IDs be cryptographically random?
Predictable credential IDs would allow attackers to enumerate registered credentials, potentially discovering which users have registered passkeys and targeted phishing. The FIDO2 specification requires authenticator-generated credential IDs to be indistinguishable from random data. When generating credential IDs server-side for testing or mock authenticators, using a CSPRNG like
crypto.getRandomValues()is mandatory. -
What is Base64url encoding and why does WebAuthn use it?
Base64url is a URL-safe variant of Base64 that replaces + with -, / with _, and omits = padding. WebAuthn uses Base64url because credential IDs must be transmitted as JSON strings in the authenticatorData and clientDataJSON structures. Standard Base64 with + and / characters would require URL encoding in JSON contexts, adding complexity. Base64url keeps the data compact and safe for URLs, headers, and JSON without escaping.
-
How does WebAuthn differ from traditional password authentication?
WebAuthn uses asymmetric cryptography: the private key never leaves the authenticator (hardware security key or platform authenticator like Face ID/Touch ID), so there is nothing to steal from the server. The server stores only the public key and credential ID. Authentication proves possession of the private key by signing a server-generated challenge. Even if the server is breached, attackers gain only public keys — useless without the private key on the user’s device.
