| Scenario | Previously | New feature | Benefit |
|---|---|---|---|
| Users tired of repeated PIN prompts | Tokens were temporary and session-based. Discovering credentials often required a new PIN entry for each attempt. | Persistent PIN/UV Auth Tokens (PPUATs) | Allows applications to reuse PIN/UV authentication for credential discovery without re-prompting, creating a smoother user experience. |
| Enterprises need stronger PIN rules | Set Minimum PIN Length | PIN Complexity Policies | Enforce longer or more complex PINs at the hardware level to meet compliance requirements like NIST SP 800-63B. |
| Expanding passwordless to regulated payments | Experimental SPC support | thirdPartyPayment Extension | Enables Secure Payment Confirmation (SPC) across domains, critical for standards like PSD2 and card network compliance. |
| Richer, safer credential lifecycle management | Basic credential management existed, but platforms had limited ability to query metadata without user verification. | Persistent Credential Management – Read-only (pcmr) permission | Lets applications query stored credentials in more detail for auditing or UI improvements, without granting destructive permissions. |
| Applications needing per-service secrets | A secret could be derived from a single credential, but this was a distinct step. | hmac-secret-mc / PRF | Provides scoped secrets tied to credentials at creation time, useful for secure local storage or encrypted app data. |
| Mitigating risk of unlocked, unattended authenticators | N/A | Always-Require-User-Verification (alwaysUv) | A configurable state that forces user verification (PIN/biometric) on all sensitive operations, critical for high-assurance environments. |
| Enabling advanced key agreement protocols | N/A | ARKG extension | Enables asynchronous remote key generation: authenticators generate key pairs where the private key remains on the device while the public key can be computed remotely, supporting advanced cryptographic protocols. |
| Enterprises managing multiple IdPs or test/prod environments | 2 RPIDs | Increased RPID storage for Enterprise Attestation to 16 | Simplifies deployment and management across complex corporate environments by allowing a single key to be attested for multiple services. |
| Richer authenticator metadata | Provided basic information like supported versions and algorithms. | New getInfo properties | Applications can query authenticator capabilities like UV counters, attestation formats, and max PIN length to adapt their UX dynamically. |