# WebAuthn Passkeys: Login and Security Practices

## Registration example (browser side)

```javascript
const pubKey = {
  // In production the challenge is issued by the server and compared there;
  // a challenge generated in the browser, as in this snippet, cannot stop replay.
  challenge: Uint8Array.from(window.crypto.getRandomValues(new Uint8Array(32))),
  rp: { name: 'Example Inc.' },
  user: { id: Uint8Array.from([1, 2, 3]), name: '[email protected]', displayName: 'User' },
  pubKeyCredParams: [{ type: 'public-key', alg: -7 }], // -7 = ES256
  authenticatorSelection: { userVerification: 'preferred' },
};
const cred = await navigator.credentials.create({ publicKey: pubKey });
```

## Authentication (assertion) example

```javascript
const req = {
  // Same caveat as above: the challenge must be server-issued.
  challenge: Uint8Array.from(window.crypto.getRandomValues(new Uint8Array(32))),
  allowCredentials: [{ type: 'public-key', id: storedId }], // credential ID saved at registration
  userVerification: 'preferred',
};
const assertion = await navigator.credentials.get({ publicKey: req });
```

## Server-side verification essentials

- Verify the `type` and `challenge` fields of `clientDataJSON`.
- Verify the `rpIdHash` and `flags` in `authenticatorData`.
- Verify the `signature` with the public key stored at registration.

## Compatibility notes

iOS/macOS/Android all support Passkeys, but credential discovery and sync behave differently across platforms.

## Summary

WebAuthn provides stronger resistance to phishing and replay; Passkeys further reduce login friction.
