HeadlinesBriefing.com

WebAuthn Security Enhancements

Hacker News

WebAuthn lets a relying party ask for a discoverable credential through the residentKey option in authenticatorSelection, which allows sign-in without first typing a username. On a security key that convenience has a cost: a discoverable credential can be found with an empty allowList, and if the key only checks user presence, whoever holds it can both enumerate the accounts registered for a given site and produce a valid assertion for them. The credProtect extension closes this gap by letting the relying party require user verification before a discoverable credential can be found or used.

The CTAP 2.1 specification defines the credProtect extension, whose credentialProtectionPolicy input takes one of three levels: userVerificationOptional (level 1) lets the credential be discovered and used without user verification; userVerificationOptionalWithCredentialIDList (level 2) requires user verification to discover the credential but not to use it when the relying party supplies its credential ID in the allowList; and userVerificationRequired (level 3) requires user verification for both discovery and use. A second input, enforceCredentialProtectionPolicy, makes the registration fail outright if the authenticator cannot apply the requested level, instead of silently creating a weaker credential.

Browser support varies: Chrome and Firefox implement the extension, while Safari ignores it. When the relying party sends no policy, Chrome applies a default derived from the other creation options: userVerificationOptionalWithCredentialIDList when residentKey is preferred or required, and userVerificationRequired when residentKey is required and user verification is preferred. Either default stops a discoverable credential on a security key from being found by whoever happens to possess it. Because a client that ignores the extension also ignores enforceCredentialProtectionPolicy, a relying party that depends on the level should check the credProtect value returned in the authenticator data rather than assume it was applied.
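The following is an added example, not code from the page, from the CTAP specification, or from any browser or authenticator vendor. It covers the two technical passages above: it shows the WebAuthn creation options a relying party sends to request a credProtect level, models the authenticator-side rule for each of the three levels against a getAssertion with or without an allowList and with or without user verification, and performs the relying-party check of the level echoed back in the authenticator data. The rp, user and challenge values are placeholders, and the decoded extensions map is constructed inline; the code runs under Node without a browser, so navigator.credentials.create() is shown as the options object it would receive rather than executed.

```javascript
// Added example; not the page's or any vendor's code. rp, user and challenge
// values are placeholders, and sampleExtensions is a constructed input.

// credProtect levels as encoded in the CTAP 2.1 authenticator extension
// input and output (the WebAuthn input names them by string).
const CRED_PROTECT_LEVEL = {
  userVerificationOptional: 1,
  userVerificationOptionalWithCredentialIDList: 2,
  userVerificationRequired: 3,
};

// Creation options for a discoverable credential protected at level 3.
// With enforceCredentialProtectionPolicy set, the ceremony fails rather
// than registering a credential the authenticator cannot protect.
function buildRegistrationOptions({
  challenge,
  userId,
  policy = "userVerificationRequired",
  enforce = true,
}) {
  return {
    publicKey: {
      rp: { id: "example.com", name: "Example RP" },             // placeholder
      user: { id: userId, name: "alice", displayName: "Alice" }, // placeholder
      challenge,
      pubKeyCredParams: [{ type: "public-key", alg: -7 }],       // ES256
      authenticatorSelection: {
        residentKey: "required",     // discoverable: sign-in needs no username
        userVerification: "required",
      },
      extensions: {
        credentialProtectionPolicy: policy,
        enforceCredentialProtectionPolicy: enforce,
      },
    },
  };
}

// Authenticator-side rule for a getAssertion against a credential created
// at `level`. `inAllowList` is true when the RP supplied the credential ID;
// `userVerified` is true only after a PIN or biometric check. A bare
// user-presence touch never counts as verification.
function assertionPermitted(level, { inAllowList, userVerified }) {
  switch (level) {
    case 1: return true;                         // touch alone suffices
    case 2: return inAllowList || userVerified;  // discovery needs UV
    case 3: return userVerified;                 // any use needs UV
    default: throw new Error(`unknown credProtect level ${level}`);
  }
}

// What someone holding the key, without the PIN, gets from an empty
// allowList: the discovery step of a usernameless sign-in.
function discoverableWithoutPin(level) {
  return assertionPermitted(level, { inAllowList: false, userVerified: false });
}

// RP-side check after registration. An authenticator that applied the
// extension echoes the level under "credProtect" in the authData extensions;
// one that does not support it omits the key, which is only reachable when
// enforceCredentialProtectionPolicy was false or the client ignored it.
// `authDataExtensions` is the decoded CBOR extensions map. A stricter level
// than requested still satisfies the RP's goal, so >= is used.
function credProtectSatisfied(authDataExtensions, requestedPolicy) {
  const wanted = CRED_PROTECT_LEVEL[requestedPolicy];
  if (wanted === undefined) throw new Error(`unknown policy ${requestedPolicy}`);
  const applied = authDataExtensions ? authDataExtensions.credProtect : undefined;
  return Number.isInteger(applied) && applied >= wanted;
}

// Constructed sample: a key that applied level 2 when level 3 was requested.
const sampleExtensions = { credProtect: 2 };

// Walk the scenario from the text: the same key, three levels, no PIN.
for (const level of [1, 2, 3]) {
  console.log(`level ${level}: discoverable by key holder without PIN ->`,
    discoverableWithoutPin(level));
}
console.log("level 3 requested, level 2 applied, RP accepts ->",
  credProtectSatisfied(sampleExtensions, "userVerificationRequired"));
```

The relying-party check is the piece most often skipped: if enforceCredentialProtectionPolicy is left false, or the browser drops the extension, registration still succeeds, and only the echoed level tells the relying party whether the credential it just stored can be enumerated by anyone holding the key.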