Extension Playground

PRF lets you derive symmetric keys from a passkey authentication -- useful for encryption without server-side key storage. The authenticator uses an internal HMAC-based function seeded with your salt to produce deterministic output.

Large Blob allows storing arbitrary data (up to ~4KB on most authenticators) alongside a credential. Useful for storing certificates, encrypted keys, or small config blobs on the authenticator itself.

credProtect controls credential discoverability on CTAP2 authenticators:

• Level 1 (userVerificationOptional): Default. Credential visible in any assertion.
• Level 2 (userVerificationOptionalWithCredentialIDList): Only discoverable if the RP provides the credential ID in allowList.
• Level 3 (userVerificationRequired): Only usable with user verification (PIN/biometric). Strongest protection.

The minPinLength extension lets the RP request the authenticator's configured minimum PIN length during registration. This can inform the RP about the authenticator's security policy. Only CTAP 2.1+ authenticators with PIN configured will return this value.