Enhancing Web Security with the Permissions-Policy Publickey-Credentials-Get Directive
The Permissions-Policy HTTP response header (formerly known as Feature-Policy) is a critical security tool that allows website owners to control which browser features and APIs their web pages can access.
One of the most significant and security-sensitive directives within this policy is the "publickey-credentials-get" directive, which governs access to the WebAuthn API—an API that enables secure authentication using public-key cryptography. This API is essential for implementing modern, passwordless login methods and multi-factor authentication (MFA), where credentials are stored on a hardware token, such as a security key, or on the user's device (like biometric sensors).
History and Origin of Permissions-Policy
The Permissions-Policy header was introduced by Google in 2018 under the name Feature-Policy to allow developers to exercise more granular control over browser features. As web applications became increasingly sophisticated, accessing more powerful APIs and hardware features, the need for tighter controls to prevent misuse grew.
The publickey-credentials-get directive was added as part of the security measures to protect access to the WebAuthn API, which facilitates secure, passwordless authentication using public key cryptography. WebAuthn was introduced by the World Wide Web Consortium (W3C) and the FIDO Alliance as part of a global effort to eliminate the weaknesses of traditional passwords, such as susceptibility to phishing and credential theft. However, the sensitive nature of this API—since it handles authentication credentials—meant that strict controls were needed to prevent malicious or unauthorised use.
What Does the Publickey-Credentials-Get Directive Do?
The "publickey-credentials-get" directive controls whether a website can access the Web Authentication (WebAuthn) API, which enables websites to perform secure, passwordless logins using public-key cryptography. This API supports authentication methods like hardware security keys (such as YubiKeys) or built-in device authentication (such as Windows Hello or Apple Face ID/Touch ID).
For example:
- Setting publickey-credentials-get=() will block all access to the WebAuthn API, preventing the site and any third-party content from initiating passwordless or multi-factor authentication.
- Setting publickey-credentials-get=* allows the website and all its embedded content (such as iframes or third-party scripts) to request WebAuthn credentials, which can pose security risks if not carefully controlled.
This directive provides website owners with the ability to ensure that only trusted components of their site can initiate authentication processes, preventing misuse of highly sensitive credential data.
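The following is an added example, not code from the original article: a small Python evaluator that parses a Permissions-Policy header value and works out whether publickey-credentials-get is enabled for the top-level document and for an embedded iframe. It is a simplified model of the browser's Permissions Policy algorithm (exact-string origins, header syntax only, no legacy Feature-Policy, the iframe allow attribute supplied as an already-parsed token list), and the origins and headers it uses (app.example, ads.example, idp.example) are constructed for illustration. It shows the weak setting (*), the default (self), and the corrected form that delegates only to a named identity-provider frame, and includes a check a reviewer can run over captured response headers.

```python
# Added example (not from the original article). Simplified model of the
# Permissions Policy algorithm for the publickey-credentials-get feature:
# origins are compared as exact strings, only header syntax is parsed, and
# the iframe allow= attribute is passed in as a list of tokens.

FEATURE = "publickey-credentials-get"
DEFAULT_ALLOWLIST = ["self"]  # browser default allowlist for this feature


def parse_permissions_policy(header):
    """Parse a Permissions-Policy header value into {feature: allowlist}.

    Accepted allowlist forms: *, () and (self "https://origin" ...).
    Results are token lists: ["*"], [] or ["self", "https://origin"].
    """
    policy = {}
    for item in header.split(","):
        item = item.strip()
        if not item:
            continue
        name, sep, value = item.partition("=")
        name, value = name.strip(), value.strip()
        if not sep:
            raise ValueError(f"missing '=' in policy item: {item!r}")
        if value == "*":
            policy[name] = ["*"]
        elif value.startswith("(") and value.endswith(")"):
            policy[name] = [tok.strip('"') for tok in value[1:-1].split()]
        else:
            raise ValueError(f"unsupported allowlist syntax: {item!r}")
    return policy


def allowlist_matches(allowlist, origin, self_origin, src_origin=None):
    """True if origin is covered by allowlist.

    'self' stands for self_origin (the document that declared the list);
    'src' (only meaningful in an iframe allow attribute) stands for the
    frame's own origin.
    """
    for tok in allowlist:
        if tok == "*" or tok == origin:
            return True
        if tok == "self" and origin == self_origin:
            return True
        if tok == "src" and src_origin is not None and origin == src_origin:
            return True
    return False


def feature_enabled_in_document(header, document_origin, origin):
    """Does a document served with header enable the feature for origin?

    An empty header, or one that does not mention the feature, falls back
    to the default allowlist 'self'.
    """
    policy = parse_permissions_policy(header) if header else {}
    allowlist = policy.get(FEATURE, DEFAULT_ALLOWLIST)
    return allowlist_matches(allowlist, origin, document_origin)


def feature_enabled_top_level(header, origin):
    """Is the feature enabled in the top-level document itself?"""
    return feature_enabled_in_document(header, origin, origin)


def feature_enabled_in_frame(parent_header, parent_origin, frame_origin,
                             iframe_allowlist=None, frame_header=""):
    """Is the feature enabled in an <iframe> at frame_origin?

    Simplified order: the parent's policy must enable the feature for the
    frame's origin; the iframe allow= attribute (iframe_allowlist; None means
    absent, so the default 'self' applies and only a same-origin frame
    qualifies) must delegate it; the frame's own header may still restrict it.
    """
    if not feature_enabled_in_document(parent_header, parent_origin, frame_origin):
        return False
    container = DEFAULT_ALLOWLIST if iframe_allowlist is None else iframe_allowlist
    if not allowlist_matches(container, frame_origin, parent_origin, frame_origin):
        return False
    return feature_enabled_top_level(frame_header, frame_origin)


def header_findings(header):
    """Flag settings a reviewer would query; an empty list means nothing to report."""
    policy = parse_permissions_policy(header) if header else {}
    allowlist = policy.get(FEATURE)
    findings = []
    if allowlist is None:
        findings.append(f"{FEATURE} not declared; relying on the browser default 'self'")
    elif allowlist == ["*"]:
        findings.append(f"{FEATURE}=* lets any embedded origin call WebAuthn")
    return findings


if __name__ == "__main__":
    # Constructed sample origins and headers.
    app, ads, idp = "https://app.example", "https://ads.example", "https://idp.example"
    weak = "publickey-credentials-get=*"
    strict = "publickey-credentials-get=(self)"
    delegated = 'publickey-credentials-get=(self "https://idp.example")'
    print(header_findings(weak))                                   # one finding
    print(feature_enabled_in_frame(weak, app, ads))                # False: no allow= on the frame
    print(feature_enabled_in_frame(weak, app, ads, ["src"]))       # True: any embedded origin
    print(feature_enabled_in_frame(strict, app, ads, ["src"]))     # False: header limits to self
    print(feature_enabled_in_frame(delegated, app, idp, ["src"]))  # True: only the named IdP
```

The evaluator makes the two-gate nature of the policy visible: a wildcard header alone does not enable the API in a cross-origin frame until the embedding page also delegates it with the allow attribute, whereas a header restricted to self (or to named origins) blocks delegation regardless of the attribute. Running header_findings over a site's captured responses is a quick way to spot the wildcard form.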
Why Was It Added?
The publickey-credentials-get directive was introduced to address several critical concerns related to secure authentication and the protection of user credentials:
- Preventing Unauthorised Access to WebAuthn: The WebAuthn API enables websites to access sensitive credential data stored in hardware security tokens or on users’ devices. Without the proper controls, malicious websites or third-party scripts could attempt to initiate authentication requests or harvest credentials. By controlling access to the WebAuthn API through the publickey-credentials-get directive, developers can prevent unauthorised entities from using this powerful authentication method.
- Mitigating Phishing and Credential Theft: Traditional password-based authentication is vulnerable to phishing attacks, where users are tricked into providing their login credentials to malicious actors. The WebAuthn API is designed to protect against these attacks by using public-key cryptography that binds credentials to specific websites, making it difficult for attackers to reuse them. However, if unauthorised or untrusted content can access the WebAuthn API, there is still a risk of phishing-style attacks that trick users into providing credentials. The publickey-credentials-get directive helps mitigate this risk by ensuring that only trusted parts of a website can initiate WebAuthn requests.
- Strengthening User Privacy and Security: When a website requests access to a user’s authentication credentials, it is accessing highly sensitive information. Misuse of the WebAuthn API could compromise user privacy or even lead to identity theft. The publickey-credentials-get directive ensures that access to this API is carefully controlled, protecting users from potential misuse and strengthening the overall security of the website.
Use Cases It Guards Against
The publickey-credentials-get directive is essential for protecting against several problematic scenarios:
- Unauthorised Authentication Requests: Without the proper restrictions, malicious third-party content or compromised websites could attempt to initiate authentication requests through the WebAuthn API. This could lead to the theft or misuse of credentials. By restricting access through the publickey-credentials-get directive, website owners can prevent untrusted content from making these requests.
- Phishing Attacks Using WebAuthn: Even though WebAuthn is designed to protect against phishing by binding credentials to specific domains, attackers could still try to deceive users into completing authentication requests for fraudulent websites. By properly configuring the publickey-credentials-get directive, website owners can ensure that only trusted, first-party content can trigger WebAuthn requests, reducing the risk of phishing attacks.
- Third-Party Misuse of Authentication Credentials: Many websites embed third-party content, such as social media widgets, analytics tools, or advertisements, which could potentially request access to sensitive features like the WebAuthn API. If these third-party elements are not trusted, they could misuse the API to collect or manipulate user authentication data. The publickey-credentials-get directive prevents such misuse by ensuring that only authorised content can interact with the WebAuthn API.
- Privacy Violations: Misusing the WebAuthn API could expose users to privacy risks, as their authentication methods (such as biometric data or security key usage) are linked to their identity. Ensuring that access to this API is restricted to trusted content helps maintain user privacy and prevents unauthorised access to this sensitive data.
Why Should You Set Permissions-Policy Publickey-Credentials-Get Correctly?
There are several compelling reasons why website owners should configure the publickey-credentials-get directive properly:
- Protecting User Authentication Data: Authentication credentials are highly sensitive, and misuse of the WebAuthn API could lead to data theft, unauthorised access, or even identity theft. By setting the publickey-credentials-get directive to restrict access, website owners can ensure that only trusted parts of their site can initiate authentication requests, protecting users from credential theft.
- Preventing Phishing Attacks: WebAuthn is an important tool in the fight against phishing, but if unauthorised content can access this API, it could still be exploited for phishing-style attacks. Configuring the publickey-credentials-get directive correctly helps prevent untrusted third-party content from misusing the API, reducing the likelihood of users falling victim to phishing attempts.
- Complying with Privacy Regulations: Protecting user data, including authentication credentials, is a requirement under many data protection regulations such as GDPR. Mismanaging access to the WebAuthn API could lead to privacy violations, legal liabilities, and regulatory fines. By enforcing strict controls over who can access this API, website owners can ensure compliance with privacy laws and protect their users’ personal data.
- Building Trust with Users: Users expect modern websites to offer secure, passwordless authentication methods, but they also expect their credentials to be handled responsibly. By properly configuring the publickey-credentials-get directive, website owners demonstrate a commitment to protecting user data, helping to build trust and ensure a positive, secure user experience.
- Minimising the Attack Surface: Following the principle of least privilege, websites should only allow access to sensitive APIs when absolutely necessary. By restricting the WebAuthn API through the publickey-credentials-get directive, website owners can minimise the attack surface, making it harder for malicious actors to exploit weaknesses and reducing the overall risk to the site.
Conclusion: Ensuring Secure Authentication with Publickey-Credentials-Get
The Permissions-Policy publickey-credentials-get directive is a critical tool for managing access to the WebAuthn API, which facilitates passwordless and multi-factor authentication using public-key cryptography. While this API is essential for enhancing security and reducing reliance on passwords, it also presents significant risks if misused. Properly configuring the publickey-credentials-get directive is vital for preventing unauthorised access to user credentials, mitigating phishing attacks, and ensuring user privacy.
In today’s digital landscape, where secure authentication is increasingly important, setting the publickey-credentials-get directive correctly is not only a best practice but a necessity for protecting users and building trust. By managing access to the WebAuthn API responsibly, website owners can ensure a safe and secure environment for all users, while also maintaining compliance with modern data protection regulations.