The PRF extension to WebAuthn allows a hash-based message authentication code (HMAC), stored on the security key, to be evaluated when getting a credential. This can be used to derive secret keys for encrypting user data.



Editor's draft

Status in Chromium


In development (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • No signal
  • Positive
  • No signal
  • No signals


Intent to Prototype url

Intent to Prototype thread

Search tags

webauthn, prf, hmac

Last updated on 2021-05-30