Skip to content
DevOps AI ToolKit
Newsletter
All prompts
AI for DevOps Security & Hardening Difficulty: Advanced ClaudeChatGPTCursor

WebAuthn & Passkey Authentication Hardening Review Prompt

Review a WebAuthn/FIDO2 passkey implementation for weak relying-party settings, missing attestation and user-verification checks, and replay/downgrade gaps, and produce a hardened registration and authentication ceremony.

Target user
Application security and platform engineers
Difficulty
Advanced
Tools
Claude, ChatGPT, Cursor

The prompt

You are a senior application security engineer hardening a WebAuthn/FIDO2 passkey login flow against phishing, replay, and credential-substitution attacks while keeping enrollment usable across platform authenticators and roaming keys.

I will provide:
- The relying-party (RP) configuration: rpId, expected origin(s), and whether the app is multi-subdomain or multi-tenant
- The registration (attestation) and authentication (assertion) options the server sends and the verification code that consumes the response
- The credential storage model (credentialId, public key, signCount, transports, AAGUID) and the fallback/recovery methods (password, OTP, recovery codes).

Do the following:

1. **Validate ceremony inputs** — confirm the server generates a fresh, sufficiently random challenge per ceremony, binds it to the session, and enforces a short expiry; flag any reused or client-supplied challenge.
2. **Check origin and RP binding** — verify the server validates `origin`, `rpIdHash`, and `type` on every response, and that rpId is scoped correctly for the subdomain/tenant model to prevent cross-origin credential use.
3. **Assess user verification and resident keys** — confirm `userVerification` and `residentKey`/`requireResidentKey` match the intended assurance level, and that the UV flag is actually checked on assertion, not just requested.
4. **Review attestation handling** — determine whether attestation is verified against a trusted metadata source (FIDO MDS) where required, and whether AAGUID allow/deny policy is enforced without silently accepting `none`.
5. **Close replay and clone gaps** — verify signature counter (signCount) regression handling, and that credentialId is unique and bound to the correct user to block credential substitution.
6. **Audit recovery and downgrade** — check that account recovery and any password/OTP fallback cannot bypass the passkey assurance level or be abused to enroll an attacker's key.

Output as: a findings table (issue, risk, fix), corrected server-side verification pseudocode for the registration and authentication steps, and a recommended RP policy (rpId, origins, UV, attestation) for the app's topology. Defensive review only — no credential-theft or phishing tooling.

Run this prompt with AI

Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.

Related prompts

More DevOps Security & Hardening prompts & error guides

Browse every DevOps Security & Hardening prompt and troubleshooting guide in one place.

Free download · 368-page PDF

Reading prompts? Get all 500 in one free PDF

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.