How to limit a user to registering 10000000 passkeys?
I am using passkeys for my app, but a user can register over and over again with the same device, which is bad for us, and we cannot find a way to limit one user to registering only one account. We cannot get the device ID or any unique identifier like a phone number. So how do we solve this?
It's unclear whether you're trying to prevent people from creating multiple accounts, or create multiple passkeys for a single account.
It's generally not possible (or a good idea) to prevent users from creating multiple distinct accounts from a single device. A device is not a credential, nor is it guaranteed to represent a single human. There are many legitimate reasons that a user may have multiple accounts for a service, and people frequently share access to devices. People also frequently have multiple devices and expect their accounts to work across all of them. Passkeys cannot be bound to a device or tied to a unique human identifier.
If you want to prevent a user from creating multiple passkeys for a single account on a device, that is fully supported. While accounts supporting passkeys should allow you to have multiple passkeys for the same account (e.g. if you have an iPhone and a Windows PC, each may have its own passkey for the same account), it doesn't make sense to have multiple passkeys for the same account on the same device. For that, passkeys have a concept known as the userHandle or userID. This is a unique identifier for the account that the passkey is bound to, and should be the same for all passkeys for a single account. When a user registers a second passkey for an account on a device that already has a passkey for that account (i.e. the userHandle matches), the original passkey will be overwritten with the new one.
In our app we will give 1000 dollars per account, so I have to limit the user from registering many accounts. The userID you mentioned, how do I set it to the device ID or iCloud ID? Right now our userID is just the same as the username. I also found there is an aaguid for the authenticator, but we got "aaguid": "00000000-0000-0000-0000-000000000000" from an iPhone.