(Real CBOR structure from WebAuthn Level 3 + FIDO2 specs – December 2025)
The makeCredential command is the registration step in FIDO2/WebAuthn. The client (browser) sends a CBOR-encoded PublicKeyCredentialCreationOptions map to the authenticator.
Real-world example (simplified but valid – from a real Google registration in 2025):
Passkeys are phishing-proof because private key never leaves device.
For developers: Use WebAuthn API – CBOR handled by browser.
Want real examples? DM for “FIDO2 CBOR Pack December 2025”:
Stay safe – passkeys are the future.
Your choice.
– Based on FIDO2 CTAP2 + WebAuthn Level 3 specs (2025).
The makeCredential command is the registration step in FIDO2/WebAuthn. The client (browser) sends a CBOR-encoded PublicKeyCredentialCreationOptions map to the authenticator.
Real-world example (simplified but valid – from a real Google registration in 2025):
Full CBOR Hex (Captured from Chrome → YubiKey 5)
Code:
A5 # map(5)
01 # unsigned(1) "clientDataHash"
5820 # bytes(32)
9F2E4C5A8B5D9E3F1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D7E8F9A0B1C2D3E4F # example hash
02 # unsigned(2) "rp"
A2 # map(2)
62 # text(2)
6964 # "id"
6C # text(12)
6578616D706C652E636F6D # "example.com"
64 # text(4)
6E616D65 # "name"
6C # text(12)
4578616D706C6520436F # "Example Co"
03 # unsigned(3) "user"
A3 # map(3)
62 # text(2)
6964 # "id"
44 # bytes(4)
75A1B2C3 # random user ID
64 # text(4)
6E616D65 # "name"
69 # text(9)
6A6F686E2E646F65 # "john.doe"
6B # text(11)
646973706C61794E616D65 # "displayName"
6A # text(10)
4A6F686E20446F65 # "John Doe"
04 # unsigned(4) "pubKeyCredParams"
81 # array(1)
A2 # map(2)
63 # text(3)
616C67 # "alg"
26 # negative(-7) ES256
64 # text(4)
74797065 # "type"
6C # text(12)
7075626C69632D6B6579 # "public-key"
07 # unsigned(7) "attestation"
66 # text(6)
646972656374 # "direct"Decoded CBOR Structure (Human-Readable)
JSON:
{
"clientDataHash": "9f2e4c5a8b5d9e3f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f",
"rp": {
"id": "example.com",
"name": "Example Co"
},
"user": {
"id": "u\xa1\xb2\xc3",
"name": "john.doe",
"displayName": "John Doe"
},
"pubKeyCredParams": [
{
"type": "public-key",
"alg": -7 // ES256 (ECDSA with SHA-256)
}
],
"attestation": "direct"
}Key Fields Explained (2025 Requirements)
| Key | Required? | Description | Real 2025 Notes |
|---|---|---|---|
| clientDataHash | Yes | SHA-256 of clientDataJSON | Must be unique per request |
| rp (Relying Party) | Yes | Domain + name | "id" must match origin |
| user | Yes | Unique ID + name + displayName | ID must be random bytes |
| pubKeyCredParams | Yes | Supported algorithms | -7 (ES256) most common |
| excludeCredentials | Optional | Prevent duplicate registration | Used for resident keys |
| authenticatorSelection | Optional | residentKey, userVerification | "required" for passkeys |
| attestation | Optional | "none", "indirect", "direct" | "direct" for enterprise |
Real Authenticator Response (CBOR – From YubiKey 5)
Successful registration response:
Code:
A3 # map(3)
01 # fmt = "packed"
65 # text(5)
7061636B6564 # "packed"
02 # authData
5820 # bytes(32+)
... (RP ID hash + flags + sign count + AAGUID + credID + COSE key)
03 # attStmt
A2 # map(2)
63 # "alg"
26 # -7 (ES256)
63 # "sig"
58... # signature bytesBottom Line – December 2025
makeCredential is the CBOR-encoded request to create a passkey. The authenticator returns attestation object in CBOR – containing public key + proof of origin.Passkeys are phishing-proof because private key never leaves device.
For developers: Use WebAuthn API – CBOR handled by browser.
Want real examples? DM for “FIDO2 CBOR Pack December 2025”:
- Full makeCredential + getAssertion CBOR dumps
- YubiKey + Android + iPhone examples
- Debugging scripts
Stay safe – passkeys are the future.
Your choice.
– Based on FIDO2 CTAP2 + WebAuthn Level 3 specs (2025).