Where does credential management api store webauthn related data

Question

WebAuthn includes an extension of the credential management api that allows you to work with public keys. I can go to the chrome settings and check managed passwords to see which username/passwords i have chosen to store in the browser using the credential management api. Few questions related to webauthn+credential management api combination.

1. What info does browser store when we successfully create a credential?
2. Can we access this info from chrome settings (or some other way)?

Answer 1

It's a loaded question, both answers from thangcao and mackie are to the point, here is a bit more details.

• "Authenticator" is separate from browser -- just to emphasize this.
• Authenticators could be "platform authenticator", built into client devices such as Android phones and Windows Hello or "roaming authenticator", a separate/external piece of hardware, such as Yubikey that you can use on several devices.
• Authenticator is the one to create and store "credentials", which is in public/private key scheme. Browsers can obtain public keys (meant to be public) from authenticators through credential management APIs, but never private keys. Authentcation process is done inside authenticators, browsers simply pass along information between clients(users/app) and authenticators.
• There is no equivalent "password management" on Chrome settings to manage your "WebAuthn private information", because credentials are not in browsers; more so, several browsers could use the same authenticator, with the same set of public/private key credentials.

Last but not least, your question: "Can we access this info from chrome settings (or some other way)?"

Answer: Unless authenticator vendors build some backdoors. If that's the case, the backdoor is not for you, but for hackers to obtain all your private keys.