The PRF extension to WebAuthn allows a hash message authentication code (HMAC), stored on the security key, to be evaluated when getting a credential. This can be used to derive secret keys used to encrypt user data.



Specification link

Unknown standards status - check spec link for status

Status in Chromium


On hold (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • No signal
  • No signal
  • No signals


Intent to Prototype url

Intent to Prototype thread

Search tags

webauthn, prf, hmac,

Last updated on 2021-12-17