Product Documentation

When excludeCredentials is enabled, a list identifying previously generated credentials is sent to the Authenticators during registration. The Authenticator checks whether it generated any of these credentials itself and, if so, rejects the operation. This avoids having an Authenticator needlessly create another credential for the same account and RP. Multiple credentials for the same account add no functionality beyond what a single credential provides; the user authenticates with their username and Authenticator in the same way using a single credential associated with their account.

  • enabled: Sends the list of credential information, which avoids duplicate credential creation.
  • disabled: Does not send the list of credential information; duplicate credential creation is possible.
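
The following added example (not code from this product) shows how a relying party could populate `excludeCredentials` in WebAuthn registration options, together with a small model of the check the Authenticator performs. The function names, the `excludeEnabled` flag, `rp.example` and all sample data are assumptions made for illustration.

```javascript
// Hypothetical helper: base64url-encode raw bytes, as used in the JSON form of the options.
const toB64url = (bytes) =>
  Buffer.from(bytes).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Build registration options for one account. With excludeEnabled, every
// credential already stored for the account is listed as a descriptor.
function buildCreationOptions({ user, storedCredentials, challenge, excludeEnabled }) {
  const options = {
    rp: { id: 'rp.example', name: 'Example RP' }, // placeholder RP
    user: { id: toB64url(user.handle), name: user.name, displayName: user.name },
    challenge: toB64url(challenge),
    pubKeyCredParams: [{ type: 'public-key', alg: -7 }], // COSE ES256
    excludeCredentials: [],
  };
  if (excludeEnabled) {
    options.excludeCredentials = storedCredentials.map((c) => ({
      type: 'public-key',
      id: toB64url(c.credentialId),
      ...(c.transports ? { transports: c.transports } : {}),
    }));
  }
  return options;
}

// Simplified model of the Authenticator-side check: if it already holds one of
// the listed credentials, registration is refused (a browser surfaces this to
// the page as an InvalidStateError); otherwise a new credential is created.
function modelAuthenticatorCheck(options, idsOnAuthenticator) {
  const held = new Set(idsOnAuthenticator.map(toB64url));
  const duplicate = options.excludeCredentials.some((d) => held.has(d.id));
  return duplicate ? 'InvalidStateError' : 'created';
}

// Constructed sample data.
const alice = { handle: Uint8Array.of(1, 2, 3, 4), name: 'alice' };
const stored = [{ credentialId: Uint8Array.of(0xaa, 0xbb, 0xcc), transports: ['usb'] }];
const challenge = new Uint8Array(32).fill(7); // fixed here; must be random per ceremony

const enabled = buildCreationOptions({ user: alice, storedCredentials: stored, challenge, excludeEnabled: true });
const disabled = buildCreationOptions({ user: alice, storedCredentials: stored, challenge, excludeEnabled: false });
console.log(modelAuthenticatorCheck(enabled, [stored[0].credentialId]));  // same Authenticator again
console.log(modelAuthenticatorCheck(disabled, [stored[0].credentialId])); // duplicate goes unnoticed
```

An Authenticator that holds none of the listed credentials still registers normally, so a user can enroll a second, different Authenticator while the setting is enabled.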