---
url: 'https://www.corbado.com/blog/passkeys-privacy'
title: 'Passkeys & Privacy: Misconceptions by Users'
description: 'Learn how passkeys enhance privacy by design, avoid tracking, and protect user data like PII'
lang: 'en'
author: 'Alex'
date: '2025-04-02T15:44:31.614Z'
lastModified: '2026-03-27T07:01:16.706Z'
keywords: 'passkey privacy, passkey user anonymous, passkeys privacy, passkey PII, passkey data, passkey personal identifiable information, passkey gdpr, passkey ccpa'
category: 'Authentication'
---

# Passkeys & Privacy: Misconceptions by Users

## Key Facts

- Passkeys are more private than passwords and social logins: biometric data never leaves
  the device and unique key pairs per site prevent **cross-site tracking**.
- **Biometric authentication** with passkeys is purely local: fingerprint or face data
  unlocks a private cryptographic key on-device and is never transmitted to servers or
  third parties.
- Passkeys support **GDPR's data minimization principle** by eliminating stored
  passwords and letting the login run on technical identifiers instead of personal
  information.
- **Key Presence Privacy** ensures servers cannot detect whether a user has passkeys on
  their device without explicit user consent.
- Full **CCPA compliance** requires the FIDO Alliance's Credential Exchange Protocol
  (CXP), currently in draft status, to be published.

## 1. Introduction: Passkeys and Privacy

When talking about passkeys as a new authentication method, the topics that usually come
up are improved UX, increased security through
[phishing](https://www.corbado.com/glossary/phishing)-resistant MFA, or the cost savings
that come from replacing SMS OTPs and reducing password and account recovery effort.
Privacy, however, is rarely discussed in the context of passkey authentication, which is
why there are many misconceptions around it. In this blog we answer the following
questions related to the privacy of passkey authentication:

- How does [passkey creation](https://www.corbado.com/blog/passkey-creation-best-practices) work from a privacy
  point of view?

- Are passkeys better or worse than passwords for
  [user privacy](https://www.corbado.com/faq/ensure-gdpr-compliance-with-passkeys)?

- Which regulations are important when it comes to privacy for authentication?

## 2. Passkey functionality from a privacy point of view

Passkeys are [digital credentials](https://www.corbado.com/blog/digital-credentials-api) based on the
[**WebAuthentication (WebAuthn)**](https://www.corbado.com/glossary/webauthn) standard,
published by the W3C and developed together with the
[**FIDO Alliance**](https://fidoalliance.org/) and major platform providers like Apple,
Google, and Microsoft. They replace traditional passwords with
[**cryptographic key pairs**](https://www.corbado.com/glossary/public-key-cryptography)
that make login both more secure and more convenient, and they have been designed with
[user privacy](https://www.corbado.com/faq/ensure-gdpr-compliance-with-passkeys) in mind from the start. When
you register for a website or an app that supports passkeys, the process looks like this:

### 2.1 Passkey creation and login

1. A unique key pair is generated on your device: the public key is sent to and stored by
   the server, the private key stays securely on your device.

2. During login, the app/website sends a random challenge to your device, which signs it
   with the private key. To unlock the private key, local
   [biometric authentication](https://www.corbado.com/blog/passkeys-biometric-authentication) (or a device
   PIN) is performed first.

3. The server verifies the signature with the stored public key to complete the login.

In step 2, the use of [Face ID](https://www.corbado.com/faq/is-face-id-passkey) or Touch ID can give the
user the false impression that sensitive (biometric) information is being sent to the
server. The opposite is true: neither the private key nor the biometric data ever leave
the user's device. The biometric check only unlocks the private key locally, and the
private key then signs the challenge on the device. The only thing sent to the server is
the signature together with the non-secret data it covers.

### 2.2 Biometric authentication

On most modern devices, passkeys are protected by biometric methods like
[Face ID](https://www.corbado.com/faq/is-face-id-passkey) or Touch ID (or, as a fallback, the device PIN or
passcode). Together with possession of the device that holds the private key, this local
user verification makes passkey technology [phishing](https://www.corbado.com/glossary/phishing)-resistant
[2FA](https://www.corbado.com/blog/passkeys-vs-2fa-security)/MFA.

The biometric check authorizes use of the private key, which is protected by the device's
hardware security ([secure enclave](https://www.corbado.com/glossary/secure-enclave), TPM or TEE).
Biometric data is never part of the passkey itself; it is only used to unlock access to
the private key on the device.

- The biometric check happens locally (it is the same mechanism as unlocking the device).

- No biometric data is sent to websites or stored by third parties.

## 3. Passkey authentication with privacy by design

Passkeys are developed with **privacy by design** in mind. In fact, privacy is a
first-class principle: the protocols and systems that support passkeys are intentionally
built to avoid sharing user data that is not needed for authentication.

### 3.1 No cross-site tracking

A major privacy concern with [social login](https://www.corbado.com/glossary/social-login) systems (like Google
login, Apple login etc.) is the potential for tracking users across websites.

Over time, this allows for tracking of:

- Which websites you visit

- How long you stay on pages

- What products you look at

Passkeys avoid this entirely, making them **more private than social logins**: a separate
key pair and credential ID is created for each website or app
([relying party](https://www.corbado.com/glossary/relying-party)), so there is no shared
identifier that another site could use to link your logins. This concerns the credential
itself; passkeys do not by themselves replace other tracking protections such as cookie
controls.

### 3.2 End-to-End encryption

When stored or synced across devices (e.g. via
[iCloud Keychain](https://www.corbado.com/glossary/icloud-keychain) or
[Google Password Manager](https://www.corbado.com/blog/how-to-use-google-password-manager)), passkeys are
**end-to-end encrypted**.

- Only the user can access them.

- Even the cloud provider (e.g. Apple, Google) cannot use, view, or extract the passkeys.

- Encryption ensures that passkeys remain private even during backup and syncing.

This ensures both **security and privacy**, even when data is stored remotely in the
Keychain/Passwords Manager.

### 3.3 User control and transparency

Passkeys are stored:

- **Locally** on a user’s device and

- **Securely backed up** to the user’s chosen cloud service (in case of synced passkeys)

In both cases, users retain control over where their credentials are stored. The storage
is transparent as users know whether syncing is enabled, and which devices have access.

This makes passkeys a strong fit for users who care about data sovereignty and digital
autonomy.

### 3.4 Key presence privacy

**Key Presence Privacy** refers to the property of an authentication system, such as those
using passkeys or WebAuthn, where the **server cannot determine whether a private key
exists on a client device until the user actively attempts to authenticate**. This is an
important protection mechanism that prevents websites from detecting whether a user has
passkeys without explicit user consent and ensures servers cannot probe or scan for
existing passkeys on a device.

In order to ensure best-in-class UX regardless, Corbado uses **Passkey Intelligence**, a
system that optimizes passkey authentication by deciding when
[passkey login](https://www.corbado.com/blog/passkey-login-best-practices) should be offered to the user. It
adapts to the user's device context and reduces failed authentication attempts for people
who have not created a passkey yet.

## 4. Addressing common privacy concerns and misconceptions of users

As with any technology, passkeys raise questions and uncertainties for users. Many
concerns stem from confusion about how the technology works or assumptions based on past
experiences with passwords or biometrics. Especially for passkey rollouts it is important
to educate the users to avoid confusions like these:

### 4.1 “Is my biometric data sent to the website when I log in with a passkey?”

<u>**Misconception:**</u> Websites get access to my fingerprint or face data

<u>**Actual Truth:**</u> No. Biometric data like your fingerprint or facial scan **never
leaves your personal device**. When you use biometrics with a passkey, your device
performs a **local authentication**. If it succeeds, the device unlocks the **private
cryptographic key** and uses it to sign the server's challenge. Only the signature is
sent back to the server, which verifies it with your public key and logs you in.

At no point is your biometric information transmitted, stored externally or exposed to the
app, website or platform provider.

Biometrics serve only as a gatekeeper for the private key of the passkey; the **actual
login happens using public-key cryptography**, not personal data.

### 4.2 “Can companies track me across different websites using passkeys?”

<u>**Misconception:**</u> Passkeys make it easier for companies to track my activity
across the web than [social login](https://www.corbado.com/glossary/social-login).

<u>**Actual Truth:**</u> Passkeys are **uniquely generated per website or app**, meaning
each site or app (relying party) gets its own dedicated public-private key pair. There is
no shared identifier or key that links your activity between services.

In fact, passkeys are far more private than using federated logins like “Sign in with
Google” or “Login with [Facebook](https://www.corbado.com/blog/facebook-passkeys),” which do create
cross-service identifiers.

### 4.3 “What happens if I lose my phone or laptop? Will I lose all my accounts?”

<u>**Misconception:**</u> If I lose my device, I lose access to everything.

<u>**Actual Truth:**</u> Losing a device doesn’t mean losing your passkeys.

Passkeys are usually backed up through **cloud services** like
[iCloud Keychain](https://www.corbado.com/glossary/icloud-keychain) (Apple),
[Google Password Manager](https://www.corbado.com/blog/how-to-use-google-password-manager) or a third-party
password manager. They are synced with **end-to-end encryption**, so only you can access
them. After restoring your account on a new device, you can use your passkey there,
unlocking it with that device's biometrics (or its PIN or passcode). Device-bound
passkeys, which are never synced, are the exception: they are lost with the device, so a
second authenticator or another recovery method should be registered for such accounts.

### 4.4 “Can my employer access my personal passkeys on a work device?”

<u>**Misconception:**</u> My employer can see and control all my passkeys.

<u>**Actual Truth:**</u> Personal and work credentials are **usually separated**. Even if
you use a work-[managed device](https://www.corbado.com/blog/passkeys-managed-ios-android-testing), passkeys for
personal accounts are stored in a different context (e.g. a personal profile or your own
cloud account), require your local user verification to be used and cannot be used by
your employer. Enterprise device management tools can enforce policies on work-related
data but do not grant access to personal biometric data or personal passkeys.

### 4.5 “Where are my passkeys actually stored and who controls them?”

<u>**Misconception:**</u> My data is stored on company servers where they can access it
anytime.

<u>**Actual Truth:**</u> Passkeys are stored **locally on your device**, protected by its
hardware security: the **Trusted Platform Module (TPM)** on Windows, the **Trusted
Execution Environment** on [Android](https://www.corbado.com/blog/how-to-enable-passkeys-android) or the **Secure
Enclave** on Apple devices (these are built-in security chips or environments, not
separate hardware security modules). When passkeys are synced, they are additionally
stored in your personal **cloud account**, such as iCloud or Google. These backups are
**end-to-end encrypted**, meaning not even the cloud provider can access your passkeys.

## 5. Which privacy compliance regulations are fulfilled by passkey authentication?

Passkeys are well-suited to several privacy compliance frameworks due to their inherent
security features and alignment with modern regulatory standards. Compliance is always a
property of the overall system, not of the credential alone; the frameworks that passkey
authentication helps to fulfil include:

### 5.1 Passkeys are GDPR (General Data Protection Regulation) Compliant

- **Data Minimization**: Passkeys remove the need to store passwords, and a relying party
  can run the login on technical identifiers (credential ID, user handle) instead of
  personal identifiers, aligning with GDPR's data minimization principle.

- **Encryption**: Passkeys use public-key cryptography, so the server stores only a
  public key, which is useless to an attacker on its own. This supports GDPR's emphasis
  on appropriate technical measures such as encryption.

### 5.2 PSD2 (Revised Payment Services Directive)

**Strong Customer Authentication (SCA)**: Passkeys meet SCA requirements by providing
independent factors of authentication and [phishing](https://www.corbado.com/glossary/phishing) resistance.
Compliance of synced passkeys is more nuanced since there is no strict device binding like
with non-synced passkeys, and currently there is no explicit ruling from the EBA (European
[Banking](https://www.corbado.com/passkeys-for-banking) Authority) on synced passkeys. Please see our series on
passkeys and [PSD2](https://www.corbado.com/blog/psd2-passkeys) / SCA for more details:

- Device-Bound vs. Synced Passkeys

- Analysis of [PSD2](https://www.corbado.com/blog/psd2-passkeys) & SCA Requirements

- What SCA Requirements Mean for Passkeys

- [PSD3](https://www.corbado.com/blog/psd3-psr-passkeys) / [PSR](https://www.corbado.com/blog/psd3-psr-passkeys) Implications for
  Passkeys

- [PSD2](https://www.corbado.com/blog/psd2-passkeys) Passkeys: Phishing-Resistant
  [PSD2-Compliant](https://www.corbado.com/blog/psd2-passkeys) MFA

### 5.3 CCPA (California Consumer Privacy Act)

- **Data Portability:** Not fully covered yet. Passkeys will support data portability
  between credential providers once the Credential Exchange Protocol (CXP), which is
  currently in draft stage at the
  [FIDO Alliance](https://www.corbado.com/glossary/fido-alliance) and aligned with the CCPA's
  requirements, is published.

- **Data Minimization**: Eliminating the need to store passwords helps passkeys support
  the CCPA’s objective of minimizing data collection and reducing the risk of exposure.

- **Stronger Security**: Passkeys rely on cryptographic methods, aligning with the CCPA’s
  mandate for implementing reasonable security measures to protect consumer data.

- **Access**: Built on [FIDO2](https://www.corbado.com/glossary/fido2) standards, passkeys work across
  platforms and devices, supporting the CCPA’s provision for user access; portability
  between providers depends on CXP as described above.

In order for passkeys to be completely compliant with the CCPA, the Credential Exchange
Protocol (CXP), which is currently in draft status, has to be published by the
[FIDO Alliance](https://www.corbado.com/glossary/fido-alliance).

### 5.4 NIST Guidelines (National Institute of Standards and Technology)

**Phishing-resistance:** Passkeys are recognized by [NIST](https://www.corbado.com/blog/nist-passkeys) as a
phishing-resistant authentication method, aligning with the latest
[NIST](https://www.corbado.com/blog/nist-passkeys) digital identity guidelines (SP 800-63B):

- **Synced Passkeys**: Align with [Authenticator](https://www.corbado.com/glossary/authenticator) Assurance Level
  2 ([AAL2](https://www.corbado.com/blog/nist-passkeys)), which requires multi-factor authentication.

- **Device-bound Passkeys:** Align with [Authenticator](https://www.corbado.com/glossary/authenticator)
  Assurance Level 3 ([AAL3](https://www.corbado.com/blog/nist-passkeys)), which additionally requires
  hardware-based [authenticators](https://www.corbado.com/glossary/authenticator) with non-exportable
  private keys and phishing resistance.

## 6. Why Corbado Connect is specialized in privacy

To ensure best-in-class privacy for enterprise customers, Corbado Connect offers the
possibility to add passkeys to an existing authentication solution with a few key aspects
regarding user data:

1. **No permanent storage of Personally Identifiable Information (PII):** Once a passkey
   is created, personal information is not retained. Only the minimum of required data is
   processed temporarily, and unique technical identifiers are used instead of personal
   information.

2. **Data minimization approach:** Corbado Connect only requires essential data: unique
   identifiers (e.g. hash, UUID, account ID), the IP address (temporarily, for rate
   limiting only) and the
   [User agent](https://www.corbado.com/blog/client-hints-user-agent-chrome-safari-firefox) and/or Client Hint
   information (for device management only). All other data remains in your existing
   systems.

3. **Backend integration design:** Critical authentication data is kept within your
   systems, maintaining your backend as the primary data store. Existing data governance
   standards are respected.

4. **Privacy-First Architecture:** Corbado Connect is GDPR-compliant by design. It works
   with your current data structures and maintains data sovereignty.

## 7. Conclusion

In conclusion, most privacy concerns about passkey authentication turn out to be
unfounded: no personal data is shared, biometrics always stay on-device and there is no
tracking across sites. This makes passkey authentication better than password
authentication from a privacy point of view. We also answered a few other questions in
this blog:

- **How does passkey creation work from a privacy point of view?**
  [Passkey creation](https://www.corbado.com/blog/passkey-creation-best-practices) generates a unique
  cryptographic key pair on your device. The private key stays securely on your device,
  while the public key is sent to the website. No personal or biometric data is shared,
  ensuring strong privacy.

- **Are passkeys better or worse than passwords for user privacy?** Passkeys are better
  for [user privacy](https://www.corbado.com/faq/ensure-gdpr-compliance-with-passkeys) as they don’t store or
  transmit personal data, can’t be reused or phished, and prevent tracking across sites
  thanks to unique key pairs per service.

- **Which regulations are important when it comes to authentication privacy?** Common
  frameworks that regulate privacy for authentication include: GDPR, PSD2,
  [NIST](https://www.corbado.com/blog/nist-passkeys) Guidelines. Since passkeys offer best-in-class security
  standards with phishing-resistant MFA they comply with the mentioned frameworks. As soon
  as the [FIDO Alliance](https://www.corbado.com/glossary/fido-alliance) releases the Credential Exchange
  Protocol (CXP), passkeys will also be compliant with the California Consumer Privacy
  Act.

## Frequently Asked Questions

### Why are passkeys more private than signing in with Google or Facebook?

Passkeys generate a unique public-private key pair for each website, so no shared
identifier links a user's activity across services. Federated logins like 'Sign in with
Google' create cross-service identifiers that enable tracking across sites. Passkeys avoid
this tracking mechanism entirely by design.

### What is Key Presence Privacy in passkey authentication?

Key Presence Privacy is a property of passkey authentication where the server cannot
determine whether a private key exists on a client device until the user actively attempts
to authenticate. This prevents websites from probing or scanning for existing passkeys on
a device without explicit user consent.

### Are synced passkeys fully compliant with PSD2 Strong Customer Authentication requirements?

Synced passkey compliance with PSD2 Strong Customer Authentication is nuanced because
synced passkeys lack the strict device binding of device-bound passkeys. The European
Banking Authority has not issued an explicit ruling on synced passkeys, making compliance
less clear-cut than with device-bound passkeys.

### What personal data does a passkey authentication provider actually store about users?

Corbado Connect avoids permanent storage of personally identifiable information: once a
passkey is created, personal data is not retained. Only essential data is processed
temporarily, including unique technical identifiers like UUIDs, a temporary IP address for
rate limiting and user agent data for device management.

### When will passkeys be fully compliant with CCPA data portability requirements?

Full CCPA compliance for passkeys requires the FIDO Alliance's Credential Exchange
Protocol (CXP) to be published, which is currently in draft status. Until CXP is
finalized, data portability remains an outstanding CCPA gap for passkey implementations,
though passkeys already satisfy CCPA data minimization and reasonable security
requirements.
