Australian flagJoin us at the FIDO seminar in Melbourne – Feb 7, 2025!

How can businesses ensure no PII is permanently stored during passkey usage?

Vincent Delitz

Vincent

Created: January 8, 2025

Updated: January 9, 2025

Do you want to learn more?

Read full blog post

How Can Businesses Ensure No PII Is Permanently Stored During Passkey Usage?#

Passkeys are designed to enhance security while minimizing the use of Personally Identifiable Information (PII). By implementing best practices and using privacy-conscious systems, businesses can ensure no PII is permanently stored during passkey operations.

ensure no pii stored with passkeys

Key Strategies to Prevent PII Storage#

  1. Temporary Data Processing Only:

    • During passkey creation or login, PII such as an email address may be temporarily used for user identification.
    • Ensure this data is processed only for the duration of the operation and not stored permanently.
  2. Use Unique Identifiers:

    • Replace PII with system-generated unique identifiers (e.g., user UUIDs) to link passkeys with user accounts.
    • This ensures the passkey system operates without requiring sensitive user data.
  3. Encryption and Secure Transmission:

    • Encrypt all data transmitted during passkey authentication.
    • This reduces the risk of interception and ensures that temporary data is protected.
Substack Icon

Subscribe to our Passkeys Substack for the latest news, insights and strategies.

Subscribe
  1. Audit and Monitoring:

    • Regularly audit systems to confirm no PII is inadvertently stored in logs or backups.
    • Implement monitoring tools to detect and alert on any PII retention.
  2. Vendor Assessments:

    • If using third-party passkey solutions, confirm that the vendor adheres to data minimization principles.
    • Ensure contracts explicitly prohibit permanent PII storage.

Example of PII-Free Passkey Flow#

  • Step 1: The client device generates a public-private key pair.
  • Step 2: The public key is stored on the authentication server, while the private key remains on the client device.
  • Step 3: Any user identification (e.g., email) is processed transiently and replaced by a unique user ID for future interactions.

By following these strategies, businesses can adopt passkeys while fully complying with privacy regulations and ensuring user trust.

Do you want to learn more?

Read full blog post

Share this article


LinkedInTwitterFacebook

Enjoyed this read?

🤝 Join our Passkeys Community

Share passkeys implementation tips and get support to free the world from passwords.

🚀 Subscribe to Substack

Get the latest news, strategies, and insights about passkeys sent straight to your inbox.


We provide UI components, SDKs and guides to help you add passkeys to your app in <1 hour

Start for free