
How to ensure no PII is permanently stored with passkeys?

Vincent Delitz


Created: January 8, 2025

Updated: May 1, 2025



How Can Businesses Ensure No PII Is Permanently Stored During Passkey Usage?

Passkeys are designed to enhance security while minimizing the use of Personally Identifiable Information (PII). By implementing best practices and using privacy-conscious systems, businesses can ensure no PII is permanently stored during passkey operations.


Key Strategies to Prevent PII Storage

  1. Temporary Data Processing Only:

    • During passkey creation or login, PII such as an email address may be temporarily used for user identification.
    • Ensure this data is processed only for the duration of the operation and not stored permanently.
  2. Use Unique Identifiers:

    • Replace PII with system-generated unique identifiers (e.g., user UUIDs) to link passkeys with user accounts.
    • This ensures the passkey system operates without requiring sensitive user data.
  3. Encryption and Secure Transmission:

    • Encrypt all data transmitted during passkey authentication.
    • This reduces the risk of interception and ensures that temporary data is protected.
  4. Audit and Monitoring:

    • Regularly audit systems to confirm no PII is inadvertently stored in logs or backups.
    • Implement monitoring tools to detect and alert on any PII retention.
  5. Vendor Assessments:

    • If using third-party passkey solutions, confirm that the vendor adheres to data minimization principles.
    • Ensure contracts explicitly prohibit permanent PII storage.

Example of PII-Free Passkey Flow

  • Step 1: The client device generates a public-private key pair.
  • Step 2: The public key is stored on the authentication server, while the private key remains on the client device.
  • Step 3: Any user identification (e.g., email) is processed transiently and replaced by a unique user ID for future interactions.
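The flow above and the "unique identifiers" and "audit and monitoring" strategies, as an added example that is not Corbado's code: a minimal credential store that uses the e-mail only to mint an opaque user handle, persists only the credential ID, public key and that handle, and an audit helper that scans persisted records and log lines for e-mail addresses. All class and function names are hypothetical, and it is assumed the e-mail was already verified (e.g. by magic link) before `register` is called.

```python
import json
import re
import uuid

# Constructed example: not the page's or any vendor's real implementation.
# Matches the kind of PII the page uses as its example (e-mail addresses).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class PasskeyStore:
    """In-memory stand-in for the authentication server's credential table."""

    def __init__(self):
        # credential_id (hex) -> {"public_key": hex, "user_id": opaque UUID}
        self.credentials = {}

    def register(self, email, credential_id, public_key):
        """Step 3 of the flow: the e-mail identifies the user only for this call.

        It is assumed to be verified already; it is never written to the record.
        The WebAuthn user handle is a random UUID with no PII in it.
        """
        assert EMAIL_RE.fullmatch(email), "transient identifier must be an e-mail"
        user_id = str(uuid.uuid4())
        self.credentials[credential_id.hex()] = {
            "public_key": public_key.hex(),  # Step 2: only the public half is stored
            "user_id": user_id,
        }
        return user_id  # caller uses this handle for all future interactions

    def lookup(self, credential_id):
        """Login path: the authenticator presents the credential ID; no PII needed."""
        return self.credentials.get(credential_id.hex())

    def dump(self):
        """What would land in a backup; audited below for accidental PII."""
        return json.dumps(self.credentials)


def audit_for_pii(*texts):
    """Strategy 4: return every e-mail address found in records or log output."""
    hits = []
    for text in texts:
        hits.extend(EMAIL_RE.findall(text))
    return hits
```

Run `audit_for_pii(store.dump(), *log_lines)` on a schedule; a non-empty result means an e-mail leaked into storage or logs and should raise an alert.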

By following these strategies, businesses can adopt passkeys while fully complying with privacy regulations and ensuring user trust.
