---
url: 'https://www.corbado.com/faq/are-passkey-providers-responsible-for-securing-auth-data'
title: 'Are passkey providers responsible for securing auth data?'
description: 'Discover whether passkey providers are responsible for securing authentication data and how security measures are implemented.'
lang: 'en'
---

# Are passkey providers responsible for securing auth data?

## Are Passkey Providers Responsible for Securing Auth Data?

Yes, **passkey providers** play a crucial role in securing authentication data, but their
level of responsibility depends on their role in the **passkey ecosystem**.

### Types of Passkey Providers and Security Responsibilities

[Passkey providers](https://www.corbado.com/blog/passkey-providers) can be categorized into:

- **First-party passkey providers** (e.g., Apple
  [iCloud Keychain](https://www.corbado.com/glossary/icloud-keychain),
  [Google Password Manager](https://www.corbado.com/blog/how-to-use-google-password-manager), Microsoft
  [Authenticator](https://www.corbado.com/glossary/authenticator)) that store passkeys within their cloud
  ecosystems.
- **Third-party passkey providers** (e.g.,
  [1Password](https://www.corbado.com/blog/1password-passkeys-best-practices-analysis),
  [Bitwarden](https://www.corbado.com/blog/passkey-analysis-bitwarden-developer-survey-2024),
  [Dashlane](https://www.corbado.com/blog/dashlane-passkeys)) that offer passkey storage and synchronization
  across devices.
- **Passkey authentication providers** (e.g., Corbado) that facilitate the authentication
  process by integrating passkeys into websites and applications.

### Security Measures Implemented by Passkey Providers

[Passkey providers](https://www.corbado.com/blog/passkey-providers) typically employ the following security
techniques:

- **End-to-End Encryption**: Passkeys stored in **iCloud Keychain** or **Google Password
  Manager** are encrypted, ensuring only the user can access them.
- **Hardware-Based Protection**: Many providers use **secure enclaves** or **TPM (Trusted
  Platform Module)** to prevent unauthorized access.
- **Biometric Authentication**: Passkey authentication is typically tied to biometrics
  (Face ID, Touch ID, [Windows Hello](https://www.corbado.com/glossary/windows-hello)) or device PINs, adding an
  additional layer of security.
- **Phishing Resistance**: Since passkeys are **bound to a specific domain**, they
  mitigate [phishing](https://www.corbado.com/glossary/phishing) attacks by preventing authentication on
  fraudulent websites.

### Who Is Ultimately Responsible?

- **First- and third-party passkey providers** ensure secure **storage and
  synchronization** of passkeys.
- **Passkey authentication providers** facilitate the **server-side authentication
  process**, ensuring compliance with security best practices.
- **End-users** also play a role by **securing their devices** and **enabling multi-device
  recovery options**.

### Conclusion

While **passkey providers** implement strong security measures, overall protection depends
on **encryption**, **device security**, and **proper implementation by relying parties**.
Users and organizations must ensure they follow **best security practices** to fully
leverage the benefits of passkeys.

## Read the full article