How to ensure no PII is permanently stored with passkeys?

How Can Businesses Ensure No PII Is Permanently Stored During Passkey Usage?#

Passkeys are designed to enhance security while minimizing the use of Personally Identifiable Information (PII). By implementing best practices and using privacy-conscious systems, businesses can ensure no PII is permanently stored during passkey operations.

Key Strategies to Prevent PII Storage#

1. Temporary Data Processing Only:

   • During passkey creation or login, PII such as an email address may be temporarily used for user identification.
   • Ensure this data is processed only for the duration of the operation and not stored permanently.

2. Use Unique Identifiers:

   • Replace PII with system-generated unique identifiers (e.g., user UUIDs) to link passkeys with user accounts.
   • This ensures the passkey system operates without requiring sensitive user data.

3. Encryption and Secure Transmission:

   • Encrypt all data transmitted during passkey authentication.
   • This reduces the risk of interception and ensures that temporary data is protected.

4. Audit and Monitoring:

   • Regularly audit systems to confirm no PII is inadvertently stored in logs or backups.
   • Implement monitoring tools to detect and alert on any PII retention.

5. Vendor Assessments:

   • If using third-party passkey solutions, confirm that the vendor adheres to data minimization principles.
   • Ensure contracts explicitly prohibit permanent PII storage.

Example of PII-Free Passkey Flow#

• Step 1: The client device generates a public-private key pair.
• Step 2: The public key is stored on the authentication server, while the private key remains on the client device.
• Step 3: Any user identification (e.g., email) is processed transiently and replaced by a unique user ID for future interactions.

By following these strategies, businesses can adopt passkeys while fully complying with privacy regulations and ensuring user trust.

Read the full article#