---
url: 'https://www.corbado.com/faq/ensure-no-pii-stored-with-passkeys'
title: 'How to ensure no PII is permanently stored with passkeys?'
description: 'Learn how businesses can prevent the permanent storage of PII during passkey authentication while ensuring security and compliance.'
lang: 'en'
keywords: 'passkeys PII storage, no PII passkeys, passkey privacy compliance'
---

# How to ensure no PII is permanently stored with passkeys?

## How Can Businesses Ensure No PII Is Permanently Stored During Passkey Usage?

Passkeys are designed to enhance security while minimizing the use of Personally
Identifiable Information (PII). By implementing best practices and using privacy-conscious
systems, businesses can ensure no PII is permanently stored during passkey operations.

### Key Strategies to Prevent PII Storage

1. **Temporary Data Processing Only:**
    - During [passkey creation](https://www.corbado.com/blog/passkey-creation-best-practices) or login, PII such
      as an email address may be temporarily used for user identification.
    - Ensure this data is processed only for the duration of the operation and not stored
      permanently.

2. **Use Unique Identifiers:**
    - Replace PII with system-generated unique identifiers (e.g., user UUIDs) to link
      passkeys with user accounts.
    - This ensures the passkey system operates without requiring sensitive user data.

3. **Encryption and Secure Transmission:**
    - Encrypt all data transmitted during passkey authentication.
    - This reduces the risk of interception and ensures that temporary data is protected.

4. **Audit and Monitoring:**
    - Regularly audit systems to confirm no PII is inadvertently stored in logs or
      backups.
    - Implement monitoring tools to detect and alert on any PII retention.

5. **Vendor Assessments:**
    - If using third-party passkey solutions, confirm that the vendor adheres to data
      minimization principles.
    - Ensure contracts explicitly prohibit permanent PII storage.

### Example of PII-Free Passkey Flow

- **Step 1:** The client device generates a public-private key pair.
- **Step 2:** The public key is stored on the authentication server, while the private key
  remains on the client device.
- **Step 3:** Any user identification (e.g., email) is processed transiently and replaced
  by a unique [user ID](https://www.corbado.com/blog/webauthn-user-id-userhandle) for future interactions.

By following these strategies, businesses can adopt passkeys while fully complying with
privacy regulations and ensuring
[user trust](https://www.corbado.com/faq/fallback-management-user-trust-passkey-retention).
