
When Are Passkeys Stored?

Learn when passkeys are stored in a secure system. Understand how passkeys work in user authentication and ensure your app’s security.

Vincent Delitz

Created: August 23, 2024

Updated: May 12, 2026


When Are Passkeys Stored?

Passkeys are stored on the user’s device after being created during the WebAuthn registration process. The cryptographic keys are securely stored within hardware-backed storage like the Trusted Platform Module (TPM) on desktops or the Secure Enclave on iOS devices.

  • Passkeys are stored on the user’s device after creation.
  • The private keys are securely stored in hardware-backed storage such as TPM or Secure Enclave.
  • Only public keys are shared with the WebAuthn server, ensuring the security of the private key.

How Passkeys Are Stored

When a passkey is generated, it consists of a public key and a private key. The private key is securely stored on the user's device, often in hardware-backed storage:

  • Trusted Platform Module (TPM): On Windows and Linux devices, passkeys are stored within the TPM, which is a dedicated microcontroller designed to secure hardware through integrated cryptographic keys.
  • Secure Enclave: For Apple devices, the Secure Enclave is a coprocessor that provides all cryptographic operations for Data Protection key management and ensures that passkeys remain protected even if the main operating system is compromised.

When Passkeys Are Stored

Passkeys are stored immediately after they are created during the registration process. This usually happens the first time a user signs up for a service using passkeys. Here's a step-by-step process:

  • User Registration: During user registration, the passkey is created and stored on the device.
  • WebAuthn Server Interaction: Only the public key is sent to the WebAuthn server, ensuring that the private key never leaves the user’s device.
  • Subsequent Logins: During subsequent logins, the stored private key is used to sign a challenge sent by the server, proving the user’s identity without ever exposing the private key.
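
The three steps above can be traced in a small Node.js simulation. This is an added example, not code from Corbado or from the WebAuthn specification: `createAuthenticator`, `createServer` and `message` are hypothetical names, a closure stands in for the TPM or Secure Enclave, and the signed message is a simplified stand-in for the real WebAuthn format.

```javascript
const crypto = require('node:crypto');

// Simplified signed message: SHA-256(rpId) || challenge. Real WebAuthn signs
// authenticatorData || SHA-256(clientDataJSON); this shape is an assumption.
const message = (rpId, challenge) =>
  Buffer.concat([crypto.createHash('sha256').update(rpId).digest(), challenge]);

// Hypothetical software authenticator. The closure stands in for the TPM or
// Secure Enclave: private keys are never returned to the caller.
function createAuthenticator() {
  const keys = new Map(); // credentialId -> private KeyObject
  return {
    register() {
      const { publicKey, privateKey } =
        crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
      const credentialId = crypto.randomBytes(16).toString('base64url');
      keys.set(credentialId, privateKey);
      // Only the credential ID and the public key leave the device.
      return { credentialId, publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }) };
    },
    sign: (credentialId, rpId, challenge) =>
      crypto.sign('sha256', message(rpId, challenge), keys.get(credentialId)),
  };
}

// Hypothetical relying party (WebAuthn server): stores public keys only.
function createServer(rpId) {
  const records = new Map(); // username -> { credentialId, publicKeyPem }
  const pending = new Map(); // username -> outstanding challenge
  return {
    rpId,
    store: (user, cred) => records.set(user, cred),
    record: (user) => records.get(user),
    challenge(user) {
      const c = crypto.randomBytes(32);
      pending.set(user, c);
      return c;
    },
    verify(user, signature) {
      const cred = records.get(user);
      const c = pending.get(user);
      pending.delete(user); // a challenge is valid for one attempt only
      if (!cred || !c) return false;
      return crypto.verify('sha256', message(rpId, c), cred.publicKeyPem, signature);
    },
  };
}
```

Because the server record holds only a public key and each challenge is consumed on first use, a copy of the server's database or a captured signature is not enough to log in.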

Security Implications

The storage method of passkeys is designed to prevent unauthorized access and ensure that even if a device is compromised, the passkey remains protected:

  • Local Storage: Since passkeys are stored locally, they are less vulnerable to mass data breaches that affect server-side databases.
  • Biometric Protection: On many devices, access to the private key is further protected by biometric authentication, such as fingerprint scanning or facial recognition.
