---
url: 'https://www.corbado.com/faq/when-are-passkeys-stored'
title: 'When Are Passkeys Stored?'
description: 'Learn when passkeys are stored in a secure system. Understand how passkeys work in user authentication and ensure your app’s security.'
lang: 'en'
keywords: 'storage of passkeys'
---

# When Are Passkeys Stored?

Passkeys are stored on the user’s device after being created during the WebAuthn
registration process. The cryptographic keys are securely stored within hardware-backed
storage like the Trusted Platform Module (TPM) on desktops or the
[Secure Enclave](https://www.corbado.com/glossary/secure-enclave) on [iOS](https://www.corbado.com/blog/webauthn-errors) devices.

> - Passkeys are stored on the user’s device after creation.
> - The private keys are securely stored in hardware-backed storage such as TPM or Secure
>   Enclave.
> - Only public keys are shared with the WebAuthn server, ensuring the security of the
>   private key.

---

### How Passkeys Are Stored

When a passkey is generated, it consists of a public key and a private key. The private
key is securely stored on the user's device, often in hardware-backed storage:

- **Trusted Platform Module (TPM):** On Windows and Linux devices, passkeys are stored
  within the TPM, which is a dedicated microcontroller designed to secure hardware through
  integrated cryptographic keys.
- **Secure Enclave:** For Apple devices, the [Secure Enclave](https://www.corbado.com/glossary/secure-enclave) is
  a coprocessor that provides all cryptographic operations for Data Protection key
  management and ensures that passkeys remain protected even if the main operating system
  is compromised.

### When Passkeys Are Stored

Passkeys are stored immediately after they are created during the registration process.
This usually happens the first time a user signs up for a service using passkeys. Here's a
step-by-step process:

- **User Registration:** During user registration, the passkey is created and stored on
  the device.
- **WebAuthn Server Interaction:** Only the public key is sent to the WebAuthn server,
  ensuring that the private key never leaves the user’s device.
- **Subsequent Logins:** During subsequent logins, the stored private key is used to sign
  a challenge sent by the server, proving the user’s identity without ever exposing the
  private key.
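
The three steps above can be modelled end to end in Node.js. This is an added example, not code from the original page or from Corbado: it is a simplified model that skips attestation and CBOR encoding, but signs `authenticatorData || SHA-256(clientDataJSON)` the way a WebAuthn assertion does. The names `createAuthenticator`, `createServer` and the relying party `example.test` are hypothetical, and a JavaScript closure stands in for the TPM or Secure Enclave.

```javascript
// Added example: simplified model of the WebAuthn flow, not a full implementation.
const nodeCrypto = require('node:crypto');
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Stand-in for the device authenticator. The closure plays the role of the
// TPM / Secure Enclave: the private key is created here and never returned.
function createAuthenticator(rpId) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  let signCount = 0;
  return {
    // Registration output: only the public key leaves the device.
    register: () => ({
      credentialId: nodeCrypto.randomBytes(16).toString('base64url'),
      publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }),
    }),
    // Login: sign authenticatorData || SHA-256(clientDataJSON).
    sign(challenge, origin) {
      const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
      const counter = Buffer.alloc(4);
      counter.writeUInt32BE(++signCount);
      const authData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), counter]); // flags: UP | UV
      const signature = nodeCrypto.sign('sha256', Buffer.concat([authData, sha256(clientDataJSON)]), privateKey);
      return { clientDataJSON, authData, signature };
    },
  };
}

// Stand-in for the WebAuthn server (relying party). Its store holds public keys only.
function createServer(rpId, origin) {
  const credentials = new Map(); // credentialId -> publicKeyPem
  const pending = new Set();     // challenges issued and not yet consumed
  return {
    credentials,
    storeCredential: ({ credentialId, publicKeyPem }) => credentials.set(credentialId, publicKeyPem),
    newChallenge() {
      const c = nodeCrypto.randomBytes(32).toString('base64url');
      pending.add(c);
      return c;
    },
    verify(credentialId, { clientDataJSON, authData, signature }) {
      const client = JSON.parse(clientDataJSON.toString());
      const publicKeyPem = credentials.get(credentialId);
      if (!publicKeyPem || !pending.delete(client.challenge)) return false; // unknown key or replayed challenge
      if (client.type !== 'webauthn.get' || client.origin !== origin) return false;
      if (!authData.subarray(0, 32).equals(sha256(rpId))) return false;
      return nodeCrypto.verify('sha256', Buffer.concat([authData, sha256(clientDataJSON)]), publicKeyPem, signature);
    },
  };
}
```

Because each challenge is single-use and the signed data binds the origin and relying party ID, a captured assertion cannot be replayed and one produced for a different origin fails verification.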

### Security Implications

The storage method of passkeys is designed to prevent unauthorized access and ensure that
even if a device is compromised, the passkey remains protected:

- **Local Storage:** Since passkeys are stored locally, they are less vulnerable to mass
  data breaches that affect server-side databases.
- **Biometric Protection:** On many devices, access to the private key is further
  protected by [biometric authentication](https://www.corbado.com/blog/passkeys-biometric-authentication), such
  as fingerprint scanning or facial recognition.

---
