What is a Non-Resident Key in WebAuthn?

What are Non-Resident Keys?#

A Non-Resident Key (NRK) is a type of cryptographic key used in the WebAuthn protocol, characterized by its storage and retrieval process. Unlike resident keys, NRKs are not stored on the authenticator device. Instead, they rely on a unique process for key generation and use:

• Key Pair Generation: During sign-up, the authenticator creates a new key pair based on its internal master key. The public key, along with a unique credential ID, is sent to the server (Relying Party).
• Key Derivation: For authentication, the authenticator re-derives the private key using the credential ID and its master key, temporarily storing it in protected memory.
• Authentication: The authenticator signs a challenge with the derived private key and sends it to the client, which then forwards it to the server for verification.

Non-resident keys are also referred to as non-discoverable credentials, as they cannot be enumerated or listed by the authenticator.

Key Takeaways#

---

Understanding Non-Resident Keys (NRKs) requires diving deeper into their technicalities, implications, and usage scenarios:

Technical Details#

• Generation and Use: NRKs are generated during sign-up and are derived for each authentication session. This ephemeral nature ensures security while providing flexibility.
• Roaming Authenticators: NRKs are ideal for roaming authenticators like YubiKeys, allowing users to authenticate across various devices and platforms without being bound to a single device.
• User Handle Requirement: Unlike resident keys, NRKs require the user to input their user handle during authentication, making the process less seamless.

Advantages and Disadvantages#

• Scalability: NRKs allow for an almost unlimited number of keys to be associated with various services, as they don’t consume storage on the authenticator.
• Security and Privacy Concerns: While NRKs are secure, the need for users to input their user handle can pose privacy concerns and is less user-friendly.
• Relying Party (RP) Management: Relying Parties must effectively manage the associations between user accounts and public keys. Poor management could lead to security vulnerabilities.

Use Cases#

• Ideal for Roaming Authenticators: NRKs are perfect for scenarios where users use a single authenticator (like a YubiKey) across multiple devices.
• Suitable for Scalable User Bases: Services with a large and diverse user base can benefit from the flexibility and scalability of NRKs.

---

Non-Resident Keys FAQs#

How do Non-Resident Keys differ from Resident Keys in WebAuthn?#

• Non-Resident Keys are not stored on the authenticator and require re-derivation for each use, while Resident Keys are stored directly on the authenticator and can be used more seamlessly.

Why are Non-Resident Keys important in WebAuthn authentication?#

• They offer scalability and flexibility, enabling users to authenticate across multiple platforms without relying on the storage capacity of any single device.

What are the challenges associated with using Non-Resident Keys?#

• The primary challenge is the need for users to provide their user handle for each authentication, which can impact the user experience and raise privacy concerns. Additionally, the RP must effectively manage key-user associations.

About Corbado

Corbado is the Passkey Intelligence Platform for CIAM teams running consumer authentication at scale. We help you see what IDP logs and generic analytics tools can't: which devices, OS versions, browsers and credential managers support passkeys, why enrollments don't turn into logins, where the WebAuthn flow fails and when an OS / browser update silently breaks login, all without replacing Okta, Auth0, Ping, Cognito or your in-house IDP. Two products: Corbado Observe layers observability for passkeys and any other login method. Corbado Connect adds managed passkeys with analytics built in (alongside your IDP). VicRoads runs passkeys for 5M+ users with Corbado (+80% passkey activation). Talk to a Passkey Expert →