
What is a Resident Key in WebAuthn?

Master Resident Keys for effective passkey deployment. A must-read for developers to implement user-friendly, secure authentication in applications.

Vincent Delitz

Created: November 14, 2023

Updated: May 11, 2026

What is a Resident Key? - A Resident Key, also known as a Discoverable Credential, is a component of WebAuthn, a web standard for strong, passwordless authentication.

What is a Resident Key?

  • A Resident Key, also known as a Discoverable Credential, is a component of WebAuthn, a web standard for strong, passwordless authentication. In this system, the private key and its associated metadata are stored in the persistent memory of the authenticator, rather than being encrypted and stored on the server of the relying party (RP).
  • This storage method contrasts with traditional credentials that require server-side storage and retrieval. With Resident Keys, during the registration process, a unique user handle is generated and stored along with the private key on the authenticator.
  • During authentication, the authenticator returns the user handle, allowing the RP to locate the associated user, thus eliminating the need for a username during login. This approach facilitates a seamless, username-less login experience and supports high assurance multi-factor authentication without transmitting passwords.

Key Takeaways

  • A Resident Key is a type of Discoverable Credential used in WebAuthn for secure, passwordless authentication.
  • Private keys and user identifiers are stored on the authenticator, not on the relying party's server.
  • Resident Keys enable username-less authentication, enhancing user convenience and security.
  • Supports high assurance multi-factor authentication in a single login step without using passwords.

Technical Implications and User Experience

  • Credential Storage and Management: The WebAuthn ecosystem, notably on YubiKeys with firmware 5.2.3 and above, allows credentials stored on the authenticator to be listed and managed. Users can view information such as relying party details, credential descriptors, and the number of discoverable credentials held by the authenticator.
  • CTAP2 Protocol: Through the Client to Authenticator Protocol 2 (CTAP2), clients can query detailed information from the authenticator, including the number of discoverable credentials and the relying parties they belong to. This protocol enables a more integrated and better-informed authentication process.

Credential Protection and Privacy

  • Enhancing Privacy: The Credential Protection extension in WebAuthn offers additional privacy measures for users. It governs how credentials are exposed and used, particularly in scenarios where an unauthorized person might access the authenticator.
  • Credential Protection Options: There are three levels of protection settings: userVerificationOptional, userVerificationOptionalWithCredentialIDList, and userVerificationRequired. These settings dictate the visibility and use of credentials, balancing privacy and usability.

Seamless and Secure Authentication

  • Silent Authentication: Resident Keys enable a more secure and user-friendly authentication experience, often referred to as "Silent Auth." This approach allows platforms to identify and use the appropriate credentials without active user involvement, streamlining the login process.
  • Impact on User Experience: By storing credentials on the authenticator and simplifying the authentication process, Resident Keys offer a more seamless and secure user experience. Users benefit from a straightforward, passwordless login process that does not compromise security.

Resident Key FAQs

What are Resident Keys in WebAuthn?

Resident Keys, or Discoverable Credentials, are part of the WebAuthn protocol, storing private keys and user identifiers on the authenticator for secure, passwordless authentication.

How do Resident Keys enhance user privacy and security?

Resident Keys enhance privacy and security by storing credentials on the authenticator, reducing reliance on server-side storage, and offering customizable credential protection settings.

What is the role of the Credential Protection extension in WebAuthn?

The Credential Protection extension in WebAuthn adds an extra layer of privacy, controlling how discoverable credentials are exposed and used, especially in situations where an authenticator might be accessed by unauthorized individuals.

Resident Key vs. Non-Resident Keys: What's the Difference?

Resident Keys are stored directly on the authenticator device with the user’s identifier, allowing for passwordless and username-less logins. In contrast, Non-Resident Keys are not stored on the authenticator; instead, they rely on the server to store the credential ID, requiring the user to input a username for identification during login.


Where is my Resident Key stored?

Your Resident Key is stored in the persistent memory of your authenticator device, such as a hardware security key or a built-in device authenticator. This storage approach ensures that your credentials are secure and readily accessible for authentication.

Is a Resident Key safe?

Yes, Resident Keys are generally safe as they are stored on secure, dedicated hardware (the authenticator) and are protected by robust encryption methods. Additionally, since the keys are not stored on a server, they are less vulnerable to remote hacking attempts. However, the security also depends on the authenticator's physical security and firmware integrity.
