What is a Resident Key?#
- A Resident Key, also known as a Discoverable Credential, is a type of credential defined
by WebAuthn, the web standard for strong, passwordless authentication. The private key and
its associated metadata (relying party ID, user handle, credential ID) are stored in the
persistent memory of the authenticator. With a non-resident credential, by contrast, the
authenticator wraps (encrypts) the private key into the credential ID, the relying party
(RP) stores that credential ID on its server, and the authenticator itself keeps no state.
- With Resident Keys the roles are reversed: during registration the RP generates a unique,
opaque user handle (the user.id field of the creation options, at most 64 bytes, and never a
username or e-mail address) and the authenticator stores it together with the new private
key.
- During authentication the RP can leave allowCredentials empty; the authenticator looks up
the credentials it holds for the RP ID and returns the stored user handle in the assertion,
which lets the RP locate the account without asking for a username first. This is what makes
username-less login possible, and combined with user verification (PIN or biometric) it
gives multi-factor authentication without any password ever being transmitted.
Key Takeaways#
Technical Implications and User Experience#
- Credential Storage and Management: CTAP 2.1 adds a credential management command
(supported on YubiKeys with firmware 5.2.3 and above) that lets a client, after PIN or
biometric verification, list and delete the discoverable credentials on an authenticator.
For each credential the client can see the relying party ID, the user handle and the
credential descriptor, together with how many discoverable credentials are stored and how
many more the authenticator can hold.
- CTAP 2 Protocol: The Client to Authenticator Protocol (CTAP 2) is what the browser or
operating system uses to talk to a roaming authenticator. Through it the client can query
the number of discoverable credentials and the relying parties they belong to, and can ask
the authenticator to select the right credential for an RP ID, which is what lets the
platform offer the user the matching account instead of a blank username field.
Credential Protection and Privacy#
- Enhancing Privacy: The Credential Protection (credProtect) extension lets the RP state, at
registration time, under what conditions a discoverable credential may be found and used.
Its purpose is to limit what someone who gets physical hold of the authenticator can learn
or do without user verification: without it, a discoverable credential can be found, and a
signature obtained, with nothing more than a touch.
- Credential Protection Options: There are three levels: userVerificationOptional (level 1,
the credential is always usable), userVerificationOptionalWithCredentialIDList (level 2,
without user verification the credential is only usable when the RP supplies its credential
ID in allowCredentials, so it cannot be found by probing) and userVerificationRequired
(level 3, the credential is never usable without user verification). The RP selects the
level with credentialProtectionPolicy in the creation options and can set
enforceCredentialProtectionPolicy so the client fails registration if the authenticator
cannot honour it. Higher levels trade some usability for privacy: a level-2 credential is
invisible to a username-less login that does not require user verification.
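To make the three levels concrete, here is an added example (not code from the original page) that builds the registration extension input, checks the level the authenticator reports back, and predicts whether a credential at a given level can be used by a given assertion request. The level semantics follow the CTAP 2.1 credProtect definition; the helper names and the sample inputs are assumptions.

```javascript
// Added example, not code from the original page. RP-side helpers around the
// credProtect extension; names and sample data are assumptions for illustration.
const CRED_PROTECT = {
  userVerificationOptional: 1,
  userVerificationOptionalWithCredentialIDList: 2,
  userVerificationRequired: 3,
};

// Registration extension input for navigator.credentials.create(). With enforce=true the
// client must fail the ceremony if the authenticator cannot apply the requested policy.
function credProtectExtension(policy, enforce = true) {
  if (!(policy in CRED_PROTECT)) throw new Error(`unknown credProtect policy: ${policy}`);
  return { credentialProtectionPolicy: policy, enforceCredentialProtectionPolicy: enforce };
}

// The authenticator reports the level it applied in its extension output (the
// "credProtect" entry of the extensions map in authData). The RP should check it rather
// than trust the request: with enforce=false a credential may be created at a lower level.
function checkCredProtectOutput(authExtOutput, requestedPolicy) {
  const wanted = CRED_PROTECT[requestedPolicy];
  const got = authExtOutput && authExtOutput.credProtect;
  if (typeof got !== "number") return { ok: false, reason: "authenticator did not apply credProtect" };
  if (got < wanted) return { ok: false, reason: `level ${got} is weaker than requested level ${wanted}` };
  return { ok: true, level: got };
}

// Can a credential at `level` be found and used by an assertion request with these
// properties?
//   level 1: always.
//   level 2: only if the request lists it in allowCredentials, or user verification was done.
//   level 3: only if user verification was done, listed or not.
// A silent probe (no UV, empty allowCredentials) therefore reaches level-1 credentials only.
function credentialUsable(level, { uvPerformed, inAllowList }) {
  switch (level) {
    case 1: return true;
    case 2: return uvPerformed || inAllowList;
    case 3: return uvPerformed;
    default: throw new Error(`invalid credProtect level: ${level}`);
  }
}

// Constructed scenario: a lost key probed by someone who does not know the PIN and has
// no credential IDs. Returns the levels whose credentials such a probe can reach.
function lostKeyExposure(levels) {
  const probe = { uvPerformed: false, inAllowList: false };
  return levels.filter((l) => credentialUsable(l, probe));
}

console.log(credProtectExtension("userVerificationRequired"));
console.log(lostKeyExposure([1, 2, 3]));
```

The practical check for an RP that wants username-less login: if you register at level 2 but your login request sets userVerification to "discouraged", the authenticator will not surface the credential, because the request has neither a credential ID nor user verification. Either require user verification at login or accept that level-2 credentials need a username-first flow.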
Seamless and Secure Authentication#
- Silent Authentication: Because the authenticator can find its own credentials for an RP
ID, a client can send an assertion request that does not require user presence and learn,
without the user touching the key, whether an authenticator holds a credential for the
site. This is often called "silent authentication", and it is what lets a platform pick
the right authenticator or pre-fill an account picker before the user does anything. The
login assertion itself still requires user presence or verification, and the credProtect
levels above exist precisely to bound what silent probing can reveal.
- Impact on User Experience: By storing credentials on the authenticator and simplifying
the authentication process, Resident Keys offer a more seamless and secure user
experience. Users benefit from a straightforward,
passwordless login process that does not
compromise security.
Resident Key FAQs#
What are Resident Keys in WebAuthn?#
Resident Keys, or Discoverable Credentials, are part of the
WebAuthn protocol, storing private keys and
user identifiers on the authenticator for secure,
passwordless authentication.
How do Resident Keys enhance user privacy and security?#
As with every WebAuthn credential, the private key is generated inside the authenticator and
never leaves it, and the assertion is bound to the RP ID, so a server breach or a phishing
page yields nothing usable. What Resident Keys add is that the RP no longer has to store and
hand back a credential ID before the user can authenticate, and the credProtect settings let
the RP decide whether the credential can be found or used at all without user verification.
What is the role of the Credential Protection extension in WebAuthn?#
The Credential Protection extension in WebAuthn adds an extra layer of privacy,
controlling how discoverable credentials are exposed and used, especially in situations
where an authenticator might be accessed by unauthorized individuals.
Resident Key vs. Non-Resident Keys: What's the Difference?#
Resident Keys are stored on the authenticator together with the user's handle, so the
authenticator can find them by RP ID alone and the RP can log the user in without a
username. With Non-Resident Keys the authenticator keeps no per-credential state: it wraps
(encrypts) the private key with a device secret into the credential ID, the RP stores that
credential ID, and at login the RP must send it back in allowCredentials. That is why the
user has to identify themselves first, typically with a username, so the RP can look up
which credential IDs to offer.

Where is my Resident Key stored?#
Your Resident Key is stored in the persistent memory of your authenticator, whether a
hardware security key or the built-in authenticator of your phone or laptop (backed by a
secure element, TPM or equivalent). Because the authenticator holds the key itself, it can
find and use it for a site without the RP first telling it which credential to use. Storage
on hardware keys is finite, so check how many discoverable credentials your key supports
before relying on it for many accounts.
Is a Resident Key safe?#
Yes, within the usual caveats. The private key is generated inside the authenticator and
never leaves it, and it is used only after user presence (a touch) and, for most logins,
user verification (PIN or biometric). Nothing on the RP's server can be turned into a
usable credential, so a server breach does not expose the key, and the assertion is bound
to the RP ID, which defeats phishing. The residual risks are physical: someone holding the
authenticator can try the PIN (a limited number of consecutive failures locks it), and
unless the credential was registered with credProtect level userVerificationRequired they
can discover which sites it is registered with and, at level 1, obtain a signature without
a PIN (which an RP requiring user verification will reject). The authenticator's firmware
integrity matters for the same reason.
