---
url: 'https://www.corbado.com/glossary/resident-key'
title: 'Resident Key'
description: 'Master Resident Keys for effective passkey deployment. A must-read for developers to implement user-friendly, secure authentication in applications.'
lang: 'en'
keywords: 'resident-key'
---

# Resident Key

## What is a Resident Key?

- A **Resident Key**, also known as a
  [Discoverable Credential](https://www.corbado.com/blog/webauthn-resident-key-discoverable-credentials-passkeys),
  is a component of WebAuthn, a web standard for strong,
  [passwordless authentication](https://www.corbado.com/glossary/passwordless-authentication). In this system,
  the private key and its associated metadata are stored in the persistent memory of the
  [authenticator](https://www.corbado.com/glossary/authenticator), rather than being encrypted and stored on the
  server of the [relying party](https://www.corbado.com/glossary/relying-party) (RP).
- This storage method contrasts with traditional credentials that require server-side
  storage and retrieval. With Resident Keys, during the registration process, a unique
  [user handle](https://www.corbado.com/blog/webauthn-user-id-userhandle) is generated and stored along with the
  private key on the [authenticator](https://www.corbado.com/glossary/authenticator).
- During authentication, the [authenticator](https://www.corbado.com/glossary/authenticator) returns the
  [user handle](https://www.corbado.com/blog/webauthn-user-id-userhandle), allowing the RP to locate the
  associated user, thus eliminating the need for a username during login. This approach
  facilitates a seamless, username-less login experience and supports high assurance
  multi-factor authentication without transmitting passwords.

## Key Takeaways

> - A **Resident Key** is a type of
>   [Discoverable Credential](https://www.corbado.com/blog/webauthn-resident-key-discoverable-credentials-passkeys)
>   used in WebAuthn for secure,
>   [passwordless authentication](https://www.corbado.com/glossary/passwordless-authentication).
> - Private keys and user identifiers are stored on the authenticator, not on the relying
>   party's server.
> - Resident Keys enable username-less authentication, enhancing user convenience and
>   security.
> - Supports high assurance multi-factor authentication in a single login step without using
>   passwords.

---

### Technical Implications and User Experience

- Credential Storage and Management: The WebAuthn protocol, particularly with
  [YubiKeys](https://www.corbado.com/glossary/yubikey) on firmware 5.2.3 and above, allows the display and
  management of credentials stored on the authenticator. Users can view information like
  [relying party](https://www.corbado.com/glossary/relying-party) details, credential descriptors, and the
  quantity of discoverable credentials on the authenticator.
- CTAP 2 Protocol: Through the Client to Authenticator Protocol (CTAP 2), clients can
  access detailed information from the authenticator, including the number of discoverable
  credentials and [relying party](https://www.corbado.com/glossary/relying-party) information. This protocol
  facilitates a more integrated and informed authentication process.

### Credential Protection and Privacy

- Enhancing Privacy: The Credential Protection extension in WebAuthn offers additional
  privacy measures for users. It governs how credentials are exposed and used,
  particularly in scenarios where an unauthorized person might access the authenticator.
- Credential Protection Options: There are three levels of protection settings:
  userVerificationOptional, userVerificationOptionalWithCredentialIDList, and
  userVerificationRequired. These settings dictate the visibility and use of credentials,
  balancing privacy and usability.
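
How the three protection levels play out, as an added example (not Corbado's code). The `credentialProtectionPolicy` and `enforceCredentialProtectionPolicy` extension inputs and the numeric values follow the CTAP 2.1 `credProtect` extension; `withCredProtect` and `mayAssert` are hypothetical helper names, and `mayAssert` is a simplified model of the authenticator's decision.

```javascript
// Policy names from the list above, mapped to their CTAP 2.1 credProtect values.
const CRED_PROTECT = {
  userVerificationOptional: 0x01,
  userVerificationOptionalWithCredentialIDList: 0x02,
  userVerificationRequired: 0x03,
};

// Add the extension inputs to the options passed to navigator.credentials.create().
function withCredProtect(creationOptions, policy) {
  if (!Object.hasOwn(CRED_PROTECT, policy)) throw new Error(`unknown policy: ${policy}`);
  return {
    ...creationOptions,
    extensions: {
      ...creationOptions.extensions,
      credentialProtectionPolicy: policy,
      // Ask the client not to create the credential if the authenticator
      // cannot honour the requested level.
      enforceCredentialProtectionPolicy: true,
    },
  };
}

// Simplified model: may the authenticator use this credential for a request?
//   userVerified  - user verification (PIN or biometric) succeeded for this request
//   idInAllowList - the RP supplied this credential's ID in allowCredentials
function mayAssert(policy, { userVerified, idInAllowList }) {
  switch (Object.hasOwn(CRED_PROTECT, policy) ? CRED_PROTECT[policy] : undefined) {
    case 0x01: return true;                          // usable with or without UV
    case 0x02: return userVerified || idInAllowList; // not discoverable without UV
    case 0x03: return userVerified;                  // never usable without UV
    default: throw new Error(`unknown policy: ${policy}`);
  }
}
```

With `userVerificationOptionalWithCredentialIDList`, a person holding the authenticator who cannot pass user verification gets no response to a username-less request, so the accounts stored on the device are not revealed.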

### Seamless and Secure Authentication

- Silent Authentication: Resident Keys enable a more secure and
  [user-friendly authentication](https://www.corbado.com/faq/passkey-user-experience-benefits-non-technical-audience)
  experience, often referred to as "Silent Auth." This approach allows platforms to
  identify and use the appropriate credentials without active user involvement,
  streamlining the login process.
- Impact on User Experience: By storing credentials on the authenticator and simplifying
  the authentication process, Resident Keys offer a more seamless and secure user
  experience. Users benefit from a straightforward, passwordless login process that does
  not compromise security.

---

## Resident Key FAQs

### What are Resident Keys in WebAuthn?

Resident Keys, or Discoverable Credentials, are part of the WebAuthn protocol, storing
private keys and user identifiers on the authenticator for secure, passwordless
authentication.

### How do Resident Keys enhance user privacy and security?

Resident Keys enhance privacy and security by storing credentials on the authenticator,
reducing reliance on server-side storage, and offering customizable credential protection
settings.

### What is the role of the Credential Protection extension in WebAuthn?

The Credential Protection extension in WebAuthn adds an extra layer of privacy,
controlling how discoverable credentials are exposed and used, especially in situations
where an authenticator might be accessed by unauthorized individuals.

### Resident Key vs. Non-Resident Keys: What's the Difference?

Resident Keys are stored directly on the authenticator device with the user’s identifier,
allowing for passwordless and username-less logins. In contrast, Non-Resident Keys are not
stored on the authenticator; instead, they rely on the server to store the
[credential ID](https://www.corbado.com/blog/webauthn-user-id-userhandle), requiring the user to input a username
for identification during login.

### Where is my Resident Key stored?

Your [Resident Key](https://www.corbado.com/blog/webauthn-resident-key-discoverable-credentials-passkeys) is
stored in the persistent memory of your authenticator device, such as a hardware
[security key](https://www.corbado.com/glossary/security-key) or a built-in device authenticator. This storage
approach ensures that your credentials are secure and readily accessible for
authentication.

### Is a Resident Key safe?

Yes, Resident Keys are generally safe as they are stored on secure, dedicated hardware
(the authenticator) and are protected by robust encryption methods. Additionally, since
the keys are not stored on a server, they are less vulnerable to remote hacking attempts.
However, the security also depends on the [authenticator's](https://www.corbado.com/glossary/authenticator)
physical security and firmware integrity.
