When Are Passkeys Stored?

Vincent Delitz

Created: August 23, 2024

Updated: February 17, 2025


When Are Passkeys Stored?#

Passkeys are stored on the user’s device at the moment they are created, during the WebAuthn registration ceremony. The private key is kept in hardware-backed storage such as the Trusted Platform Module (TPM) on desktops or the Secure Enclave on iOS devices.

  • Passkeys are stored on the user’s device as soon as they are created.
  • The private keys are kept in hardware-backed storage such as the TPM or the Secure Enclave.
  • Only the public key is sent to the WebAuthn server, so the private key never leaves the device.


How Passkeys Are Stored#

When a passkey is generated, it consists of a public key and a private key. The private key is stored on the user's device, usually in hardware-backed storage:

  • Trusted Platform Module (TPM): On Windows and Linux devices, passkeys are stored within the TPM, a dedicated microcontroller that protects cryptographic keys in hardware so they cannot be read out by software.
  • Secure Enclave: On Apple devices, the Secure Enclave is a coprocessor that performs all cryptographic operations for Data Protection key management and keeps passkeys protected even if the main operating system is compromised.

When Passkeys Are Stored#

Passkeys are stored immediately after they are created during the registration process. This usually happens the first time a user signs up for a service using passkeys. Here's the step-by-step process:

  • User Registration: During user registration, the passkey is created and stored on the device.
  • WebAuthn Server Interaction: Only the public key is sent to the WebAuthn server, ensuring that the private key never leaves the user’s device.
  • Subsequent Logins: During subsequent logins, the stored private key is used to sign a challenge sent by the server, proving the user’s identity without ever exposing the private key.
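The registration and login steps above, simulated end to end in Go. This is an added example, not code from the original article or from any WebAuthn library: the Authenticator type stands in for the user's device (in practice the TPM or Secure Enclave, where the key is non-exportable) and the RelyingParty type stands in for the WebAuthn server. Only the public key and a credential ID cross from one to the other; the private key is used solely to sign the server's challenge. The signed payload is simplified to the raw challenge bytes, whereas real WebAuthn signs authenticatorData concatenated with the hash of clientDataJSON. The key type is ECDSA P-256 with SHA-256, matching WebAuthn's ES256 algorithm.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Authenticator models the user's device. The private key is created here and
// never leaves this struct; on real hardware it lives in the TPM / Secure Enclave.
type Authenticator struct {
	priv *ecdsa.PrivateKey
}

// RelyingParty models the WebAuthn server. It holds public keys only, so a
// breach of this store yields nothing that can be used to sign a challenge.
type RelyingParty struct {
	pubKeys map[string]*ecdsa.PublicKey // credential ID -> public key
}

// Register simulates the registration ceremony: the authenticator generates a
// P-256 key pair, stores the private half, and returns only the public half
// together with a random credential ID.
func (a *Authenticator) Register() (credID string, pub *ecdsa.PublicKey, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	a.priv = priv
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return "", nil, err
	}
	return hex.EncodeToString(id), &priv.PublicKey, nil
}

// SignChallenge simulates the login ceremony on the device: the stored private
// key signs the SHA-256 digest of the server-supplied challenge (ES256).
func (a *Authenticator) SignChallenge(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
}

// NewRelyingParty returns an empty credential store.
func NewRelyingParty() *RelyingParty {
	return &RelyingParty{pubKeys: make(map[string]*ecdsa.PublicKey)}
}

// StoreCredential records the public key received at registration.
func (rp *RelyingParty) StoreCredential(credID string, pub *ecdsa.PublicKey) {
	rp.pubKeys[credID] = pub
}

// NewChallenge issues 32 fresh random bytes; a new one is minted per login
// attempt so a captured signature cannot be replayed.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify checks the signature against the stored public key for the credential.
func (rp *RelyingParty) Verify(credID string, challenge, sig []byte) bool {
	pub, ok := rp.pubKeys[credID]
	if !ok {
		return false
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// RunFlow performs one registration and one login, then tries to reuse the old
// signature against a fresh challenge. Returns (login verified, replay verified).
func RunFlow() (loginOK bool, replayOK bool, err error) {
	dev := &Authenticator{}
	rp := NewRelyingParty()

	credID, pub, err := dev.Register()
	if err != nil {
		return false, false, err
	}
	rp.StoreCredential(credID, pub)

	challenge, err := rp.NewChallenge()
	if err != nil {
		return false, false, err
	}
	sig, err := dev.SignChallenge(challenge)
	if err != nil {
		return false, false, err
	}
	loginOK = rp.Verify(credID, challenge, sig)

	// A second login gets a new challenge; the earlier signature must not verify.
	next, err := rp.NewChallenge()
	if err != nil {
		return false, false, err
	}
	replayOK = rp.Verify(credID, next, sig)
	return loginOK, replayOK, nil
}

func main() {
	ok, replay, err := RunFlow()
	fmt.Println("login verified:", ok, "| stale signature accepted:", replay, "| err:", err)
}
```

The relying party never sees anything it could use to impersonate the user: it stores public keys and random challenges, and the only secret-bearing operation (SignChallenge) runs inside the Authenticator. That separation is what the article means by the private key never leaving the device.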

Security Implications#

The way passkeys are stored is designed to prevent unauthorized access, so that even if a device is compromised the private key remains protected:

  • Local Storage: Because the private key is stored only on the device, passkeys are not exposed by the mass data breaches that affect server-side credential databases; the server holds only public keys.
  • Biometric Protection: On many devices, use of the private key is additionally gated by biometric authentication, such as fingerprint scanning or facial recognition, or by the device PIN.
