What is a Non-Resident Key in WebAuthn?

A Non-Resident Key (NRK) is a type of cryptographic key used in the WebAuthn protocol, characterized by its storage and retrieval process. Unlike resident keys, NRKs are not stored on the authenticator device. Instead, they rely on a unique process for key generation and use:

• Key Pair Generation: During sign-up, the authenticator creates a new key pair based on its internal master key. The public key, along with a unique credential ID, is sent to the server (Relying Party).
• Key Derivation: For authentication, the authenticator re-derives the private key using the credential ID and its master key, temporarily storing it in protected memory.
• Authentication: The authenticator signs a challenge with the derived private key and sends it to the client, which then forwards it to the server for verification.

Non-resident keys are also referred to as non-discoverable credentials, as they cannot be enumerated or listed by the authenticator.

---

Understanding Non-Resident Keys (NRKs) requires diving deeper into their technicalities, implications, and usage scenarios:

• Generation and Use: NRKs are generated during sign-up and are derived for each authentication session. This ephemeral nature ensures security while providing flexibility.
• Roaming Authenticators: NRKs are ideal for roaming authenticators like YubiKeys, allowing users to authenticate across various devices and platforms without being bound to a single device.
• User Handle Requirement: Unlike resident keys, NRKs require the user to input their user handle during authentication, making the process less seamless.

• Scalability: NRKs allow for an almost unlimited number of keys to be associated with various services, as they don’t consume storage on the authenticator.
• Security and Privacy Concerns: While NRKs are secure, the need for users to input their user handle can pose privacy concerns and is less user-friendly.
• Relying Party (RP) Management: Relying Parties must effectively manage the associations between user accounts and public keys. Poor management could lead to security vulnerabilities.

• Ideal for Roaming Authenticators: NRKs are perfect for scenarios where users use a single authenticator (like a YubiKey) across multiple devices.
• Suitable for Scalable User Bases: Services with a large and diverse user base can benefit from the flexibility and scalability of NRKs.

---

• Non-Resident Keys are not stored on the authenticator and require re-derivation for each use, while Resident Keys are stored directly on the authenticator and can be used more seamlessly.

• They offer scalability and flexibility, enabling users to authenticate across multiple platforms without relying on the storage capacity of any single device.

• The primary challenge is the need for users to provide their user handle for each authentication, which can impact the user experience and raise privacy concerns. Additionally, the RP must effectively manage key-user associations.