What are Non-Resident Keys?
A Non-Resident Key (NRK) is a type of cryptographic key used in the WebAuthn protocol, characterized by how it is stored and retrieved. Unlike resident keys, NRKs are not stored on the authenticator device. Instead, they rely on a distinct process for key generation and use:
- Key Pair Generation: During sign-up, the authenticator creates a new key pair based on its internal master key. The public key, along with a unique credential ID, is sent to the server (Relying Party).
- Key Derivation: For authentication, the authenticator re-derives the private key using the credential ID and its master key, temporarily storing it in protected memory.
- Authentication: The authenticator signs a challenge with the derived private key and sends it to the client, which then forwards it to the server for verification.
Non-resident keys are also referred to as non-discoverable credentials, as they cannot be enumerated or listed by the authenticator.
Key Takeaways
- Non-Resident Keys (NRKs) are cryptographic keys in the WebAuthn protocol that are not stored on the authenticator.
- NRKs are generated and used through a distinct process in which the private key is derived from the authenticator's master key and a credential ID.
- NRKs provide scalability and roaming capabilities, as they do not rely on the storage capacity of the authenticator and can be used across multiple services and platforms.
- The key disadvantage is that users must provide their user handle (e.g., email or username) for authentication, which can impact user experience.
Understanding Non-Resident Keys (NRKs) requires diving deeper into their technicalities, implications, and usage scenarios:
Technical Details
- Generation and Use: NRKs are generated during sign-up and re-derived for each authentication session. Because the private key exists only for the duration of an assertion, no per-credential secret persists on the device, which gives both security and flexibility.
- Roaming Authenticators: NRKs are ideal for roaming authenticators like YubiKeys, allowing users to authenticate across various devices and platforms without being bound to a single device.
- User Handle Requirement: Unlike resident keys, NRKs require the user to input their user handle during authentication, making the process less seamless.
Advantages and Disadvantages
- Scalability: NRKs allow an almost unlimited number of keys to be associated with various services, as they don't consume storage on the authenticator.
- Security and Privacy Concerns: While NRKs are secure, the need for users to input their user handle can pose privacy concerns and is less user-friendly.
- Relying Party (RP) Management: Relying Parties must correctly maintain the association between each user account and the credential IDs and public keys registered for it. Errors in this bookkeeping can become security vulnerabilities.
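The following Go program is an added example, not code from the original page or from any vendor's authenticator firmware. It models the three-step process described at the top of the page (key pair generation from a master key, re-derivation from the credential ID, signing a challenge) together with the Relying Party's side of it: the user-handle lookup that NRKs require and the account-to-public-key association the RP must maintain. The concrete construction is an assumption made for illustration: HMAC-SHA256 under the master key serves as the key derivation function, and the credential ID is a random nonce followed by a truncated MAC that lets the authenticator recognise its own credential IDs and bind each one to an RP ID. Real authenticators use their own, often undocumented, schemes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"math/big"
)

const nonceLen, tagLen = 32, 16 // credential ID = nonce || truncated MAC (this layout is an assumption)

func randomBytes(n int) []byte { // fresh randomness for master keys, nonces and challenges
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Authenticator models a roaming authenticator whose only long-term secret is
// its master key; per-credential private keys are re-derived on every use.
type Authenticator struct{ masterKey []byte }

func NewAuthenticator() *Authenticator { return &Authenticator{masterKey: randomBytes(32)} }

// prf is HMAC-SHA256 under the master key, domain-separated by label and RP ID.
func (a *Authenticator) prf(label, rpID string, nonce []byte) []byte {
	m := hmac.New(sha256.New, a.masterKey)
	m.Write([]byte(label + "|" + rpID + "|"))
	m.Write(nonce)
	return m.Sum(nil)
}

// privateKey re-derives the P-256 key for (rpID, nonce); nothing is stored.
func (a *Authenticator) privateKey(rpID string, nonce []byte) *ecdsa.PrivateKey {
	n := elliptic.P256().Params().N
	d := new(big.Int).SetBytes(a.prf("nrk-seed", rpID, nonce))
	d.Mod(d, new(big.Int).Sub(n, big.NewInt(1)))
	d.Add(d, big.NewInt(1)) // keep 1 <= d < n
	x, y := elliptic.P256().ScalarBaseMult(d.FillBytes(make([]byte, 32)))
	return &ecdsa.PrivateKey{PublicKey: ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}, D: d}
}

// MakeCredential (registration): a fresh nonce becomes part of the credential
// ID; only the credential ID and the public key leave the device.
func (a *Authenticator) MakeCredential(rpID string) ([]byte, *ecdsa.PublicKey) {
	nonce := randomBytes(nonceLen)
	credID := append(append([]byte{}, nonce...), a.prf("nrk-tag", rpID, nonce)[:tagLen]...)
	return credID, &a.privateKey(rpID, nonce).PublicKey
}

// GetAssertion (authentication): check the credential ID is ours and bound to
// this RP, re-derive the private key, sign the challenge, and let the key go.
func (a *Authenticator) GetAssertion(rpID string, credID, challenge []byte) ([]byte, error) {
	if len(credID) != nonceLen+tagLen || !hmac.Equal(credID[nonceLen:], a.prf("nrk-tag", rpID, credID[:nonceLen])[:tagLen]) {
		return nil, errors.New("credential ID was not issued by this authenticator for this RP")
	}
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.privateKey(rpID, credID[:nonceLen]), h[:])
}

type credentialRecord struct{ credID []byte; pub *ecdsa.PublicKey }

// RelyingParty keeps public keys indexed by user handle: because NRKs are not
// discoverable, the handle is what lets the RP find the credential IDs to offer.
type RelyingParty struct {
	id    string
	users map[string][]credentialRecord
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{id: id, users: map[string][]credentialRecord{}}
}

func (rp *RelyingParty) Register(userHandle string, auth *Authenticator) {
	credID, pub := auth.MakeCredential(rp.id)
	rp.users[userHandle] = append(rp.users[userHandle], credentialRecord{credID, pub})
}

// Authenticate issues a fresh challenge and accepts the first credential for
// the handle whose assertion verifies against the stored public key.
func (rp *RelyingParty) Authenticate(userHandle string, auth *Authenticator) (bool, error) {
	records, ok := rp.users[userHandle]
	if !ok {
		return false, errors.New("unknown user handle")
	}
	challenge := randomBytes(32)
	h := sha256.Sum256(challenge)
	for _, rec := range records {
		sig, err := auth.GetAssertion(rp.id, rec.credID, challenge)
		if err == nil && ecdsa.VerifyASN1(rec.pub, h[:], sig) {
			return true, nil
		}
	}
	return false, errors.New("no valid assertion for any registered credential")
}
```

Two properties worth noticing in this model: the authenticator never writes anything per credential, so the RP can register as many credentials as it likes without touching device storage, and the RP cannot start an authentication without a user handle, because the credential IDs it must send are only findable under that handle. The RP also verifies each assertion strictly against the public key stored for that credential, which is the association the last bullet above says must be managed correctly.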
Use Cases
- Ideal for Roaming Authenticators: NRKs are perfect for scenarios where users use a single authenticator (like a YubiKey) across multiple devices.
- Suitable for Scalable User Bases: Services with a large and diverse user base can benefit from the flexibility and scalability of NRKs.
Non-Resident Keys FAQs
How do Non-Resident Keys differ from Resident Keys in WebAuthn?
- Non-Resident Keys are not stored on the authenticator and require re-derivation for each use, while Resident Keys are stored directly on the authenticator and can be used more seamlessly.
Why are Non-Resident Keys important in WebAuthn authentication?
- They offer scalability and flexibility, enabling users to authenticate across multiple platforms without relying on the storage capacity of any single device.
What are the challenges associated with using Non-Resident Keys?
- The primary challenge is the need for users to provide their user handle for each authentication, which can impact the user experience and raise privacy concerns. Additionally, the RP must effectively manage key-user associations.