What is a Resident Key in WebAuthn?

Author: Vincent

Created: November 14, 2023

Updated: September 10, 2024


What is a Resident Key?#

  • A Resident Key, also known as a Discoverable Credential (the name the current WebAuthn specification uses), is a credential type in WebAuthn, the web standard for strong, passwordless authentication. With a resident key, the private key and its associated metadata (RP ID, user handle and credential ID) are stored in the persistent memory of the authenticator. A non-resident key, by contrast, is typically not stored on the authenticator at all: the private key is wrapped (encrypted) into the credential ID, and it is the relying party (RP) that stores that credential ID and hands it back in allowCredentials at login.
  • During registration of a Resident Key, the RP supplies an opaque user handle (user.id in the registration options, at most 64 bytes and never an email address), and the authenticator stores it together with the private key.
  • During authentication, the authenticator returns the user handle in the assertion, allowing the RP to locate the user without a username field; the RP must then check that the credential used belongs to that user before verifying the signature. Combined with user verification (PIN or biometric on the authenticator), this gives a username-less login and high-assurance multi-factor authentication in one step, without a password ever being transmitted.

Key Takeaways#

  • Resident Key is the older name for what the current WebAuthn specification calls a Discoverable Credential; both terms describe the same thing, a credential used for secure, passwordless authentication.
  • The private key and the user handle are stored on the authenticator; the relying party's server keeps only the credential ID and the public key.
  • Resident Keys enable username-less authentication: the authenticator finds the credential by RP ID and returns the user handle, so the user never has to identify themselves first.
  • Together with user verification on the authenticator, they support high-assurance multi-factor authentication in a single login step without using passwords.


Technical Implications and User Experience#

  • Credential Storage and Management: Because discoverable credentials occupy storage on the authenticator, CTAP 2.1 adds a credential-management command (authenticatorCredentialManagement) that lets a client list and delete them; YubiKeys support it from firmware 5.2.3 onwards. Through this command a client can show the relying party details, the credential descriptors and the number of discoverable credentials present, and free slots by deleting stale entries (for example with Yubico's ykman tool: ykman fido credentials list).
  • CTAP 2 Protocol: The Client to Authenticator Protocol (CTAP 2) is the link between the client (browser or OS platform) and a roaming authenticator. It carries the create and get operations that WebAuthn requests and, with credential management, the metadata above. Web applications never speak CTAP directly: they only see what the WebAuthn API returns, so an RP cannot enumerate the credentials on a user's key and must keep its own record of the credential IDs and public keys registered to each account.

Credential Protection and Privacy#

  • Enhancing Privacy: The Credential Protection extension (credProtect, defined in CTAP 2.1 and exposed to relying parties through WebAuthn) controls whether a credential can be used or discovered without user verification. Without it, a discoverable credential on a roaming authenticator can be asserted by anyone who physically holds the key and has not entered the PIN, which both logs them in wherever the RP does not require UV and reveals which accounts the key is enrolled with.
  • Credential Protection Options: The RP requests one of three policies via the credentialProtectionPolicy extension input: userVerificationOptional (level 1, the default: usable without UV), userVerificationOptionalWithCredentialIDList (level 2: UV required unless the RP names the credential ID in allowCredentials, so the credential cannot be discovered without UV but a known credential ID can still be used), and userVerificationRequired (level 3: UV always required). Setting enforceCredentialProtectionPolicy to true asks the client to fail registration rather than create a credential the authenticator cannot protect at that level; the RP should additionally confirm the level reported back in the authenticator data.
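Whether the authenticator actually applied the requested policy is only visible in the authenticator data returned by create(): credProtect has no client extension output, and the level comes back as a CBOR-encoded credProtect entry in the authData extensions map. The following Node.js code is an added example (not from the original post or from Corbado) that builds the extension input, parses authenticator data with a minimal CBOR decoder, and rejects a registration whose reported level is lower than the one requested. The authenticator data is constructed by hand for the example, and all function names are assumptions.

```javascript
const CRED_PROTECT_LEVELS = {
  userVerificationOptional: 1,
  userVerificationOptionalWithCredentialIDList: 2,
  userVerificationRequired: 3,
};

// Extension input for the publicKey options of navigator.credentials.create().
// enforce=true asks the client to abort instead of creating a credential the
// authenticator cannot protect at this level; the RP still verifies below.
function credProtectExtensionInput(policy, enforce = true) {
  if (!(policy in CRED_PROTECT_LEVELS)) throw new Error(`unknown credProtect policy: ${policy}`);
  return { credentialProtectionPolicy: policy, enforceCredentialProtectionPolicy: enforce };
}

// Minimal CBOR decoder, enough for COSE keys and the authData extensions map:
// unsigned/negative ints, byte and text strings, arrays, maps, bool/null.
// Returns [value, offsetAfterValue]; buf must be a Buffer.
function decodeCbor(buf, off = 0) {
  const ib = buf[off++];
  const major = ib >> 5;
  const ai = ib & 0x1f;
  let len = ai;
  if (ai === 24) { len = buf[off]; off += 1; }
  else if (ai === 25) { len = buf.readUInt16BE(off); off += 2; }
  else if (ai === 26) { len = buf.readUInt32BE(off); off += 4; }
  else if (ai > 26) throw new Error("unsupported CBOR length encoding");
  switch (major) {
    case 0: return [len, off];
    case 1: return [-1 - len, off];
    case 2: return [buf.subarray(off, off + len), off + len];
    case 3: return [buf.subarray(off, off + len).toString("utf8"), off + len];
    case 4: {
      const arr = [];
      for (let i = 0; i < len; i++) { const [v, o] = decodeCbor(buf, off); arr.push(v); off = o; }
      return [arr, off];
    }
    case 5: {
      const map = new Map();
      for (let i = 0; i < len; i++) {
        const [k, o1] = decodeCbor(buf, off);
        const [v, o2] = decodeCbor(buf, o1);
        map.set(k, v); off = o2;
      }
      return [map, off];
    }
    case 7:
      if (ai === 20) return [false, off];
      if (ai === 21) return [true, off];
      if (ai === 22) return [null, off];
    default: throw new Error(`unsupported CBOR item: major ${major}, info ${ai}`);
  }
}

// Parse authenticator data: rpIdHash | flags | signCount | [attestedCredentialData] | [extensions].
function parseAuthenticatorData(authData) {
  const flags = authData[32];
  const parsed = {
    rpIdHash: authData.subarray(0, 32),
    flags: { up: !!(flags & 0x01), uv: !!(flags & 0x04), at: !!(flags & 0x40), ed: !!(flags & 0x80) },
    signCount: authData.readUInt32BE(33),
    credentialId: null, credentialPublicKey: null, extensions: null,
  };
  let off = 37;
  if (parsed.flags.at) {                     // aaguid(16) | credIdLen(2) | credId | COSE_Key
    const idLen = authData.readUInt16BE(off + 16);
    parsed.credentialId = authData.subarray(off + 18, off + 18 + idLen);
    [parsed.credentialPublicKey, off] = decodeCbor(authData, off + 18 + idLen);
  }
  if (parsed.flags.ed) [parsed.extensions, off] = decodeCbor(authData, off);
  if (off !== authData.length) throw new Error("trailing bytes in authenticator data");
  return parsed;
}

// Level the authenticator reported, or 0 when the extension is absent.
function credProtectLevel(parsed) {
  const v = parsed.extensions && parsed.extensions.get("credProtect");
  return typeof v === "number" ? v : 0;
}

// RP-side check: refuse the registration if the reported level is below policy
// (matters when enforce was false, or the client ignored the extension).
function credProtectSatisfied(parsed, policy) {
  return credProtectLevel(parsed) >= CRED_PROTECT_LEVELS[policy];
}

// Constructed authenticator data for the example (not captured from a real key):
// UP|UV|AT flags, a P-256 COSE key with dummy coordinates, optional credProtect.
function sampleAuthData({ credProtect } = {}) {
  const coseKey = Buffer.concat([
    Buffer.from([0xa5, 0x01, 0x02, 0x03, 0x26, 0x20, 0x01, 0x21, 0x58, 0x20]), Buffer.alloc(32, 0x01),
    Buffer.from([0x22, 0x58, 0x20]), Buffer.alloc(32, 0x02),
  ]);
  const credId = Buffer.alloc(16, 0xab);
  const parts = [
    Buffer.alloc(32, 0x11),                                   // rpIdHash (real: SHA-256 of rpId)
    Buffer.from([0x01 | 0x04 | 0x40 | (credProtect ? 0x80 : 0)]),
    Buffer.from([0, 0, 0, 0]),                                // signCount
    Buffer.alloc(16, 0), Buffer.from([0, credId.length]), credId, coseKey,
  ];
  if (credProtect) parts.push(Buffer.concat([Buffer.from([0xa1, 0x6b]), Buffer.from("credProtect"), Buffer.from([credProtect])]));
  return Buffer.concat(parts);
}
```

In a real registration, authData is the authData field of the decoded attestationObject; the same parser also serves for the authenticatorData of assertions, where the AT flag is normally clear and the extensions map may be absent.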

Seamless and Secure Authentication#

  • Silent Authentication: Resident Keys let the client discover credentials for the RP ID on its own, so the RP can start an authentication ceremony with an empty allowCredentials list and no username step; browsers surface the matching credentials as an account picker or as autofill suggestions in the username field (conditional mediation). This is often called "Silent Auth", but what is silent is the identification of the user, not the authentication itself: the user still touches the key or passes a PIN or biometric check on the authenticator.
  • Impact on User Experience: By keeping the credential on the authenticator and removing the username lookup, Resident Keys give a login that is both simpler and stronger. Users get a straightforward passwordless flow, and the RP gives up nothing in security because the private key never leaves the authenticator and user verification can still be required.

Resident Key FAQs#

What are Resident Keys in WebAuthn?#

Resident Keys, or Discoverable Credentials, are part of the WebAuthn protocol, storing private keys and user identifiers on the authenticator for secure, passwordless authentication.

How do Resident Keys enhance user privacy and security?#

Resident Keys improve privacy and security because the private key and user handle never leave the authenticator, the relying party stores only public keys and credential IDs (nothing on the server can be used to sign a login), and the credProtect extension lets the RP require user verification before a stored credential can be discovered or used by whoever holds the authenticator.

What is the role of the Credential Protection extension in WebAuthn?#

The Credential Protection extension in WebAuthn adds an extra layer of privacy, controlling how discoverable credentials are exposed and used, especially in situations where an authenticator might be accessed by unauthorized individuals.

Resident Key vs. Non-Resident Keys: What's the Difference?#

Resident Keys are stored on the authenticator together with the user handle, so the authenticator can find them by RP ID and the RP can identify the user from the assertion: passwordless and username-less login. Non-Resident Keys are not kept on the authenticator: typically the private key is wrapped into the credential ID, which the relying party stores and must send back in allowCredentials, so the RP needs a username (or a session cookie) first to know which credential IDs to send.


Where is my Resident Key stored?#

Your Resident Key is stored in the persistent memory of your authenticator, such as a hardware security key or a platform authenticator built into your phone or laptop (where it is typically held in the device's secure element or keychain). That storage is finite on hardware keys: each model holds a fixed number of discoverable credentials (for example, 25 on YubiKey 5 series keys before firmware 5.7 and 100 from 5.7), so relying parties should avoid creating more than one discoverable credential per user per authenticator, and users may need to delete old ones through credential management.

Is a Resident Key safe?#

Yes, Resident Keys are generally safe. The private key never leaves the authenticator (on hardware keys it lives in a secure element), every use requires a physical presence check, and with user verification a PIN or biometric as well. Because the server stores only public keys and credential IDs, a breach of the relying party yields nothing that can be replayed or used to sign in, and phishing is defeated by the RP ID binding. The caveats are on the device side: someone who physically obtains the authenticator can use credentials registered at credProtect level 1 without a PIN, so relying parties should request a higher level where it matters; a lost key must be revoked at each RP, so every RP should let users remove credentials; and the guarantees depend on the authenticator's firmware integrity, which attestation lets an RP check at registration.
