Skip to content

Commit 171e66f

Browse files
committed
Add explanation of hardware-backed key storage for passkeys (TPM, Secure Enclave, Android Keystore)
1 parent 4941673 commit 171e66f

1 file changed

Lines changed: 5 additions & 3 deletions

File tree

cheatsheets/Authentication_Cheat_Sheet.md

Lines changed: 5 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -341,11 +341,13 @@ UAF takes advantage of existing security technologies present on devices for aut
341341

342342
U2F augments password-based authentication using a hardware token (typically USB) that stores cryptographic authentication keys and uses them for signing. The user can use the same token as a second factor for multiple applications. U2F works with web applications. It provides **protection against phishing** by using the URL of the website to look up the stored authentication key.
343343

344-
**FIDO2**: FIDO2 and WebAuthn, encompassing previous standards (UAF/U2F), form the foundation of modern **Passkeys** technology. Passkeys enable users to securely log in using local user verification (such as biometrics or device PINs) and often supporting cloud synchronization across devices. This technology is widely supported by major platforms (Windows Hello/Mac Touch ID).
344+
**FIDO2**: FIDO2 and WebAuthn, encompassing previous standards (UAF/U2F), form the foundation of modern **Passkeys** technology. Passkeys enable users to securely log in using local user verification (such as biometrics or device PINs), often with credential synchronization across devices.
345345

346-
Developers implementing passkeys should rely on well-maintained WebAuthn libraries or platform APIs instead of attempting to implement authentication logic manually. Using mature libraries helps ensure correct handling of cryptographic operations, token validation, and browser compatibility across platforms.
346+
#### Hardware-backed Key Storage
347347

348-
See also: [Web Authentication API (WebAuthn)](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API).
348+
For platform passkeys, the private key is generated and stored by the operating system's secure key manager. Modern platforms typically provide hardware-backed protection for these keys, such as the Trusted Platform Module (TPM) on Windows, Secure Enclave on Apple devices, or the Android Keystore/StrongBox on Android.
349+
350+
The private key is non-exportable and remains on the user’s device. During authentication, the platform security module signs a server challenge using this key. This hardware-backed protection of private keys is a core security property of passkeys and WebAuthn.
349351

350352
## Password Managers
351353

0 commit comments

Comments
 (0)