Resident Keys

WebAuthn enables high assurance multi-factor authentication with a passwordless login experience. One of the things that enables this is what is called resident keys.

Resident key means that the private key is stored in persistent memory on the authenticator, instead of encrypted and stored on the relying party server. If the key were stored on the server, then the server would need to return that to the authenticator before the authenticator could decrypt and use it. This would mean that the user would need to provide a username, and usually also a password.

With resident keys, the RP generates a user handle containing a unique identifier, the property in PublicKeyCredentialCreationOptions. The user handle and private key are stored in persistent memory on the authenticator during the registration ceremony. During the authentication ceremony the authenticator returns the user handle, allowing the RP to look up the associated user. This means that the user does not need to enter a username to login.

A username-less flow might look something like this: The user goes to the login page, plugs in the authenticator, and taps the button, and then they are logged in. This is called a “first-factor” authentication. If the authenticator also supports PIN or biometric verification, you can get high assurance multi-factor authentication in a single login step with no passwords sent over the wire.