Ah my bad, I thought the distinction was resident = stored on a YubiKey/Secure Enclave/TPM and that was what made them resident.
To my credit, I think YubiKey uses the term that way and WebAuthn has a different definition, but in the context of passkeys you’re right.
> stored on a YubiKey/Secure Enclave/TPM and that was what made them resident.
Stored in an authenticator/credential manager in general, not specific to a security key, secure enclave, or TPM.
Just to point out, protecting a key using the secure enclave and syncing it using end-to-end encryption aren’t necessarily mutually exclusive.
The security property you care about is that the plaintext key is only ever processed in use within the secure enclave (transiently, during authentication).
That doesn’t preclude syncing or backing up the encrypted key via a cloud service, if the device allows the application to do that.