Passkeys are stored in Trusted Execution Environments wherever they're available.
Examples of Trusted Execution Environments supported by Beyond Identity are:
- In Apple Devices, keys are stored in Apple T2 chips.
- In Windows and Linux workstations, keys are stored on Trusted Platform Modules (TPM).
- In ChromeOS, keys are stored in encrypted envelops which are protected by keys stored on the Titan chip.
- In AWS, keys can be stored in the Nitro enclaves on instances that support it. They are not persisted.
If no TEE is available our SDKs automatically fall back to OS specific security APIs for safe storage on hard disk. These are typically protected by a master key the OS generates with a knowledge factor as a salt.