Hi @testuser7,
Great question—thanks for raising this! To clarify, when you create a passkey using the Microsoft Authenticator app on a supported device, the key pair is indeed hardware-bound.
- On Android, the app leverages the Android Keystore system, and it prioritizes storing the private key in secure hardware such as the Secure Element (SE) or Trusted Execution Environment (TEE). If secure hardware isn’t available, the passkey won’t be created, ensuring that software-only storage is not used.
- On iOS, the private key is generated and stored directly in the Secure Enclave, which is Apple’s hardware-backed secure area.
So, to answer your question directly: Yes, the Authenticator app creates the key pair within secure hardware (like Secure Enclave or StrongBox), making the private key hardware-bound. It is not a software key that is merely encrypted with a hardware-backed key.
Hope this clears things up! And feel free to let me know if you'd like help checking your device's hardware support or anything else related to passkeys.
If my answer has resolved your query, please do click "Accept Answer" and "Yes" as this can be beneficial to other community members who have the same question topic as you. It would be greatly appreciated and helpful to others.
Best regards,
Bob
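
The Android behaviour described in the answer above (create the key in secure hardware, refuse if only software storage is available) can be reproduced with the public Android Keystore API. This is an added example, not part of the answer and not Microsoft Authenticator's code; the alias and function names are hypothetical, and it assumes API level 28 or later.

```kotlin
import android.os.Build
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyInfo
import android.security.keystore.KeyProperties
import android.security.keystore.StrongBoxUnavailableException
import java.security.KeyFactory
import java.security.KeyPair
import java.security.KeyPairGenerator
import java.security.KeyStore
import java.security.spec.ECGenParameterSpec

// Hypothetical alias for this example; not a name used by Microsoft Authenticator.
private const val ALIAS = "example_passkey_p256"

// Generates a non-exportable P-256 signing key inside the Android Keystore.
private fun generate(strongBox: Boolean): KeyPair {
    val spec = KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_SIGN)
        .setAlgorithmParameterSpec(ECGenParameterSpec("secp256r1"))
        .setDigests(KeyProperties.DIGEST_SHA256)
        .setIsStrongBoxBacked(strongBox) // request the dedicated secure element
        .build()
    return KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore")
        .apply { initialize(spec) }
        .generateKeyPair()
}

/** Returns a key pair only if the private key lives in a TEE or StrongBox. */
fun createHardwareBoundKey(): KeyPair {
    // Prefer StrongBox; fall back to the default Keystore backend (normally the TEE).
    val pair = try {
        generate(strongBox = true)
    } catch (e: StrongBoxUnavailableException) {
        generate(strongBox = false)
    }
    // Ask the Keystore where the private key actually ended up.
    val info = KeyFactory.getInstance(pair.private.algorithm, "AndroidKeyStore")
        .getKeySpec(pair.private, KeyInfo::class.java)
    val hardwareBacked = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
        info.securityLevel == KeyProperties.SECURITY_LEVEL_TRUSTED_ENVIRONMENT ||
            info.securityLevel == KeyProperties.SECURITY_LEVEL_STRONGBOX
    } else {
        @Suppress("DEPRECATION") info.isInsideSecureHardware
    }
    if (!hardwareBacked) {
        // Software-only storage: delete the key and refuse, as the answer describes.
        KeyStore.getInstance("AndroidKeyStore").apply { load(null) }.deleteEntry(ALIAS)
        throw IllegalStateException("No secure hardware: refusing software-only key")
    }
    return pair
}
```

`KeyInfo` is reported by the device itself, so a relying party that needs proof from outside the device would verify a key attestation certificate chain rather than trust this local check.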