Glossary
This page defines all technical terms and field values of the Passkey/FIDO2 Tokens feature.
Passkey
A passkey lets users sign in without a password. It is a FIDO2/WebAuthn credential based on public-key cryptography: the private key is stored on the user's device and never leaves it, while the service holds only the matching public key. To authenticate, the user unlocks the device with biometrics or a device PIN; the device then signs a challenge issued by the service with the private key, and the service verifies that signature with the stored public key.
FIDO2 Token
A physical or platform-based authenticator that implements the FIDO2 standard. This includes hardware security keys (for example, YubiKey) and built-in platform authenticators (for example, Windows Hello, Touch ID).
Authenticator
The device or component that creates and stores the credential's private key and performs user verification.
| Type | Description |
|---|---|
| Platform Authenticator | Built into the user's device (for example, Windows Hello, Apple Face ID / Touch ID). Credentials are tied to that specific device unless synced. |
| Roaming / External Authenticator | A separate hardware device (for example, YubiKey, Titan Key) that can be used across multiple devices using USB, NFC, or Bluetooth. |
Authenticator ID (AAGUID)
Every authenticator reports a 128-bit identifier called an AAGUID (Authenticator Attestation Globally Unique Identifier). Despite the name, it is not unique per device: it identifies the make and model of the authenticator (or the passkey provider) that was used to register a passkey.
For example, all YubiKey 5 NFC devices of the same firmware series share one AAGUID, while passkeys created by Apple Passwords report a different one. This helps administrators identify which type of authenticator was used during registration. Two caveats apply: an all-zero AAGUID means the authenticator chose not to identify its model (for example, when attestation was requested as "none"), and because the value is reported by the authenticator itself, it is only as trustworthy as the attestation statement that was verified alongside it. The FIDO Metadata Service maps AAGUIDs to vendor and model names.
Relying Party ID
The Relying Party ID is the domain name of the application that a passkey is registered to (for example, example.com). The credential is bound to this domain: the browser only allows it to be used from an origin whose host is that domain or a subdomain of it, and the authenticator's signature covers a hash of the RP ID, so the service can verify the binding on its side as well. This binding is a core security feature of FIDO2. It prevents phishing because a credential registered to example.com cannot be exercised from a lookalike domain such as examp1e.com or example.com.evil.net, regardless of what the user is tricked into doing.
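The server-side half of this binding, as an added example that is not code from the original page or from the feature it documents: the browser records the page origin in clientDataJSON, and the relying party must check that this origin belongs to the RP ID before accepting a registration or assertion. The `origin_matches_rp_id` rule below is a simplification (an assumption of this example): it requires the RP ID to contain a dot instead of consulting the Public Suffix List, so it rejects bare TLDs like `com` but not every public suffix (for example `co.uk`); production code should use a PSL library. The clientDataJSON sample is constructed, not captured from a browser.

```python
import base64
import json
import os
from urllib.parse import urlsplit


def origin_matches_rp_id(origin: str, rp_id: str) -> bool:
    """Return True if a credential bound to rp_id may be used from origin.

    WebAuthn rule: the RP ID must equal the origin's host or be a parent
    domain of it. Assumption/simplification: RP IDs must contain a dot
    (no Public Suffix List lookup here).
    """
    parts = urlsplit(origin)
    host = (parts.hostname or "").lower()
    rp = rp_id.lower().strip(".")
    if not host or not rp:
        return False
    # WebAuthn only runs in secure contexts: https, or localhost for development.
    if parts.scheme != "https" and host != "localhost":
        return False
    if "." not in rp and rp != "localhost":
        return False
    # Exact match, or a proper subdomain of the RP ID. "example.com.evil.net"
    # does not end with ".example.com", so a lookalike host is rejected.
    return host == rp or host.endswith("." + rp)


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url as used in clientDataJSON."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def verify_client_data(client_data_json: bytes, expected_type: str,
                       expected_challenge: bytes, rp_id: str) -> dict:
    """Validate the clientDataJSON from a WebAuthn ceremony; raise ValueError on mismatch."""
    data = json.loads(client_data_json.decode("utf-8"))
    if data.get("type") != expected_type:
        raise ValueError(f"unexpected ceremony type {data.get('type')!r}")
    if b64url_decode(data.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge does not match the one issued by the server")
    origin = data.get("origin", "")
    if not origin_matches_rp_id(origin, rp_id):
        raise ValueError(f"origin {origin!r} is not bound to RP ID {rp_id!r}")
    return data


def client_data_is_valid(client_data_json: bytes, expected_type: str,
                         expected_challenge: bytes, rp_id: str) -> bool:
    """Boolean wrapper around verify_client_data."""
    try:
        verify_client_data(client_data_json, expected_type, expected_challenge, rp_id)
        return True
    except ValueError:
        return False


def make_client_data(origin: str, challenge: bytes, ceremony: str = "webauthn.get") -> bytes:
    """Construct a clientDataJSON document the way a browser would (sample input only)."""
    return json.dumps({
        "type": ceremony,
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
        "crossOrigin": False,
    }).encode()


if __name__ == "__main__":
    challenge = os.urandom(32)
    # Legitimate subdomain of the RP ID: accepted.
    verify_client_data(make_client_data("https://login.example.com", challenge),
                       "webauthn.get", challenge, "example.com")
    # Lookalike phishing host: rejected even though the challenge is correct.
    print(client_data_is_valid(make_client_data("https://example.com.evil.net", challenge),
                               "webauthn.get", challenge, "example.com"))
```

The challenge check is what ties the response to one login attempt; the origin check is what makes a stolen or proxied response from a lookalike site useless. Both are needed, and both are independent of the signature verification that follows.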
Key Protection
Key Protection describes how and where the private key is stored on the authenticator device. The more secure the storage, the harder it is for an attacker to steal or copy the key.
| Value | Description |
|---|---|
| Hardware | The private key is stored inside a dedicated hardware security chip (such as a Secure Element or Trusted Platform Module (TPM)). The key cannot be read or extracted from the chip, even by the operating system. This is the most secure option. |
| Trusted Execution Environment (TEE) | The key is stored in a protected area of the device's main processor that is isolated from the rest of the operating system. It is more secure than software storage but slightly less tamper-resistant than a dedicated hardware chip. |
| Software | The key is stored in the device's regular memory or file system and protected only by the operating system. It is the least secure option, because malware running with sufficient privileges on the device can read and copy the key. |
| Remote | The key is managed by a remote service rather than stored locally on the device. |
Matcher protection
Matcher protection describes where the user verification check happens, that is, where the fingerprint template comparison, face match, or PIN check is performed and the pass/fail decision is made.
| Value | Description |
|---|---|
| Hardware | The verification (for example, fingerprint matching) is processed entirely inside a dedicated hardware security chip. This is the most tamper-resistant option. Even if the operating system of the device is compromised, software cannot forge the verification result. |
| Trusted Execution Environment (TEE) | Verification is processed in a protected, isolated area of the device's processor, separate from the main operating system. This provides strong security for most everyday use cases. |
| Software | Verification is handled by the device's operating system or an application. It is functional but relies entirely on the software being secure and not compromised. |
Transport method
Transport method describes how the authenticator communicates with the browser or application during authentication.
| Value | Description |
|---|---|
| Internal | The authenticator is built directly into the device (for example, Windows Hello on a laptop, Face ID on an iPhone). No external connection is needed. |
| USB | The authenticator connects through a USB cable or port (for example, plugging in a YubiKey). |
| NFC | The authenticator communicates wirelessly over a short range by tapping it against the device (for example, tapping a YubiKey to a phone). |
| BLE | The authenticator communicates through Bluetooth (for example, a Bluetooth security key paired with your device). |
| Hybrid | Authentication is completed on a nearby device such as a phone: the laptop shows a QR code, the phone scans it, proximity is confirmed over Bluetooth, and the approval is relayed back to the laptop. |
Feature flags
Feature flags are properties the authenticator reports in the signed authenticator data of each registration and authentication response. They indicate what level of assurance was achieved during that operation. Because the authenticator sets them itself, they are only as trustworthy as the authenticator that produced them (and, at registration, the attestation that vouched for it).
| Flag | Description |
|---|---|
| User Present (UP) | Confirms that a real person physically interacted with the authenticator (for example, by touching a button on a YubiKey or tapping a fingerprint sensor). This ensures the authentication was not automated or triggered silently in the background. |
| User Verified (UV) | Confirms that the user completed a verification step, such as scanning a fingerprint, recognizing a face, or entering a PIN. This is a stronger assurance than User Present alone, as it confirms the right person is authenticating. |
| Backup Eligible (BE) | Indicates that the passkey is eligible to be backed up or synced to the cloud (such as iCloud Keychain or Google Password Manager). This means the passkey could be available on other devices belonging to the same user. |
| Backup State (BS) | Indicates that the passkey has actually been backed up at the time of the operation. If Backup Eligible is true but Backup State is false, the passkey has not been backed up yet and currently exists only on the original device. Backup State can never be true while Backup Eligible is false; a response with that combination is invalid. |
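How these flags, the AAGUID, and the Relying Party ID binding are actually read off the wire, as an added example that is not code from the original page or from the feature it documents. WebAuthn authenticator data is a fixed layout: a 32-byte SHA-256 of the RP ID, one flags byte, a 4-byte big-endian signature counter, and, at registration only, the attested credential data (16-byte AAGUID, 2-byte credential ID length, credential ID, CBOR-encoded COSE public key). The parser below extracts each field, rejects responses bound to the wrong RP ID or carrying an invalid flag combination, and classifies the passkey as synced or device-bound from the BE flag. The sample AAGUID, credential ID, and the truncated COSE placeholder are constructed for the example, not captured from a real device, and the COSE key is left undecoded because that needs a CBOR library.

```python
import hashlib
import struct
import uuid
from typing import Optional

# Bit positions of the authenticator data "flags" byte (WebAuthn authenticator data).
FLAG_UP = 0x01  # User Present
FLAG_UV = 0x04  # User Verified
FLAG_BE = 0x08  # Backup Eligible
FLAG_BS = 0x10  # Backup State
FLAG_AT = 0x40  # Attested credential data follows (registration only)
FLAG_ED = 0x80  # Extension data follows


def rp_id_hash(rp_id: str) -> bytes:
    """rpIdHash as placed at the start of authenticator data."""
    return hashlib.sha256(rp_id.encode("ascii")).digest()


def rp_id_bound_to(auth_data: bytes, rp_id: str) -> bool:
    """True if this authenticator data was produced for rp_id."""
    return len(auth_data) >= 32 and auth_data[:32] == rp_id_hash(rp_id)


def flags_are_consistent(flags: int) -> bool:
    """UP must be set; BS without BE is an invalid combination."""
    if not flags & FLAG_UP:
        return False
    if flags & FLAG_BS and not flags & FLAG_BE:
        return False
    return True


def parse_authenticator_data(auth_data: bytes, expected_rp_id: str) -> dict:
    """Parse and validate authenticator data; raise ValueError on any problem."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    if not rp_id_bound_to(auth_data, expected_rp_id):
        raise ValueError("rpIdHash mismatch: credential is bound to a different RP ID")
    flags = auth_data[32]
    if not flags_are_consistent(flags):
        raise ValueError(f"invalid flags byte 0x{flags:02x}")
    parsed = {
        "flags": {
            "UP": bool(flags & FLAG_UP),
            "UV": bool(flags & FLAG_UV),
            "BE": bool(flags & FLAG_BE),
            "BS": bool(flags & FLAG_BS),
        },
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }
    # BE is fixed for the life of the credential, so it tells synced from device-bound.
    parsed["passkey_kind"] = "synced" if flags & FLAG_BE else "device-bound"
    offset = 37
    if flags & FLAG_AT:
        if len(auth_data) < offset + 18:
            raise ValueError("truncated attested credential data")
        aaguid = uuid.UUID(bytes=auth_data[offset:offset + 16])
        cred_len = struct.unpack(">H", auth_data[offset + 16:offset + 18])[0]
        cred_id = auth_data[offset + 18:offset + 18 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("truncated credential ID")
        parsed["aaguid"] = str(aaguid)
        # An all-zero AAGUID means the authenticator declined to identify its model.
        parsed["aaguid_identifies_model"] = aaguid.int != 0
        parsed["credential_id"] = cred_id.hex()
        # Remainder is the CBOR COSE_Key (plus extensions if ED is set); not decoded here.
        parsed["credential_public_key_cose"] = auth_data[offset + 18 + cred_len:]
    return parsed


def build_sample_auth_data(rp_id: str, flags: int, sign_count: int,
                           aaguid: Optional[uuid.UUID] = None,
                           credential_id: bytes = b"") -> bytes:
    """Construct sample authenticator data for this example (not from a real device)."""
    out = rp_id_hash(rp_id) + bytes([flags]) + struct.pack(">I", sign_count)
    if flags & FLAG_AT:
        assert aaguid is not None
        # Constructed, truncated placeholder for a COSE_Key map; not a usable key.
        cose_placeholder = bytes.fromhex("a5010203262001")
        out += aaguid.bytes + struct.pack(">H", len(credential_id)) + credential_id + cose_placeholder
    return out


# Constructed sample inputs: a synced-passkey registration and a later assertion.
SAMPLE_AAGUID = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed, not a real model
REGISTRATION_SAMPLE = build_sample_auth_data(
    "example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_AT, 0, SAMPLE_AAGUID, bytes(range(32)))
ASSERTION_SAMPLE = build_sample_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 7)

if __name__ == "__main__":
    print(parse_authenticator_data(REGISTRATION_SAMPLE, "example.com"))
    print(parse_authenticator_data(ASSERTION_SAMPLE, "example.com"))
```

Note that in the registration sample BE is set but BS is not: the passkey is eligible for sync but has not been uploaded yet, which is exactly the "exists only on the original device for now" state described above. The assertion sample shows the same credential after its backup completed.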
Platform authenticator and Roaming authenticator
| Type | Description | Examples |
|---|---|---|
| Platform Authenticator | Built into the user's device. Credentials are created and stored on that specific device. | Windows Hello, Apple Face ID / Touch ID, Android biometrics |
| Roaming (External) Authenticator | A separate portable device that can be used across multiple devices. | YubiKey, Titan Security Key, Feitian key |
Device-bound and Synced passkey
| Type | Description |
|---|---|
| Device-Bound | The passkey exists only on the authenticator where it was created. It cannot be transferred, copied, or accessed from another device. This offers the highest security, but the passkey is lost together with the device, so users should register a second authenticator or another recovery method. |
| Synced | The passkey is backed up and synchronized across devices through a cloud service (such as iCloud Keychain or Google Password Manager). This makes it convenient to use across multiple devices but means the passkey is only as secure as the cloud account protecting it. |