Passkeys

Passkeys Technical FAQ: For Your IT & Information Security Teams

6 March, 2026

Passkeys on the Thrive.app Platform: Security & Architecture FAQs

1. What is a Passkey?

A Passkey is a phishing-resistant authentication credential based on the FIDO2 / WebAuthn standard.

Instead of a password, a passkey uses public-key cryptography:

  • A private key is generated and securely stored on the userʼs device.
  • A corresponding public key is shared with Thrive during registration.
  • During login, the device signs a cryptographic challenge using the private key.

No shared secret (like a password) is transmitted or stored.

2. Where are Passkeys Stored?

Passkeys are stored only on the userʼs device or in the userʼs OS-managed secure cloud keychain, such as: 

  • iCloud Keychain
  • Google Password Manager
  • Microsoft Windows Hello / device TPM

The Thrive Platform NEVER stores private keys.

3. What does the Thrive platform store?

Our platform stores only:

  • The public key
  • The Credential ID
  • Metadata required by the WebAuthn protocol (e.g., sign count) 

These are not secrets and cannot be used to impersonate a user. Even in the event of a database breach:

  • Attackers cannot reconstruct the private key.
  • They cannot authenticate as the user.

4. Do we store biometric data?

No: Thrive does NOT store or access any biometric data.

Biometric data (fingerprints, Face ID, Windows Hello face scans, etc.):

  • Never leaves the userʼs device
  • Is never transmitted to our servers
  • Is never accessible to our application
  • Is never stored in our infrastructure

Biometrics are used only by the device operating system to unlock the private key locally.

5. How does biometric authentication work with passkeys?

Biometrics act as a local unlock mechanism:

  1. The server sends a cryptographic challenge.
  2. The device prompts the user for biometric or device PIN authentication.
  3. The OS verifies the biometric locally.
  4. If successful, the private key signs the challenge.
  5. The signed response is sent back to our server.

Thrive receives only the signed cryptographic assertion — never biometric data.

6. What if biometric data were used outside OS-controlled flows?

Any use of biometric data outside the secure, OS-controlled authentication flow would require:

  • Explicit runtime permission from the user (e.g., via mobile OS permission prompts).
  • Clear user consent under platform privacy policies.
  • Separate application-level biometric processing (which we do not implement).

The Thrive Platform architecture does not request, access, transmit, or process biometric data. Biometric verification occurs entirely within the device operating systemʼs secure authentication flow.

The Thrive Platform neither integrates with biometric APIs nor stores biometric artifacts. This can be verified through the absence of biometric permission requests.

7. Why are passkeys more secure than passwords?

Phishing Resistance

  • Authentication is cryptographically bound to Thrive.
  • A passkey created for Thrive cannot be used on another application and vice versa.

No Shared Secrets

There is no password to:

  • Steal via phishing
  • Capture via keylogging
  • Reuse across sites
  • Exfiltrate from our database

Replay Protection

Each login uses a unique cryptographic challenge.

Hardware Protection

Private keys are hardware-backed and non-exportable.
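
The server-side checks behind sections 3, 5 and 7, as an added example in Node.js (not Thrive's code): verifying the signed assertion against the stored public key, with the challenge, origin, RP ID and sign-count checks that give replay and phishing resistance. `RP_ID`, `ORIGIN`, the function names and the in-process stand-in for the authenticator are assumptions constructed for illustration.

```javascript
// Added example: relying-party verification of a WebAuthn assertion (Node.js).
// RP_ID, ORIGIN and all sample data are constructed for illustration.
const { createHash, generateKeyPairSync, randomBytes, sign, verify } = require("node:crypto");

const RP_ID = "login.example.test";          // assumed relying-party ID
const ORIGIN = "https://login.example.test"; // assumed expected origin
const sha256 = (b) => createHash("sha256").update(b).digest();

// stored = { publicKey, signCount } saved at registration; expectedChallenge is
// the base64url value the server issued for this one login attempt.
function verifyAssertion(stored, expectedChallenge, { authenticatorData, clientDataJSON, signature }) {
  const client = JSON.parse(clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong-type";
  if (client.challenge !== expectedChallenge) return "challenge-mismatch"; // replayed response
  if (client.origin !== ORIGIN) return "origin-mismatch";                  // signed for another site
  if (authenticatorData.length < 37) return "short-authdata";
  if (!authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return "rpid-mismatch";
  const flags = authenticatorData[32];
  if (!(flags & 0x01)) return "user-not-present";  // UP flag
  if (!(flags & 0x04)) return "user-not-verified"; // UV flag: biometric or PIN passed locally
  // The authenticator signs authenticatorData || SHA-256(clientDataJSON).
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  if (!verify("sha256", signed, stored.publicKey, signature)) return "bad-signature";
  const count = authenticatorData.readUInt32BE(33);
  // Counters that stay at 0 are allowed; otherwise the count must strictly increase.
  if ((count !== 0 || stored.signCount !== 0) && count <= stored.signCount) return "counter-regression";
  stored.signCount = count;
  return "ok";
}

// Constructed stand-in for the authenticator; a real private key never leaves the device.
function makeAssertion(privateKey, challenge, origin, count, flags = 0x05) {
  const authenticatorData = Buffer.alloc(37);
  sha256(RP_ID).copy(authenticatorData, 0);
  authenticatorData[32] = flags;
  authenticatorData.writeUInt32BE(count, 33);
  const clientDataJSON = Buffer.from(JSON.stringify({ type: "webauthn.get", challenge, origin }));
  const signature = sign("sha256", Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
  return { authenticatorData, clientDataJSON, signature };
}

function demo() {
  const { publicKey, privateKey } = generateKeyPairSync("ec", { namedCurve: "P-256" });
  const stored = { publicKey, signCount: 0 };
  const challenge = randomBytes(32).toString("base64url");
  const good = makeAssertion(privateKey, challenge, ORIGIN, 1);
  const phished = makeAssertion(privateKey, challenge, "https://login.example.test.invalid", 2);
  return [good, phished, good].map((a) => verifyAssertion(stored, challenge, a));
}
```

`demo()` returns one verdict per assertion: the genuine login, a response signed for a look-alike origin, and the first response submitted a second time.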

8. Can passkeys be exported or copied?

Typically no:

  • Private keys are marked as non-exportable.
  • They are protected by hardware security modules.
  • There is an exception for cloud-based key synchronisation, but this is secured and accessible only by the provider itself.

Our platform has no mechanism to extract or duplicate a private key as we never store or access the private key.

9. What happens if a device is lost?

Security protections remain intact:

  • The private key cannot be used without biometric or PIN unlock.
  • Users can revoke credentials on the Thrive platform if they still have access to an alternative passkey.
  • Alternatively, the account can be placed into recovery mode, which revokes all passkeys.
  • If cloud sync is enabled, users can restore passkeys on a new device after authenticating to their OS account.