LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What is a Trusted Platform Module (TPM), and what role does it play in WebAuthn?

A TPM is a dedicated hardware security chip on the motherboard that performs cryptographic operations and guards keys — in WebAuthn it acts as the platform authenticator that generates and stores the private key.

The TPM seals the private key and signs on-chip; the OS (and malware) can only ask it to sign.

* The TPM seals the key in hardware and signs on-chip. *

A TPM provides hardware-based security functions:

  • generates and stores cryptographic keys inside the chip, so the private key is never exposed to the operating system or applications;
  • performs crypto operations (key generation, signing) on-chip;
  • resists software attacks because the secret material physically can't be read out.

In WebAuthn this makes the TPM an ideal authenticator: it creates the key pair at registration, keeps the private key sealed in hardware, and signs login challenges. Even malware with full OS access can't extract the key — it can only ask the TPM to sign (and only after the user unlocks it).

Tip: A TPM is also what underpins features like BitLocker disk encryption and Windows 11's hardware requirement — it's a general-purpose hardware root of trust, not just for WebAuthn.

Go deeper:

From Quiz: INTROL / Web Authentication: Cookies, OAuth 2.0 / OIDC & WebAuthn | Updated: Jul 05, 2026