What is a Trusted Platform Module (TPM), and what role does it play in WebAuthn?
A TPM is a dedicated hardware security chip on the motherboard that performs cryptographic operations and guards keys — in WebAuthn it acts as the platform authenticator that generates and stores the private key.
* The TPM seals the key in hardware and signs on-chip. *
A TPM provides hardware-based security functions:
- generates and stores cryptographic keys inside the chip, so the private key is never exposed to the operating system or applications;
- performs crypto operations (key generation, signing) on-chip;
- resists software attacks because the secret material physically can't be read out.
In WebAuthn this makes the TPM an ideal authenticator: it creates the key pair at registration, keeps the private key sealed in hardware, and signs login challenges. Even malware with full OS access can't extract the key — it can only ask the TPM to sign (and only after the user unlocks it).
Tip: A TPM is also what underpins features like BitLocker disk encryption and Windows 11's hardware requirement — it's a general-purpose hardware root of trust, not just for WebAuthn.
Go deeper:
Trusted Platform Module (Wikipedia) — the secure cryptoprocessor (ISO/IEC 11889): on-chip key generation/storage and root of trust.