VivoKey releases NFC Passkey Manager

FIDO2 knows two types of keys:

  • Discoverable credentials (previously known as resident keys): These keys store actual key material and metadata on the hardware chip. These are the keys you can actually view and manage in the storage of your chip. These keys also power single-factor / Passkey logins, as the relying party can determine who is trying to log in because the chip allows for credential metadata discovery.

  • Server-side credentials (also known as non-discoverable credentials): These keys are cryptographically derived from a fixed secret inside the chip. The entire key material and metadata are encrypted in the key handle, which is stored, managed, and supplied for authentication by the relying party, i.e. the server you are authenticating with. No storage is used for these keys on the chip. These types of keys can only be used for second-factor logins as the relying party already has to know who is trying to log in to send the correct key handle. This modality is also how U2F (FIDO1) works exclusively.

4 Likes
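The server-side credential flow described above, as an added example that is not part of the original post and not VivoKey's code: a toy authenticator that keeps only one fixed secret and rebuilds the per-site key from a handle the relying party stores. It assumes a simplified nonce-plus-MAC derivation with HMAC-SHA256 instead of encrypting the key into the handle; the class, method names and `example.com` are hypothetical.

```python
import hashlib
import hmac
import os


class Authenticator:
    """Toy authenticator: holds one fixed secret, keeps no per-credential state."""

    def __init__(self, device_secret=None):
        self._secret = device_secret or os.urandom(32)  # never leaves the chip

    def _mac(self, label, rp_id, nonce):
        rp_hash = hashlib.sha256(rp_id.encode()).digest()
        return hmac.new(self._secret, label + rp_hash + nonce, hashlib.sha256).digest()

    def make_credential(self, rp_id):
        """Registration: return (key_handle, key_seed); only the RP keeps the handle."""
        nonce = os.urandom(32)
        tag = self._mac(b"handle-tag", rp_id, nonce)  # binds the handle to chip and RP
        # A real authenticator would turn the seed into a signing key pair.
        return nonce + tag, self._mac(b"key-seed", rp_id, nonce)

    def recover_key(self, rp_id, key_handle):
        """Authentication: rebuild the key seed from a handle supplied by the RP."""
        if len(key_handle) != 64:
            raise ValueError("malformed key handle")
        nonce, tag = key_handle[:32], key_handle[32:]
        if not hmac.compare_digest(tag, self._mac(b"handle-tag", rp_id, nonce)):
            raise ValueError("key handle not issued by this authenticator for this RP")
        return self._mac(b"key-seed", rp_id, nonce)


def demo():
    chip = Authenticator()
    rp_db = {}  # constructed relying-party store: username -> key handle
    handle, seed = chip.make_credential("example.com")
    rp_db["alice"] = handle
    # Login: the RP must already know the user to look up and send the handle.
    same_key = chip.recover_key("example.com", rp_db["alice"]) == seed
    try:
        chip.recover_key("other.example", rp_db["alice"])
        wrong_rp_rejected = False
    except ValueError:
        wrong_rp_rejected = True
    # The chip still holds nothing but its fixed secret.
    return same_key, wrong_rp_rejected, vars(chip).keys() == {"_secret"}
```

Because the chip stores nothing per credential, it cannot enumerate accounts, which is why this kind of key only works once the relying party has identified the user some other way.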