How many Passkeys can be stored on a Nitrokey?

Hello,
As far as I know I can store passkeys on a Nitrokey, but I can't find any info on how many of them I can store. I think the number for the Nitrokey 3 would be most relevant, but are there differences in storage compared to older Nitrokeys?

Hey @Anigma,

the only older Nitrokey that can store passkeys is the Nitrokey FIDO2, which supports 10 passkeys.
The Nitrokey 3 is currently also restricted to 10 passkeys, but we are working on increasing this number.

The background for this is that passkeys are in fact nothing new; they have existed for quite a while within the FIDO2 standard, but mostly known as "discoverable credentials" and/or "resident keys". Now that the "big players" move this topic forward (mostly from a marketing perspective, e.g., Android support for FIDO2 tokens is still missing) and have given it a fancy new name, more services will support passkeys and we will therefore also increase the number of available passkeys that can be stored on the Nitrokey 3.


Hi @daringer @Anigma,

that’s a great question and I’m glad Nitrokey team is on it. @daringer what’s your estimate on how many keys you will be able to squeeze in?

How can I manage / delete credentials? I'm testing in a dev environment and now my Nitrokey is full. The Nitrokey App just manages OTPs, not passkeys.

You could either use nitropy or your web browser to delete some entries.



The Nitrokey App only lets you mess around with OTP and passwords, not credentials.
In nitropy, though, I was misled by only looking at the nk3 options in the nitropy menu; I have since looked at the fido2 options and can see credential management there. Thank you.
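The deletion the two posts above describe (nitropy's fido2 credential commands, or a browser's security-key manager) is CTAP 2.1 authenticatorCredentialManagement: enumerate relying parties, enumerate the discoverable credentials under each, delete by credential ID. The script below does the same thing directly with python-fido2 so the steps are visible. It is an added example, not Nitrokey's or pynitrokey's code; it assumes python-fido2 >= 1.1 (`pip install fido2`), a CTAP 2.1 token with a PIN set and the `credMgmt` option, and the RP/user names in `SAMPLE_*` are constructed, not captured from a real token. The fido2 imports sit inside the device functions so the pure helpers can be exercised without a token attached.

```python
"""Enumerate and delete discoverable ("resident") FIDO2 credentials through
CTAP 2.1 authenticatorCredentialManagement, the same mechanism the nitropy
fido2 credential commands and browser security-key managers use.

Added example, not Nitrokey/pynitrokey code. Assumes python-fido2 >= 1.1,
a CTAP 2.1 authenticator with a PIN and the "credMgmt" option.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# authenticatorCredentialManagement response map keys (CTAP 2.1, section 6.8).
EXISTING_CRED_COUNT = 0x01   # existingResidentCredentialsCount (getCredsMetadata)
MAX_REMAINING_COUNT = 0x02   # maxPossibleRemainingResidentCredentialsCount
RP = 0x03                    # rp: PublicKeyCredentialRpEntity
RP_ID_HASH = 0x04            # rpIDHash: SHA-256 of the RP ID
USER = 0x06                  # user: PublicKeyCredentialUserEntity
CREDENTIAL_ID = 0x07         # credentialID: PublicKeyCredentialDescriptor


@dataclass
class ResidentCredential:
    rp_id: str
    user_name: str
    descriptor: dict  # {"id": bytes, "type": "public-key"}, what deleteCredential expects


def flatten_credentials(rp_entries: List[dict],
                        creds_by_rp_hash: Dict[bytes, List[dict]]) -> List[ResidentCredential]:
    """Join enumerateRPs output with the per-RP enumerateCredentials output."""
    result = []
    for rp in rp_entries:
        for cred in creds_by_rp_hash.get(rp[RP_ID_HASH], []):
            result.append(ResidentCredential(
                rp_id=rp[RP]["id"],
                user_name=cred[USER].get("name", "<no name>"),
                descriptor=cred[CREDENTIAL_ID],
            ))
    return result


def select_credential(creds: List[ResidentCredential], rp_id: str,
                      user_name: str) -> Optional[ResidentCredential]:
    """Pick exactly one credential; return None when the (rp, user) pair is absent
    or ambiguous, so a typo or a duplicate name never deletes the wrong key."""
    matches = [c for c in creds if c.rp_id == rp_id and c.user_name == user_name]
    return matches[0] if len(matches) == 1 else None


def capacity_report(metadata: Dict[int, int]) -> str:
    """Render getCredsMetadata; the 'remaining' figure is what the Nitrokey 3
    derives dynamically from the free space left after other keys."""
    return (f"{metadata[EXISTING_CRED_COUNT]} discoverable credential(s) stored, "
            f"room for {metadata[MAX_REMAINING_COUNT]} more")


def open_credential_manager(pin: str):
    """Get a PIN token scoped to credential management (CTAP 2.1 permission)."""
    from fido2.hid import CtapHidDevice
    from fido2.ctap2 import Ctap2, ClientPin, CredentialManagement

    dev = next(CtapHidDevice.list_devices(), None)
    if dev is None:
        raise RuntimeError("no CTAP HID authenticator found")
    ctap = Ctap2(dev)
    if not ctap.info.options.get("credMgmt"):
        raise RuntimeError("authenticator has no credMgmt support (CTAP 2.1 required)")
    client_pin = ClientPin(ctap)
    token = client_pin.get_pin_token(pin, ClientPin.PERMISSION.CREDENTIAL_MGMT)
    return CredentialManagement(ctap, client_pin.protocol, token)


def list_resident_credentials(pin: str):
    cm = open_credential_manager(pin)
    rps = cm.enumerate_rps()
    creds = {rp[RP_ID_HASH]: cm.enumerate_creds(rp[RP_ID_HASH]) for rp in rps}
    return capacity_report(cm.get_metadata()), flatten_credentials(rps, creds)


def delete_resident_credential(pin: str, rp_id: str, user_name: str) -> bool:
    cm = open_credential_manager(pin)
    rps = cm.enumerate_rps()
    creds = {rp[RP_ID_HASH]: cm.enumerate_creds(rp[RP_ID_HASH]) for rp in rps}
    target = select_credential(flatten_credentials(rps, creds), rp_id, user_name)
    if target is None:
        return False
    cm.delete_cred(target.descriptor)
    return True


# Constructed sample responses shaped like python-fido2's output (not from a real token).
SAMPLE_RPS = [
    {RP: {"id": "example.com"}, RP_ID_HASH: b"\xaa" * 32},
    {RP: {"id": "login.example.org"}, RP_ID_HASH: b"\xbb" * 32},
]
SAMPLE_CREDS = {
    b"\xaa" * 32: [  # two accounts with the same display name: ambiguous on purpose
        {USER: {"id": b"u1", "name": "alice"}, CREDENTIAL_ID: {"id": b"\x01", "type": "public-key"}},
        {USER: {"id": b"u2", "name": "alice"}, CREDENTIAL_ID: {"id": b"\x02", "type": "public-key"}},
    ],
    b"\xbb" * 32: [
        {USER: {"id": b"u3", "name": "bob"}, CREDENTIAL_ID: {"id": b"\x03", "type": "public-key"}},
    ],
}

if __name__ == "__main__":
    import getpass
    report, stored = list_resident_credentials(getpass.getpass("FIDO2 PIN: "))
    print(report)
    for c in stored:
        print(f"{c.rp_id:30} {c.user_name:20} {c.descriptor['id'].hex()}")
```

Two things worth noting for a practitioner: the PIN token is requested with only the `credMgmt` permission, so a bug in the script cannot be escalated into a makeCredential or reset, and `select_credential` refuses to act on an ambiguous match rather than deleting the first hit.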

Hi @daringer,

the NK3 keys I just purchased (in June 2024, i.e. more than half a year after you wrote about your plans to increase this limit) still report a capacity of "about 10" resident keys.

With a limit of only 10 keys it doesn’t make much sense to use the NK3 for passkeys (which need to be “discoverable/resident” keys, right?).


I use them extensively, and I also don't see how having "just" 10 available reduces the sense in using them. Can you explain how you come to this conclusion? Frankly, I would have trouble listing 10 services using/allowing passkeys, but maybe I didn't search extensively…

But apart from that: you are right, the FIDO L1 certification slowed our release process a lot recently. The changeset for a dynamic calculation of available slots is already there, plus various space improvements. It's hard to give an ETA for it, but it shouldn't be too far ™


I just remember someone who said “640 kB RAM should be enough for everyone” :wink:
Seriously: companies and even media (think of heise.de) are promoting passkeys strongly.

To get started 10 entries would certainly be OK, but if everybody starts offering passkeys (some already forcing users to use either MFA or passkeys!) the number of entries required will soon be much higher. I think recent YubiKeys have 100 entries? I won't reach that, but definitely much more than 10.

I’m not going to use Google’s or Facebook’s authentication services to login to other sites (something other people may not hesitate to do, which limits the number of passkeys they use). And I just moved my main working environment to GNU/Linux, where passkeys are not available in the OS. It would be great to be able to use Nitrokeys instead.

Therefore it’s good to hear that this improvement is still on your todo list :wink:

I have been using my YubiKey (which has 25 slots) for the past 3 years and I checked that the number of resident/discoverable keys on my YubiKey is just 5. Passkeys have become popular in the last 2-3 years but still very few services use the true discoverable passkey method.
Most websites use non-discoverable keys and use them as a 2FA authentication method… For some reason even Google "passkey" logins don't use discoverable keys and require you to enter your email ID first, then authenticate with your security key as non-discoverable.

At first I also felt 10 entries would be too few, but with actual passkey adoption being very slow, 10 may be just enough for another 2-3 years. Though more entries would still be nice to have. Hopefully an update is worked out in the meantime.


Unfortunately I am very dependent on some kind of ETA, even if it is just a gut feeling. Depending on how much waiting time there will be I will need to resort to ordering a competing product for my company and if I do not have any idea about what time we are talking about, my good will is not enough to justify refraining from using passkeys. Can you give any rough time estimate?


Hi,

we plan a test release in the coming days, and a stable release in the coming weeks. If no bigger issue comes up, a stable release at the end of the month is reasonable, but it might be a bit longer.

Depending on whether the Nitrokey 3 uses an nRF or LPC microcontroller, and on the overall usage, 30 to 100 keys are reasonable. The memory is managed dynamically, so the overall usage matters.

Best regards and welcome to our forum!
Simon


Hi everyone! Nowadays, does the Nitrokey 3 still have space for only 10 passkeys?

Thanks!

If your Nitrokey only supports 10 passkeys, you can update the firmware. The new firmware supports between 30 and 100 passkeys depending on how many other keys you store on it (e.g. PGP keys).
The microcontroller used in the Nitrokey also has an impact. Maybe @simon can tell you more about how to find out which microcontroller is used in your Nitrokey and which is used in the ones in the shop right now.

As far as I know, the limit has not been updated yet. But this is planned for the next firmware release.

I know "no one will ever need more than 64 KB of RAM", and of course more is better. But what scenarios are you thinking of that would need 30 or more resident passkeys? Unlimited non-resident passkeys are possible. Is it for freelance use and switching between different clients? I consider myself a FIDO2 power user and have not run into the limit yet.

If there is a good use case, there is certainly space left on the device and, as stated, there is already a plan to increase the limit. But thinking further, maybe something similar to an HSM DKEK could enable backups bound to a hardware token and the possibility to offload keys (controversial, as some cherish that a key cannot and must not leave the token). Or, similar to a password manager, having "derived resident passkeys" together with the Nitrokey App.

When will the next firmware be released?

Early next year, probably January.