ELI5: How does a TPM work?

Nick Hodges
4 min readDec 12, 2022

We all know that passwords leave a lot to be desired. They are a hassle for everyone. Fortunately, passwordless authentication is coming. Removing passwords from the authentication equation will be a welcome sight for users and software developers.

You may have heard about passkeys, a standards-based solution that leverages biometrics and other technologies to make passwords obsolete. Most of the time, passkeys will leverage some type of biometrics to authenticate you to a given website or mobile application.

You can read all about the standards used for passwordless authentication, how it works, and why it is a superior solution to passwords in other posts here on our blog.

The great part of the whole solution is that secret information never leaves your device. Your biometrics information and passkeys are stored safely and securely on your phone or computer, unable to be accidentally shared or otherwise revealed to bad actors. Even if you lose your phone and a sophisticated hacker or other hostile entity gets a hold of it, they will not be able to pry that information from the bowels of your phone.

How is that possible? Because that secret information is stored in a chip called a Trusted Platform Module (TPM).

What is a TPM?

A TPM is a very special chip, currently included in almost all new computers and phones, that is specifically designed to store your secrets, most notably passkeys and other private encryption artifacts. It is specifically designed to make it impossible to give up those secrets to anyone other than you.

TPMs use encryption, hashing, and other security measures to store and protect your secrets. The TPM chip itself is also specific to your computer or phone and is protected by an additional layer of hardware security. This layer of protection prevents attackers from accessing the sensitive information that is stored inside the TPM.

The TPM works in concert with the device’s operating system (Windows, iOS, OS X, Android, etc.) to do all kinds of cryptography-related things. However, what we are concerned with here is its ability to manage and protect private encryption keys — otherwise known as passkeys. When you ask for a passkey to be created, the TPM generates it…

--

--