From f2fababc2b1801940ea455976f3c7969756d8a47 Mon Sep 17 00:00:00 2001 From: Yash Kaushik Date: Thu, 5 Mar 2026 16:54:48 +0530 Subject: [PATCH 1/3] Improve guidance for passkey implementations in Authentication Cheat Sheet --- cheatsheets/Authentication_Cheat_Sheet.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/cheatsheets/Authentication_Cheat_Sheet.md b/cheatsheets/Authentication_Cheat_Sheet.md index 96045cdee6..fed142e463 100644 --- a/cheatsheets/Authentication_Cheat_Sheet.md +++ b/cheatsheets/Authentication_Cheat_Sheet.md 
@@ -341,7 +341,12 @@ UAF takes advantage of existing security technologies present on devices for aut U2F augments password-based authentication using a hardware token (typically USB) that stores cryptographic authentication keys and uses them for signing. The user can use the same token as a second factor for multiple applications. U2F works with web applications. It provides **protection against phishing** by using the URL of the website to look up the stored authentication key. -**FIDO2**: FIDO2 and WebAuthn, encompassing previous standards (UAF/U2F), form the foundation of modern **Passkeys** technology. Passkeys enable users to securely log in using local user verification (such as biometrics or device PINs) and often supporting cloud synchronization across devices. This technology is widely supported by major platforms. (Windows Hello/Mac Touch ID) +**FIDO2**: FIDO2 and WebAuthn, encompassing previous standards (UAF/U2F), form the foundation of modern **Passkeys** technology. Passkeys enable users to securely log in using local user verification (such as biometrics or device PINs) and often supporting cloud synchronization across devices. This technology is widely supported by major platforms (Windows Hello/Mac Touch ID). + +Developers implementing passkeys should rely on well-maintained WebAuthn libraries or platform APIs instead of attempting to implement authentication logic manually. Using mature libraries helps ensure correct handling of cryptographic operations, token validation, and browser compatibility across platforms. + +See also: [Web Authentication API (WebAuthn)](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API). + ## Password Managers From 49416732f8efd1ee0f50fe89840a4d84242b1e9a Mon Sep 17 00:00:00 2001 From: Yash Kaushik Date: Mon, 9 Mar 2026 22:18:03 +0530 Subject: [PATCH 2/3] Fix markdownlint errors --- cheatsheets/Authentication_Cheat_Sheet.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) 
diff --git a/cheatsheets/Authentication_Cheat_Sheet.md b/cheatsheets/Authentication_Cheat_Sheet.md index fed142e463..6c4fd45686 100644 --- a/cheatsheets/Authentication_Cheat_Sheet.md +++ b/cheatsheets/Authentication_Cheat_Sheet.md @@ -245,11 +245,11 @@ Error disclosure can also be used as a discrepancy factor, consult the [error ha There are a number of different types of automated attacks that attackers can use to try and compromise user accounts. The most common types are listed below: -| Attack Type | Description | -|-------------|-------------| -| Brute Force | Testing multiple passwords from a dictionary or other source against a single account. | -| Credential Stuffing | Testing username/password pairs obtained from the breach of another site. | -| Password Spraying | Testing a single weak password against a large number of different accounts.| +| Attack Type | Description | +|---------------------|--------------------------------------------------------------------------------------------------| +| Brute Force | Testing multiple passwords from a dictionary or other source against a single account. | +| Credential Stuffing | Testing username/password pairs obtained from the breach of another site. | +| Password Spraying | Testing a single weak password against a large number of different accounts. | Different protection mechanisms can be implemented to protect against these attacks. In many cases, these defenses do not provide complete protection, but when a number of them are implemented in a defense-in-depth approach, a reasonable level of protection can be achieved. 
@@ -347,7 +347,6 @@ Developers implementing passkeys should rely on well-maintained WebAuthn librari See also: [Web Authentication API (WebAuthn)](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API). - ## Password Managers Password managers are programs, browser plugins, or web services that automate the management of a large quantity of different credentials. Most password managers have functionality to allow users to easily use them on websites, either: From 171e66fa3478c6cf70274458876ea2b8a8d257f4 Mon Sep 17 00:00:00 2001 From: Yash Kaushik Date: Mon, 16 Mar 2026 23:25:37 +0530 Subject: [PATCH 3/3] Add explanation of hardware-backed key storage for passkeys (TPM, Secure Enclave, Android Keystore) --- cheatsheets/Authentication_Cheat_Sheet.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/cheatsheets/Authentication_Cheat_Sheet.md b/cheatsheets/Authentication_Cheat_Sheet.md index 6c4fd45686..d206337246 100644 --- a/cheatsheets/Authentication_Cheat_Sheet.md +++ b/cheatsheets/Authentication_Cheat_Sheet.md 
@@ -341,11 +341,13 @@ UAF takes advantage of existing security technologies present on devices for aut U2F augments password-based authentication using a hardware token (typically USB) that stores cryptographic authentication keys and uses them for signing. The user can use the same token as a second factor for multiple applications. U2F works with web applications. It provides **protection against phishing** by using the URL of the website to look up the stored authentication key. -**FIDO2**: FIDO2 and WebAuthn, encompassing previous standards (UAF/U2F), form the foundation of modern **Passkeys** technology. Passkeys enable users to securely log in using local user verification (such as biometrics or device PINs) and often supporting cloud synchronization across devices. This technology is widely supported by major platforms (Windows Hello/Mac Touch ID). +**FIDO2**: FIDO2 and WebAuthn, encompassing previous standards (UAF/U2F), form the foundation of modern **Passkeys** technology. Passkeys enable users to securely log in using local user verification (such as biometrics or device PINs), often with credential synchronization across devices. -Developers implementing passkeys should rely on well-maintained WebAuthn libraries or platform APIs instead of attempting to implement authentication logic manually. Using mature libraries helps ensure correct handling of cryptographic operations, token validation, and browser compatibility across platforms. +#### Hardware-backed Key Storage -See also: [Web Authentication API (WebAuthn)](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API). +For platform passkeys, the private key is generated and stored by the operating system's secure key manager. Modern platforms typically provide hardware-backed protection for these keys, such as the Trusted Platform Module (TPM) on Windows, Secure Enclave on Apple devices, or the Android Keystore/StrongBox on Android. 
+ +The private key is non-exportable and remains on the user’s device. During authentication, the platform security module signs a server challenge using this key. This hardware-backed protection of private keys is a core security property of passkeys and WebAuthn. ## Password Managers
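Review bot: in the paragraph added by the first patch's hunk, "token validation" is not a WebAuthn concept and will mislead readers who are choosing a library; what a WebAuthn library actually handles on the relying-party side is verifying the challenge, origin and RP ID hash in the client data, validating the signature over authenticatorData and the clientDataHash for attestation and assertion responses, and tracking the signature counter. Suggest replacing "cryptographic operations, token validation, and browser compatibility" with "challenge and origin verification, signature validation of attestation and assertion responses, and browser compatibility". The retained sentence "Passkeys enable users to securely log in ... and often supporting cloud synchronization" also does not parse; "and often support" (or "often with", as the third patch later rewords it) reads correctly.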
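Review bot: the table hunk in the second patch is whitespace-only column padding, and the default markdownlint table rules (pipe style, column count) do not require aligned columns, so it is not clear which error this hunk fixes; the blank-line removal in the following hunk is the one that matches a lint rule (multiple consecutive blank lines). If no rule fires on the original table, dropping this hunk keeps the diff limited to the passkey text and avoids churn on lines the PR does not otherwise touch.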
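Review bot: the new "Hardware-backed Key Storage" paragraph states that the private key "is non-exportable and remains on the user's device", while the rewritten FIDO2 sentence two lines above says passkeys come "often with credential synchronization across devices"; synced passkeys are by design copied, end-to-end encrypted, to the provider's cloud and the user's other devices, so "remains on the device" holds only for device-bound passkeys and roaming security keys. Suggest qualifying the claim: for device-bound passkeys the private key is non-exportable from the TPM/Secure Enclave/StrongBox, whereas for synced passkeys the key material leaves the device under the credential manager's encryption, and a relying party can distinguish the two only through the backup-eligibility and backup-state flags in authenticatorData or through attestation. Two further points on this hunk: it deletes the library-guidance paragraph and MDN link that the first patch added, so the series as a whole no longer delivers what the PR title promises; if that is intended the commit message should say so, otherwise keep that paragraph alongside the new subsection. And since this series also fixes markdownlint errors, check that the "####" heading level follows the level of the enclosing FIDO section without skipping one, and replace the curly apostrophe in "user’s" with the straight quote used elsewhere in the file.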