ELI5: How Does a TPM Work?

We all know that passwords leave a lot to be desired. They are a hassle for everyone. Fortunately, passwordless authentication is coming. Removing passwords from the authentication equation will be a welcome sight for users and software developers.

You may have heard about passkeys, a standards-based solution that leverages biometrics and other technologies to make passwords obsolete. Most of the time, passkeys will leverage some type of biometrics to authenticate you to a given website or mobile application.

The great part of the whole solution is that secret information never leaves your device. Your biometrics information and passkeys are stored safely and securely on your phone or computer, unable to be accidentally shared or otherwise revealed to bad actors. Even if you lose your phone and a sophisticated hacker or other hostile entity gets a hold of it, they will not be able to pry that information from the bowels of your phone.

How is that possible? Because that secret information is stored in a chip called a Trusted Platform Module (TPM).

What Is a TPM?

A TPM is a very special chip, currently included in almost all new computers and phones, that is specifically designed to store your secrets, most notably passkeys and other private encryption artifacts. It is specifically designed to make it impossible to give up those secrets to anyone other than you.

TPMs use encryption, hashing, and other security measures to store and protect your secrets. The TPM chip itself is also specific to your computer or phone and is protected by an additional layer of hardware security. This layer of protection prevents attackers from accessing the sensitive information that is stored inside the TPM.

The TPM works in concert with the device’s operating system (Windows, iOS, OS X, Android, etc.) to do all kinds of cryptography-related things. However, what we are concerned with here is its ability to manage and protect private encryption keys — otherwise known as passkeys. When you ask for a passkey to be created, the TPM generates it, stores the secret, private key safely away without ever exposing it to anyone, and hands out the public key to the website or mobile application to use.

I have had a Dell laptop for several years running Windows 10, but when it came time to upgrade to Windows 11, it wouldn’t install. Why? Because Windows 11 requires the presence of a TPM, and my older laptop didn’t have it. Windows 11 needs the TPM to support Windows Hello and provide a much higher level of security for access to your computer.

How Does a TPM Keep Secrets?

The primary way TPMs work their magic is by isolating secrets away from everything and everyone, even the operating system. No entity ever sees the secrets stored by the TPM. This means that when a TPM is used to validate a signed data chunk, it can do so without revealing any secrets.  The TPM will perform the necessary calculations to verify the signature, and then the results are sent back to the requesting application. Again, no secrets are ever revealed in any way, shape, or form.

I keep using qualifiers like “basically” and “considered” in front of “impossible” because no one can predict the future, and no specification should ever be considered perfect. While many smart people have worked for many years to make sure TPMs are impregnable, one can never be 100% sure that there isn’t a bug, nor can one be sure that some computing breakthrough makes all that hard work moot.

Second, TPMs are literally soldered directly to a specific motherboard and given a unique, unalterable identifier, thus ensuring that each one — along with the chip’s given configuration — is uniquely identifiable and every action produced by a specific TPM is traceable to that TPM. Thus, you can know what specific device has provided credentials, and you can be sure that said device hasn’t been compromised. This ensures the integrity of the entire process.

Third, the TPM is designed to defend against brute-force attacks. A brute force attack is a process of simply trying, over and over, every possible key in the hopes that one of them will succeed. A TPM will shut itself down and accept no more queries if too many requests are submitted in a given period. But don’t worry; there is an option for recovery after a specific time has passed.

On top of all that is the fact that the TPM standards and specifications have been around — and thus battle-tested — for over twenty years. Everything about a TPM, including the source code, is publicly available. As noted above, that doesn’t promise impregnability, but twenty years is a long time in the technology world.

Bottom Line

The bottom line is that a TPM is well-designed, well-tested, and well-proven. For all intents and purposes, it is impregnable, doing the job of protecting the secrets entrusted to it. Given the inevitability of a passwordless future, TPMs will certainly be an integral part of all devices requiring authentication services for years to come. As a result, users can rest assured that the passwordless authentication process is safe, secure, and hassle-free.