Skip to main content

Try Demo

Talk to Adoption Engineer

Whitepaper

1. Executive Overview

In today’s regulatory landscape, financial institutions, payment service providers, government entities, and other regulated organizations require absolute control over their authentication infrastructure and data. Corbado Connect’s Enterprise Passkey Export capability, available exclusively with Enterprise Private Cloud deployments, directly addresses critical requirements for vendor independence, regulatory compliance, and operational resilience mandated by frameworks such as the European Banking Authority (EBA) guidelines, North American outsourcing regulations (OCC, OSFI), and national payment network regulations. This Private Cloud feature leverages your single-tenant infrastructure to ensure complete sovereignty over authentication data while utilizing Corbado’s advanced passkey capabilities. By providing automated, secure, and fully portable authentication data exports, we eliminate vendor lock-in concerns and enable comprehensive business continuity planning, which are essential requirements for regulated entities operating in critical infrastructure sectors.

1.1 Private Cloud Enterprise Capabilities

  • Automated Daily Data Archival: Production-grade automated export processes execute daily, creating immutable authentication data archives in industry-standard formats
  • Enterprise-Grade Security Architecture: All exports are secured using AWS S3’s enterprise security features, including encryption at rest (AES-256) and in transit (TLS 1.3)
  • Management Console Integration: Executive dashboards and administrative interfaces provide controlled access to historical authentication data exports
  • Complete Data Portability: Full WebAuthn credential export enables seamless migration to alternative authentication providers or in-house systems
  • Vendor Independence Assurance: Comprehensive data export capabilities ensure your organization retains the ability to transition authentication providers without service disruption
Passkey Export List

Passkey Export List

1.2 Strategic Business Applications

The Enterprise Passkey Export capability addresses critical requirements across regulated industries:
  • Regulatory Audit Readiness: Maintain comprehensive authentication data archives to satisfy regulatory examination requirements from banking supervisors, financial regulators, and compliance auditors
  • Vendor Substitution Rights: Exercise contractual rights for vendor replacement without data loss, ensuring compliance with procurement regulations and vendor risk management policies
  • National Payment Network Resilience: Meet national infrastructure requirements for payment service providers, including data localization, sovereignty, and disaster recovery mandates
  • Business Continuity Planning: Implement vendor-independent authentication data backup strategies beyond Corbado’s existing disaster recovery infrastructure, enabling restoration without vendor support in extreme scenarios while maintaining alignment with Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)
  • Multi-Jurisdictional Compliance: Address data residency requirements, cross-border data transfer regulations, and jurisdiction-specific authentication data retention policies
  • Exit Strategy Implementation: Execute pre-defined vendor transition plans with zero authentication data loss, maintaining service continuity during provider changes
  • Operational Risk Management: Mitigate single points of failure in authentication infrastructure through comprehensive data export and portability capabilities

1.3 Storage Architecture Options

Enterprise Private Cloud deployments provide multiple storage models to align with your organization’s data governance, compliance requirements, and operational preferences:

1.3.1 Standard Private Cloud: Corbado-Managed Dedicated Storage

The standard Enterprise Private Cloud implementation provides each customer with a dedicated S3 bucket within their single-tenant isolated Corbado environment. This approach delivers enterprise-grade security while minimizing operational overhead for your teams. Key Features:
  • Dedicated Storage: Your passkey exports are stored in an S3 bucket exclusively allocated to your organization within your dedicated Corbado installation
  • Management Console Access: Download URLs for exported files are readily available through the Corbado Management Console
  • Manual Download Capability: Authorized administrators can initiate downloads on-demand for compliance audits, migrations, or backup purposes
  • Secure Access: All downloads require authentication through the Management Console with role-based access controls
  • Data Retention: Standard 3-day retention with automated cleanup, configurable based on your requirements
This standard approach provides immediate value without requiring AWS infrastructure setup or cross-account configuration, making it ideal for organizations that prioritize simplicity while maintaining enterprise-grade security.
Amazon S3 configuration (Corbado account)

Amazon S3 configuration (Corbado account)

1.3.2 Advanced Private Cloud: Customer-Controlled Storage Infrastructure

For Private Cloud customers with specific data sovereignty or compliance requirements, passkey exports can be configured to deliver directly to your own AWS S3 storage infrastructure. This approach ensures authentication data resides entirely within your organization’s control while maintaining automated export delivery from your dedicated single-tenant Corbado environment. Security and Compliance Architecture:
  • Secure Access Control: Corbado accesses your storage using temporary, limited-scope credentials that you control and can revoke at any time
  • Data Ownership: All exported data is immediately owned by your organization upon delivery, with no retained access by Corbado
  • Encryption at Rest: Supports your organization’s encryption keys, ensuring only you can decrypt the exported authentication data
  • Audit Trail: All data transfers are logged and traceable for compliance reporting and security audits
  • Tenant Isolation: Each customer’s exports are cryptographically isolated using unique identifiers to prevent any cross-tenant data access
Amazon S3 configuration (own account)

Amazon S3 configuration (own account)

1.3.3 Private Cloud Enterprise Plus Addon: Custom Storage Solutions

For Private Cloud customers with the Enterprise Plus addon, Corbado enables additional storage customization options beyond standard cross-account S3 configurations:
  • Alternative Cloud Providers: Integration with Azure Blob Storage, Google Cloud Storage, or other enterprise storage platforms
  • On-Premises Delivery: Direct delivery to on-premises storage systems via secure channels (SFTP, AWS Storage Gateway, or dedicated connectivity)
  • Geographic Data Residency: Region-specific storage with configurable data sovereignty controls
  • Custom Retention Policies: Automated lifecycle management aligned with your organization’s data retention requirements
  • Multi-Region Replication: Automated replication to multiple storage locations for enhanced disaster recovery
HTTP endpoint configuration

HTTP endpoint configuration

Enterprise Passkey Export is available exclusively for Enterprise Private Cloud deployments. This feature is not available for Enterprise Public Cloud customers. Standard Private Cloud contracts include Corbado-managed dedicated storage with Management Console access. Advanced configurations with customer-controlled S3 buckets are available for Private Cloud customers with specific compliance requirements. Custom storage solutions beyond AWS S3 are available through the Enterprise Plus addon, which is only available with Private Cloud deployments.

2. Technical Specifications: Export Data Schema

2.1 Data Format and Compliance Standards

Corbado Connect delivers authentication data exports in a standardized CSV format, ensuring compatibility with enterprise data management systems, compliance reporting tools, and authentication infrastructure platforms. This format has been specifically designed to meet audit trail requirements, facilitate vendor transitions, and support comprehensive disaster recovery scenarios. Each exported file contains a complete snapshot of your organization’s passkey credentials, with every row representing a unique WebAuthn credential including all cryptographic material and metadata required for authentication system portability. The export format adheres to industry standards including:
  • W3C WebAuthn Specification compliance for credential data representation
  • RFC 4648 Section 5 encoding standards for cryptographic materials
  • ISO 8601 timestamp formatting for audit trail compatibility
  • CSV RFC 4180 formatting for maximum interoperability

2.2 Authentication Data Field Specifications

The following table provides comprehensive documentation of each data field included in the export, essential for your technical teams, compliance officers, and audit personnel:
FieldDescriptionData Type & EncodingCompliance & Audit Relevance
userIdCorbado-assigned unique user identifierString (UUID v4)Internal audit trail correlation
externalUserIdOrganization-specific user identifierStringPrimary key for enterprise identity systems integration
credentialIdWebAuthn credential identifierBase64URL with padding (RFC 4648 §5)Unique credential tracking for compliance reporting
publicKeyCOSE-encoded public key for credential verificationBase64URL with padding (RFC 4648 §5)Cryptographic material for authentication validation
authenticatorSignCountSignature counter for replay protectionInteger (32-bit unsigned)Security audit and anomaly detection
authenticatorAaguidAuthenticator Attestation GUIDUUID format (RFC 4122)Device identification for risk assessment
authenticatorAttachmentPlatform vs. cross-platform indicatorEnum: platform | cross-platformDevice binding compliance verification
backupEligibleCloud backup capability indicatorBooleanDisaster recovery planning metric
backupStateCurrent backup synchronization statusBooleanBusiness continuity assessment
transportsSupported authentication transport protocolsSemicolon-delimited (e.g., usb;nfc;ble;internal)Multi-factor authentication compliance
attestationFormatWebAuthn attestation statement formatString (e.g., packed, fido-u2f, none)Authenticator trust evaluation
createdCredential registration timestampISO 8601 (e.g., 2024-01-15T10:30:00.000Z)Audit trail and retention policy enforcement
statusCredential lifecycle statusEnum: active | suspended | revokedAccess control and compliance state
All cryptographic materials are exported in their complete form, ensuring zero data loss during vendor transitions. The Base64URL encoding with padding ensures compatibility with all major authentication frameworks and maintains the integrity of cryptographic signatures required for WebAuthn authentication flows.

3. Enterprise Integration and Migration Pathways

3.1 Vendor Transition and Business Continuity Implementation

The Enterprise Passkey Export capability has been architected to support seamless authentication provider transitions, ensuring zero disruption to your organization’s authentication services during vendor migration scenarios. Whether executing a planned vendor transition as part of strategic sourcing initiatives or responding to business continuity events, the exported authentication data provides complete portability across authentication platforms. Our export format ensures compatibility with enterprise-grade authentication systems, enabling your organization to:
  • Execute vendor transitions within defined maintenance windows
  • Maintain authentication service availability during provider migrations
  • Preserve user authentication history for compliance and audit purposes
  • Implement multi-vendor authentication strategies for risk mitigation

3.2 Enterprise Authentication Platform Compatibility

The exported authentication data maintains full compatibility with industry-leading WebAuthn implementations, ensuring seamless integration with your existing or target authentication infrastructure:

3.2.1 Enterprise Development Frameworks

  • JavaScript/TypeScript: SimpleWebAuthn - Production-ready WebAuthn implementation for Node.js and browser environments
  • Python: py_webauthn - Enterprise Python library supporting Django, Flask, and FastAPI integrations
  • Go: go-webauthn/webauthn - High-performance implementation for microservices architectures
  • Java: webauthn4j, Yubico Java WebAuthn Server - Enterprise Java solutions for Spring Boot and Jakarta EE
  • C#/.NET: Fido2NetLib - Microsoft-ecosystem compatible library for .NET Core and Azure deployments
  • PHP: lbuchs/WebAuthn - Production-grade PHP implementation for Laravel and Symfony frameworks

3.3 Reference Implementation: Migration Pattern

To demonstrate the practical application of our data portability solution, we provide a reference implementation for importing exported passkey credentials into the industry-standard SimpleWebAuthn library. This implementation illustrates the straightforward nature of credential migration, enabling organizations to rapidly prototype and validate their authentication migration strategies. The following code can be directly integrated into the official SimpleWebAuthn example repository to establish a functional migration pathway. 
function loadCredentialsFromCSV(): void {
  try {
    const csvPath = path.join(__dirname, '2025-09-15.csv');
    const csvContent = fs.readFileSync(csvPath, 'utf-8');

    const records = parse(csvContent, {
      columns: true,
      skip_empty_lines: true,
    }) as CSVRecord[];

    for (const record of records) {
      if (record.status === 'active') {
        // Parse base64url encoded fields
        const credentialId = Buffer.from(record.credentialId, 'base64url');
        const publicKey = Buffer.from(record.publicKey, 'base64url');

        // Parse transports
        const transports = record.transports.split(';').map((t: string) => t.trim()) as AuthenticatorTransport[];

        const credential: WebAuthnCredential = {
          id: credentialId.toString('base64url'),
          publicKey: publicKey,
          counter: parseInt(record.authenticatorSignCount, 10),
          transports: transports,
        };

        // Add credential to the default user
        const user = inMemoryUserDB[loggedInUserId];
        if (user) {
          // Check if credential already exists by comparing credential IDs
          const existingCred = user.credentials.find(cred =>
            cred.id === credential.id
          );

          if (!existingCred) {
            user.credentials.push(credential);
            console.log(`Loaded credential from CSV: ${record.credentialId}`);
          }
        }
      }
    }

    console.log(`Loaded ${inMemoryUserDB[loggedInUserId].credentials.length} credentials from CSV`);
  } catch (error) {
    console.warn('Could not load credentials from CSV:', error);
  }
}
This reference implementation demonstrates key migration capabilities:
  • Credential Filtering: Processes only active credentials to maintain authentication system integrity
  • Cryptographic Material Handling: Properly decodes Base64URL-encoded credential IDs and public keys per WebAuthn specifications
  • Transport Protocol Parsing: Maintains multi-factor authentication compatibility through transport method preservation
  • Idempotent Import Logic: Implements duplicate detection to ensure safe re-execution during migration testing
  • Operational Visibility: Provides console output for migration validation and troubleshooting

4. Checksum Verification and Data Integrity

4.1 Enterprise-Grade Data Integrity Controls

Corbado’s Enterprise Passkey Export implements rigorous data integrity controls to ensure the authenticity and completeness of exported authentication data. Each export file is cryptographically verified using industry-standard checksum algorithms, providing your organization with independently verifiable proof that exported data remains unaltered during transmission and storage. The checksum verification system addresses critical requirements for regulated industries:
  • Regulatory Compliance: Satisfies data integrity requirements for financial services, healthcare, and government sectors
  • Audit Trail Validation: Provides cryptographic proof of data integrity for compliance auditors and security teams
  • Tamper Detection: Enables immediate identification of any unauthorized modifications to exported authentication data
  • Chain of Custody: Establishes verifiable chain of custody for authentication data from export to import

4.2 CRC64NVME Checksum Implementation

To ensure performance at enterprise scale while maintaining cryptographic integrity, Corbado implements the CRC64NVME checksum algorithm for all passkey exports. This algorithm is specifically designed for high-performance verification of large datasets, making it ideal for organizations with substantial user bases requiring millions of passkey credentials.

4.3 Verification Procedure and Implementation

For organizations requiring independent verification of export integrity, Corbado provides a reference implementation written in Python using the AWS CRT library. This implementation enables your security and compliance teams to validate the integrity of exported files without relying on Corbado’s internal verification systems. 
"""
Compute CRC64NVME checksum of a file using AWS CRT library.

This uses the official AWS CRT implementation for CRC64NVME checksums,
which matches the S3 `x-amz-checksum-crc64-nvme`/`ChecksumCRC64NVME` value.
"""

from awscrt import checksums
import base64
import sys
import os

def main():
    if len(sys.argv) != 2:
        print("Usage: python3 crc64nvme.py <file>", file=sys.stderr)
        return 1

    filepath = sys.argv[1]
    if not os.path.isfile(filepath):
        print(f"Error: '{filepath}' is not a file", file=sys.stderr)
        return 1

    with open(filepath, 'rb') as f:
        file_data = f.read()

    checksum = checksums.crc64nvme(file_data)
    checksum_bytes = checksum.to_bytes(8, byteorder='big')
    checksum_base64 = base64.b64encode(checksum_bytes).decode('ascii')

    print(checksum_base64)

    return 0

if __name__ == "__main__":
    sys.exit(main())
To verify the checksum of an export file, run the following commands: 
# Create isolated Python virtual environment
python3 -m venv checksum-verification
source checksum-verification/bin/activate

# Install AWS CRT library for official CRC64NVME implementation
pip3 install awscrt

# Verify export file integrity
python3 crc64nvme.py /path/to/export/file.csv.gz
=> 5yuiJSxKKnU=
The generated Base64-encoded checksum can be compared with the value displayed in the Corbado Management Console to confirm data integrity. For automated verification workflows, this process can be integrated into your organization’s CI/CD pipelines or security automation frameworks.
I