On-device processing refers to the practice of performing sensitive operations, such as biometric authentication, key generation, and credential signing, locally on the user's device rather than on remote servers. Data stays on the device, under the holder's control.
The privacy principle
When processing happens on a server, data must be transmitted, stored, and handled by third parties. Each step creates potential for surveillance, breach, or misuse. On-device processing eliminates these risks by keeping sensitive information local.
Your fingerprint or face scan is never sent to a server. Your cryptographic keys are never transmitted. The wallet performs all sensitive operations within the phone's secure hardware, and only the results, such as cryptographic proofs, leave the device.
Secure enclaves and TEEs
Modern smartphones include specialized hardware-backed security components for secure processing.
Apple devices feature the Secure Enclave, an isolated processor with its own encrypted memory, which handles Face ID, Touch ID, and cryptographic key operations. Even if the main operating system is compromised, the Secure Enclave remains protected.
Android devices use StrongBox or similar Trusted Execution Environments (TEEs), isolated computing zones where sensitive operations occur with additional protections around private keys.
These secure elements generate and store cryptographic keys that cannot be extracted through normal interfaces. An attacker would need expensive lab-grade tools, and even then would face multiple layers of tamper detection.
Biometric authentication
When you unlock your wallet with Face ID or fingerprint, that biometric check happens entirely on your device. The biometric template never leaves the phone; it is stored in the secure enclave and compared locally.
This means there's no server-side biometric database to breach. No one else has copies of your biometric data. The authentication simply produces a yes/no result that proves you're the authorized holder.
Device attestation
Secure hardware can also attest to its own integrity. When a wallet generates keys in the secure element, it can produce a cryptographic proof that those keys were created in genuine, uncompromised hardware, not in software that could be manipulated.
This device attestation provides issuers and verifiers with confidence that credentials are bound to real, secure devices, rather than simulated environments.
Credential operations
When you present a credential, the wallet uses your device key to sign the presentation. This signature confirms that the credential is being presented from the original device to which it was issued, not a copy.
Private key generation and signing operations occur within secure hardware, while other cryptographic operations, such as verification and protocol handling, typically occur in the operating system or application layer.
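The device-binding check described in this section, seen from the verifier's side, as an added example (not code from this page or from any wallet). It assumes a software P-256 key standing in for the hardware-backed device key, a verifier-issued nonce for freshness, and constructed credential bytes; all function names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// NewDeviceKey stands in for key generation inside the Secure Enclave or StrongBox.
// Assumption: a software P-256 key; on a phone the private half is non-exportable.
func NewDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// digest binds a signature to one credential and one verifier-chosen nonce.
func digest(credential, nonce []byte) []byte {
	ch := sha256.Sum256(credential) // fixed-length prefix, so the split is unambiguous
	sum := sha256.Sum256(append(ch[:], nonce...))
	return sum[:]
}

// Present is the wallet side: sign the presentation with the device key.
func Present(deviceKey *ecdsa.PrivateKey, credential, nonce []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, deviceKey, digest(credential, nonce))
}

// VerifyBinding is the verifier side. boundKey is the device public key recorded
// at issuance; issuedNonce is the challenge the verifier sent for this session.
func VerifyBinding(boundKey *ecdsa.PublicKey, credential, issuedNonce, sig []byte) bool {
	return ecdsa.VerifyASN1(boundKey, digest(credential, issuedNonce), sig)
}

func main() {
	device, err := NewDeviceKey()
	if err != nil {
		panic(err)
	}
	other, _ := NewDeviceKey() // a second phone holding a copy of the credential
	cred, nonce := []byte("constructed-credential"), []byte("constructed-nonce-1")
	sig, _ := Present(device, cred, nonce)
	copySig, _ := Present(other, cred, nonce)
	fmt.Println("original device:", VerifyBinding(&device.PublicKey, cred, nonce, sig))
	fmt.Println("copied credential:", VerifyBinding(&device.PublicKey, cred, nonce, copySig))
	fmt.Println("replayed signature:", VerifyBinding(&device.PublicKey, cred, []byte("constructed-nonce-2"), sig))
}
```

Only the first check succeeds: the copied credential is signed by a key the issuer never bound to it, and the replayed signature does not cover the verifier's new nonce.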
User experience
From the holder's perspective, on-device processing is invisible. You simply authenticate with your face or fingerprint, and the wallet handles the rest. The complexity of secure enclaves, key management, and cryptographic signatures is entirely hidden.
Keeping this complexity out of sight is essential. If users needed to understand the underlying security mechanisms, adoption would fail. On-device processing offers robust protection while maintaining a familiar and straightforward user experience.



