Contact salesSign inSign up

Authsignal secures millions of passkey transactions out of our hosted Sydney region.

Authsignal secures millions of passkey transactions out of our hosted Sydney region.

Join us today!
Blog
/
Current article

Synced vs Device-Bound Passkeys: How User Convenience and Authentication Experiences Vary.

Published:
October 17, 2024
Last Updated:
October 22, 2024
Ben Rolfe
Synced vs Device-Bound Passkeys: How User Convenience and Authentication Experiences Vary.

Not all passkeys are the same. The two primary types are synced passkeys and device-bound passkeys. Each offers unique advantages and trade-offs that directly impact security, accessibility, and user experience. In this guide, we’ll explain the key differences between synced and device-bound passkeys to help you understand how user convenience and authentication experiences vary.

What Are Synced Passkeys?

Synced passkeys are designed to be stored in the cloud and accessible across multiple devices. When a user creates a passkey on one device, it’s securely synced through a cloud-based service, such as Apple’s iCloud Keychain, Google Password Manager for Android, or password managers like 1Password or Lastpass. This allows the user to log in to apps and websites from any device that is synced with their password manager without the need to re-create a passkey on each new device.

  • Cross-device convenience: Synced passkeys are accessible on all devices synced with their password manager, making the login process seamless across desktops, laptops, tablets, and smartphones.
  • Backup and recovery: Because the passkeys are stored in the cloud, users don’t need to worry about losing access if one of their devices is lost, damaged, or replaced.
  • Slightly Elevated Risk: In the unlikely event of a cloud service breach, there’s a theoretical risk that synced passkeys could be exposed. However, these services utilize robust encryption to protect passkeys, and authentication still requires a second factor—such as biometrics (something you are) or a passcode (something you know)—to decrypt and use them.

What Are Device-Bound Passkeys?

Device-bound passkeys, on the other hand, are stored locally on a specific device. These passkeys do not sync to other devices via the cloud and are unique to the device where they were created. For example, if you create a device bound passkey on your smartphone or security key like Yubikey, it remains bound to that device alone.

  • Increased security: Since passkeys are stored locally, they are never transmitted over the internet or stored in a cloud environment.
  • Complete control: Users have direct control over the storage and use of their passkeys without relying on third-party cloud services.
  • Lack of cross-device access: Because these passkeys are tied to a specific device, users can only log in from that device, which can be inconvenient if multiple devices are in use.
  • No backup or recovery: If the device with the passkey is lost or damaged, there’s no cloud backup, and access to the account could be permanently lost.

Key Differences Between Synced and Device-Bound Passkeys

What Happens if a Device with Passkeys Is Lost or Stolen?

Losing a device that holds your passkeys doesn’t mean your data is at risk. Passkeys are end-to-end encrypted, and without biometric verification (such as Face ID or Touch ID) or the device passcode, they cannot be accessed. This ensures that even if a device is lost or stolen, unauthorized individuals cannot decrypt the passkeys.

If you use synced passkeys through a service like iCloud Keychain, you have the option to remotely wipe the lost device using services such as Find My to ensure that all data on the device is erased. Android users using Google Password Manager can sign out of their Google account remotely.

Can Passkeys Be Copied or Synchronized?

For synced passkeys, yes—these are copied or synchronized across all your devices via secure cloud storage (iCloud or Google Password Manager).

However, device-bound passkeys cannot be copied or synchronized. They remain exclusive to the device where they were created, offering tighter security but less convenience.

How Can Users Recover an Account If the Passkey Has Been Deleted from their Cloud Password Manager?

If a passkey has been deleted from the cloud manager and there are no other forms of MFA on the account, recovering the account can be challenging. This situation emphasizes the critical importance of establishing additional factors for account recovery. However, it is important to note that an account is only as secure as the weakest factor. 

For organizations implementing passkeys, we recommend enforcing two additional forms of MFA for account recovery to enhance security and user convenience. This means that if a user loses or deletes their passkey, they will need to use two forms of MFA to recover their account. 

Alternatively, users could use recovery codes that they have created and downloaded. However, If a user loses their recovery codes, deletes their passkey, and has no additional factor set up, they may lose access to their account. In such cases, their only option may be to contact support for assistance. The support team may be able to help the user recover their account, depending on company policy, after strong proof of identity is provided.

For a Deeper Dive into NIST's Guidance on Syncable Passkeys, Check Out Authsignal's Two-Part Blog Series:

For the fastest way to implement adaptive MFA and passkeys to secure your entire authentication workflow (chain), learn more about integrating Authsignal with Auth0, AWS Cognito, Azure AD B2C, Duende IdentityServer, and more.

Talk to an expertDemo PasskeysView docs
Article Categories
Passkeys
Synced passkeys
Device-bound passkeys
Passkey recovery
You might also like
NIST's September 2024 Update to Password Guidelines: Improved User Experience.
Rather than focusing on complexity, the new guidelines emphasize usability, password length, and Password Blocklists, aiming to balance improved security and user-friendly practices.
NIST
How to Build a Secure Authentication Chain: Avoid Passkey Pitfalls and Enhance User Experience.
Learn how to build a secure authentication chain and avoid common passkey pitfalls. Discover key strategies to enhance security and user experience with passkeys and protect every stage of the authentication process.
Authentication Chain
No-code rules engine
Passkeys
Passwordless authentication
How to implement passkeys for a seamless E-commerce checkout experience.
In this guide, we’ll walk through how to use Authsignal’s email OTP authenticator and passkeys to create a seamless user experience for your e-commerce platform.
e-Commerce
Passkeys
Passwordless authentication
Implementation
Secure your customers’ accounts today with Authsignal.
Passkey demoCreate free account

Authsignal is multi-factor authentication (passwordless authentication) as a service. Focused on powering mid-market and enterprise businesses to rapidly deploy optimized good customer flows that enable a flexible and risk-based approach to authentication.

AICPA SOC
LinkedInTwitter
Features
Palm Biometrics
Passwordless Authentication
Passkeys
Multi-factor Authentication
WhatsApp OTP
No-code rules engine
Single view of the customer
Use Cases
Financial Services
Marketplace
FinTech
Crypto
Call Center
Integrations
AWS Cognito
Auth0
Azure AD B2C
Duende IdentityServer
NextAuth.js
Open ID Connect (OIDC)
Ruby on Rails
Supabase
Compare
Twilio vs AuthsignalAuth0 vs Authsignal
Resources
BlogDeveloper DocsSolutions MarketplaceKnowledge BaseFree Figma Mobile Passkeys TemplateFree Figma Desktop Passkeys TemplateFree Figma WebApp Passkeys TemplateAboutContact
What is
Passwordless Authentication
What is MFA (Multi-Factor Authentication)?
United States
+1 214 974-4877
Ireland
+353 12 676529
Australia
+61 387 715 810
New Zealand
+64 275 491 983
© 2024 Authsignal - All Rights Reserved
Terms of servicePrivacy policySecuritySystem statusCookies