Authsignal secures millions of passkey transactions out of our hosted Sydney region.


Synced vs Device-Bound Passkeys: How User Convenience and Authentication Experiences Vary

Last Updated: September 10, 2025
Ben Rolfe

Not all passkeys are created equal. The two primary types are synced passkeys and device-bound passkeys, and each offers unique advantages and trade-offs that directly impact security, accessibility, and user experience.

In this guide, we'll explore the key differences between synced and device-bound passkeys to help you understand how user convenience and authentication experiences vary between these approaches.

What are synced passkeys?

Synced passkeys are designed to be stored in the cloud and accessible across multiple devices. When you create a passkey on one device, it's securely synced through a cloud-based service like Apple's iCloud Keychain, Google Password Manager for Android, or third-party password managers like 1Password or LastPass. This allows you to log in to apps and websites from any synced device without needing to recreate a passkey on each new device.

Key benefits

Cross-device convenience: Synced passkeys are accessible on all devices connected to your password manager, making the login process seamless across desktops, laptops, tablets, and smartphones.

Backup and recovery: Since the passkeys are stored in the cloud, you don't need to worry about losing access if one of your devices is lost, damaged, or replaced.

Potential considerations

Slightly elevated risk: In the unlikely event of a cloud service breach, there's a theoretical risk that synced passkeys could be exposed. However, these services use robust encryption to protect passkeys, and authentication still requires a second factor (such as biometrics or a passcode) to decrypt and use them.

What are device-bound passkeys?

Device-bound passkeys are stored locally on a specific device and don't sync to other devices via the cloud. These passkeys are unique to the device where they were created. For example, if you create a device-bound passkey on your smartphone or security key like a YubiKey, it remains exclusively on that device.

Key benefits

Enhanced security: Since passkeys are stored locally, they're never transmitted over the internet or stored in a cloud environment, reducing potential attack vectors.

Complete control: You have direct control over the storage and use of your passkeys without relying on third-party cloud services.

Potential limitations

Limited cross-device access: Since these passkeys are tied to a specific device, you can only log in from that device, which can be inconvenient if you use multiple devices regularly.

No automatic backup or recovery: If the device with the passkey is lost or damaged, there's no cloud backup, and access to the account could be permanently lost without proper recovery measures in place.


What happens if a device with passkeys is lost or stolen?

Losing a device that holds your passkeys doesn't automatically put your data at risk. Passkeys are end-to-end encrypted, and without biometric verification (such as Face ID or Touch ID) or the device passcode, they can't be accessed. This ensures that even if a device is lost or stolen, unauthorized individuals can't decrypt the passkeys.

For synced passkeys

If you're using synced passkeys through a service like iCloud Keychain, you can remotely wipe the lost device using services like Find My to ensure all data is erased. Android users with Google Password Manager can sign out of their Google account remotely.

For device-bound passkeys

While the passkeys remain encrypted and inaccessible, you'll need to rely on alternative recovery methods since the passkeys can't be accessed from other devices.

Can passkeys be copied or synchronized?

Synced passkeys: Yes, these are automatically copied and synchronized across all your devices via secure cloud storage (iCloud, Google Password Manager, or third-party password managers).

Device-bound passkeys: No, they can't be copied or synchronized. They remain exclusive to the device where they were created, offering tighter security but less convenience.
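
A relying party can tell the two types apart from the backup eligibility (BE) and backup state (BS) flags that WebAuthn authenticators report in authenticator data. The following is an added example, not code from Authsignal or the original article; the function names and the sample bytes are constructed for illustration.

```javascript
// WebAuthn authenticator data flag bits (byte 32, after the 32-byte rpIdHash).
const FLAGS = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10, AT: 0x40, ED: 0x80 };

// Parse the fixed 37-byte header: rpIdHash (32) + flags (1) + signCount (4, big-endian).
function parseAuthenticatorData(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error("authenticatorData must be at least 37 bytes");
  }
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  return {
    userPresent: (flags & FLAGS.UP) !== 0,
    userVerified: (flags & FLAGS.UV) !== 0,
    backupEligible: (flags & FLAGS.BE) !== 0, // credential may be synced
    backedUp: (flags & FLAGS.BS) !== 0,       // credential is currently synced
    signCount: view.getUint32(33, false),
  };
}

// Hypothetical helper: classify a credential and enforce flag consistency.
// storedBackupEligible is the BE value recorded at registration (optional).
function classifyPasskey(authData, storedBackupEligible) {
  const d = parseAuthenticatorData(authData);
  if (d.backedUp && !d.backupEligible) {
    throw new Error("invalid flags: BS set without BE");
  }
  // BE is fixed when the credential is created; a change later is a mismatch.
  if (storedBackupEligible !== undefined && storedBackupEligible !== d.backupEligible) {
    throw new Error("backup eligibility changed since registration");
  }
  let kind;
  if (!d.backupEligible) kind = "device-bound";
  else kind = d.backedUp ? "synced" : "syncable-not-backed-up";
  return { kind, ...d };
}

// Constructed sample input: zeroed rpIdHash, chosen flags and signature counter.
function sampleAuthData(flags, signCount) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  new DataView(buf.buffer).setUint32(33, signCount, false);
  return buf;
}

const synced = sampleAuthData(FLAGS.UP | FLAGS.UV | FLAGS.BE | FLAGS.BS, 0);
const bound = sampleAuthData(FLAGS.UP | FLAGS.UV, 7);
console.log(classifyPasskey(synced).kind, classifyPasskey(bound).kind);
```

Storing the BE value at registration lets the server apply different policy to each type, for example requiring device-bound credentials for high-assurance actions or prompting users with a single device-bound passkey to enroll a recovery factor.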

How can users recover an account if the passkey has been deleted from their cloud password manager?

If a passkey has been deleted from the cloud manager and there are no other forms of MFA on the account, recovering the account can be challenging. This situation emphasizes the critical importance of establishing additional factors for account recovery. However, it is important to note that an account is only as secure as the weakest factor.

For organizations implementing passkeys, we recommend enforcing two additional forms of MFA for account recovery to enhance security and user convenience. This means that if a user loses or deletes their passkey, they will need to use two forms of MFA to recover their account.

Alternatively, users could use recovery codes that they have created and downloaded. However, if a user loses their recovery codes, deletes their passkey, and has no additional factor set up, they may lose access to their account. In such cases, their only option may be to contact support for assistance. The support team may be able to help the user recover their account, depending on company policy, after strong proof of identity is provided.

Recent NIST updates on passkeys

In July 2025, NIST released the final version of SP 800-63-4, which officially recognizes syncable passkeys for AAL2 compliance. The updated guidelines clarify that when configured and secured correctly, synchronization of cryptographic material across cloud services is allowed, removing previous restrictions on synced authenticators. The new standards also mandate that AAL2 implementations must offer phishing-resistant multi-factor authentication options, making passkeys even more valuable for organizations seeking compliance.

For more details on these updates, see the NIST SP 800-63-4 digital identity guidelines.

For the fastest way to implement adaptive MFA and passkeys to secure your entire authentication workflow, learn more about integrating Authsignal with Auth0, AWS Cognito, Azure AD B2C, Duende IdentityServer, and more.
