Not all passkeys are the same. The two primary types are synced passkeys and device-bound passkeys. Each offers unique advantages and trade-offs that directly impact security, accessibility, and user experience. In this guide, we’ll explain the key differences between synced and device-bound passkeys to help you understand how user convenience and authentication experiences vary.
What Are Synced Passkeys?
Synced passkeys are stored in a cloud-backed credential manager and made available across a user's devices. When a user creates a passkey on one device, the key pair is end-to-end encrypted and synced through a service such as Apple's iCloud Keychain, Google Password Manager on Android, or a third-party password manager like 1Password or LastPass. The user can then sign in to apps and websites from any device enrolled in that manager without registering a new passkey on each one.
- Cross-device convenience: Synced passkeys are accessible on all devices synced with their password manager, making the login process seamless across desktops, laptops, tablets, and smartphones.
- Backup and recovery: Because the passkeys are stored in the cloud, users don’t need to worry about losing access if one of their devices is lost, damaged, or replaced.
- Slightly elevated risk: In the unlikely event of a cloud service breach, there is a theoretical risk that synced passkeys could be exposed. These services encrypt passkeys end to end, and using a synced passkey on any device still requires local user verification, such as a biometric (something you are) or the device passcode (something you know). The practical caveat is that the account protected by a synced passkey now also depends on the security of the cloud account doing the syncing, including that account's own recovery process.
What Are Device-Bound Passkeys?
Device-bound passkeys, on the other hand, are stored locally on a specific authenticator. They do not sync to other devices via the cloud and are unique to the device on which they were created. For example, a device-bound passkey created on a smartphone or on a security key such as a YubiKey remains bound to that device alone.
- Increased security: The private key is generated on the device, typically in hardware-backed storage (a secure element, TPM, or the security key itself), and never leaves it. Only the public key is sent to the relying party, so there is no copy of the private key in transit or in a cloud environment.
- Complete control: Users have direct control over the storage and use of their passkeys without relying on third-party cloud services.
- Lack of cross-device access: Because these passkeys are tied to a specific device, users can only log in from that device, which can be inconvenient if multiple devices are in use.
- No backup or recovery: If the device holding the passkey is lost or damaged, there is no cloud backup, and access to the account could be permanently lost. Relying parties that accept device-bound passkeys should therefore let users register more than one credential and set up a separate recovery method.
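A relying party can tell the two kinds apart at registration and on every sign-in: the WebAuthn authenticator data carries a flags byte whose BE (backup eligible) and BS (backup state) bits say whether the credential can be synced and whether it currently is. The following is an added example, not code from this page or from Authsignal; it parses the fixed 37-byte prefix of authenticator data, classifies the credential, applies a hypothetical registration policy ("any" or "device-bound-only"), and includes the signature-counter check with the caveat that synced authenticators commonly report a counter of 0. The sample authenticator data is constructed in the block for `example.com`, not captured from a real device.

```python
import hashlib
import struct
from dataclasses import dataclass

# Bit positions in the WebAuthn authenticator data "flags" byte.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (biometric or device PIN/passcode)
FLAG_BE = 0x08  # backup eligible: the credential can be synced (multi-device)
FLAG_BS = 0x10  # backup state: the credential is currently backed up/synced
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows


@dataclass(frozen=True)
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int

    @property
    def user_verified(self) -> bool:
        return bool(self.flags & FLAG_UV)

    @property
    def backup_eligible(self) -> bool:
        return bool(self.flags & FLAG_BE)

    @property
    def backed_up(self) -> bool:
        return bool(self.flags & FLAG_BS)

    def kind(self) -> str:
        """Classify the credential from its BE/BS bits."""
        if not self.backup_eligible:
            return "device-bound"
        return "synced" if self.backed_up else "syncable-not-backed-up"


def parse_auth_data(data: bytes) -> AuthData:
    """Parse the fixed prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(data) < 37:
        raise ValueError("authenticator data too short")
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    # BS without BE is not a valid combination; treat it as a malformed response.
    if (flags & FLAG_BS) and not (flags & FLAG_BE):
        raise ValueError("BS flag set without BE flag")
    return AuthData(rp_id_hash=data[:32], flags=flags, sign_count=sign_count)


def registration_allowed(auth: AuthData, expected_rp_id: str, policy: str) -> bool:
    """Hypothetical policy check: "any" accepts both kinds, "device-bound-only" rejects BE=1."""
    if auth.rp_id_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        return False
    if not auth.user_verified:
        return False
    if policy == "device-bound-only":
        return not auth.backup_eligible
    return True


def sign_count_ok(stored: int, received: int) -> bool:
    """Clone-detection check on the signature counter.

    Synced authenticators commonly report 0 on every assertion, so the counter only
    carries information when at least one side is non-zero; then it must strictly increase.
    """
    if stored == 0 and received == 0:
        return True
    return received > stored


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample data for this example (not a captured authenticator response)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


# Constructed samples: a passkey from a syncing platform authenticator and one from a hardware key.
SYNCED_SAMPLE = build_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
DEVICE_BOUND_SAMPLE = build_auth_data("example.com", FLAG_UP | FLAG_UV, 17)

if __name__ == "__main__":
    for label, sample in (("synced", SYNCED_SAMPLE), ("device-bound", DEVICE_BOUND_SAMPLE)):
        auth = parse_auth_data(sample)
        print(label, auth.kind(), registration_allowed(auth, "example.com", "device-bound-only"))
```

The BE/BS bits are asserted by the authenticator, not proven; a relying party that must enforce device-bound credentials should combine this check with attestation at registration rather than trust the flags alone.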
Key Differences Between Synced and Device-Bound Passkeys
What Happens if a Device with Passkeys Is Lost or Stolen?
Losing a device that holds your passkeys does not by itself put your accounts at risk. The private keys live in the device's encrypted keystore (on most phones, backed by a secure element) and can only be used after biometric verification (such as Face ID or Touch ID) or entry of the device passcode, so whoever has the hardware still cannot use the passkeys.
If you use synced passkeys through a service like iCloud Keychain, you can remotely wipe the lost device with Find My so that all data on it is erased. Android users using Google Password Manager can sign out of their Google account on the lost device remotely. In either case, the practical step is to sign in from another device and remove the lost device's passkey from each account; for a device-bound passkey this is the only remaining action, since the key itself cannot be recovered.
Can Passkeys Be Copied or Synchronized?
For synced passkeys, yes. The same key pair is replicated to all of your enrolled devices through the credential manager's encrypted cloud storage (iCloud Keychain, Google Password Manager, or a third-party password manager), so the relying party sees a single credential no matter which device signs in.
Device-bound passkeys cannot be copied or synchronized. The private key is non-exportable and remains exclusive to the authenticator on which it was created, offering tighter security but less convenience.
How Can Users Recover an Account If the Passkey Has Been Deleted from their Cloud Password Manager?
If a passkey has been deleted from the cloud manager and there are no other forms of MFA on the account, recovering the account can be challenging. This situation emphasizes the importance of establishing additional factors for account recovery. It is equally important to remember that an account is only as secure as its weakest factor: a recovery path that is easier to pass than the passkey itself becomes the attacker's preferred route.
For organizations implementing passkeys, we recommend enforcing two additional forms of MFA for account recovery to enhance security and user convenience. This means that if a user loses or deletes their passkey, they will need to use two forms of MFA to recover their account.
Alternatively, users could use recovery codes that they generated and downloaded in advance. However, if a user loses their recovery codes, deletes their passkey, and has no additional factor set up, they may lose access to their account. In such cases, their only option may be to contact support. The support team may be able to recover the account, depending on company policy, after strong proof of identity is provided.
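Recovery codes only hold up as a fallback if they are generated with enough entropy, stored hashed rather than in plaintext, compared in constant time, and burned after a single use. The following is an added example, not code from this page or from Authsignal, showing one way to implement that server-side; `RecoveryCodeSet`, the code length, and the set size are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

CODE_BYTES = 10      # 80 bits of entropy per code (20 hex characters)
CODES_PER_SET = 10   # assumed set size; issuing a new set invalidates the old one


def _hash_code(code: str, salt: bytes) -> bytes:
    # Codes are high-entropy random values, so a salted SHA-256 is sufficient;
    # a slow password KDF is only needed for low-entropy, user-chosen secrets.
    return hashlib.sha256(salt + code.encode()).digest()


def _normalize(candidate: str) -> str:
    # Users paste codes with stray whitespace, hyphens, or capital letters.
    return candidate.replace("-", "").replace(" ", "").strip().lower()


@dataclass
class RecoveryCodeSet:
    """Hashed, single-use recovery codes for one account (hypothetical storage model)."""
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    hashes: list = field(default_factory=list)  # only unused codes; a hash is deleted when consumed

    def issue(self, count: int = CODES_PER_SET) -> list:
        """Generate a fresh set, invalidating any previous codes. Plaintext is returned exactly once."""
        codes = [secrets.token_hex(CODE_BYTES) for _ in range(count)]
        self.salt = secrets.token_bytes(16)
        self.hashes = [_hash_code(c, self.salt) for c in codes]
        return codes

    def redeem(self, candidate: str) -> bool:
        """Consume a code: True once for a valid unused code, False for anything else."""
        digest = _hash_code(_normalize(candidate), self.salt)
        for i, stored in enumerate(self.hashes):
            # Constant-time comparison so timing does not leak which bytes matched.
            if hmac.compare_digest(stored, digest):
                del self.hashes[i]
                return True
        return False

    @property
    def remaining(self) -> int:
        return len(self.hashes)


if __name__ == "__main__":
    account = RecoveryCodeSet()
    codes = account.issue()
    print("show these once:", codes)
    print("first use:", account.redeem(codes[0]), "second use:", account.redeem(codes[0]))
    print("remaining:", account.remaining)
```

Rate-limit `redeem` per account and log each redemption as a security event; a burst of failed recovery-code attempts is the signal that someone other than the user is trying the weakest path in.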
For a Deeper Dive into NIST's Guidance on Syncable Passkeys, Check Out Authsignal's Two-Part Blog Series:
- Part 1: NIST Supplementary Guidelines for Passkeys - April 2024
- Part 2: NIST Supplementary Guidelines for Passkeys - Implementation Considerations
For the fastest way to implement adaptive MFA and passkeys to secure your entire authentication workflow (chain), learn more about integrating Authsignal with Auth0, AWS Cognito, Azure AD B2C, Duende IdentityServer, and more.