Updated: April 17, 2025 (February 26, 2025)
Synchronized Passkeys Lift Usability, Lower Security
A passkey generated on a security key, or in a platform authenticator that does not sync, is "device bound": the private key never leaves that authenticator, which limits how the credential can be backed up or restored. At registration the authenticator can also supply an attestation statement, a signature over the new public key made with a key the manufacturer provisioned into the device, that lets the site verify which make and model of authenticator generated the credential and therefore how the private key is protected.
The industry at large is moving toward passkeys that, if the site and the user's organization permit, synchronize automatically among a user's devices through the credential provider's cloud account (Apple iCloud Keychain, Google Password Manager, and the like), so the same passkey is replicated to several devices. Microsoft refers to these as "syncable" credentials; the FIDO Alliance calls them synced passkeys, as distinct from device-bound passkeys. They should not be confused with cross-device authentication (CDA), in which a passkey stays on one device, typically a phone, and is used over the FIDO hybrid transport to sign in on another. Synchronizing passkeys across a user's own devices significantly reduces the friction of adopting passkeys, but it is a security compromise: today's synced-passkey providers do not supply an attestation statement when a passkey is created or used, so the site cannot verify what kind of authenticator actually holds the key or how well the key is protected.
A synced passkey keeps the core security benefits of passkeys (no phishing, no password guessing or spray attacks), but the credential is now only as safe as the cloud account that replicates it: an attacker who tricks the user into approving synchronization to an unauthorized device, or who picks up a lost or stolen device the user has not secured and wiped, holds a working copy of the passkey. A site can tell the two kinds apart, because the authenticator data returned at registration and sign-in carries the Backup Eligibility (BE) and Backup State (BS) flags defined in WebAuthn Level 3. Organizations with highly regulated environments should not permit passkey synchronization, should require attestation, and should limit the authenticators on which users can register passkeys (for example through an AAGUID allow list, which Microsoft Entra ID's FIDO2 authentication method policy supports).
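How a relying party can actually enforce that policy, as an added example that is not part of the original page and not Microsoft's or any vendor's code: the snippet parses the raw WebAuthn authenticatorData structure, reads the BE/BS flags, and rejects registration of backup-eligible (synced) credentials, unattested credentials, and authenticators outside an allow list. It assumes the caller has already extracted the authenticatorData bytes and attestation format string from the client's response (CBOR decoding and signature verification are out of scope); the RP ID, the AAGUIDs, and the sample blobs are constructed for the example.

```python
"""Added example: enforce a no-synced-passkeys policy from WebAuthn authenticatorData.

Assumptions (not from the original page): the relying party already holds the raw
authenticatorData bytes and the attestation format string; the RP ID, AAGUIDs and
sample blobs below are constructed for illustration, not captured from real devices.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Bits of the authenticatorData flags byte (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: the credential may be synced
FLAG_BS = 0x10  # backup state: the credential is currently backed up
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows

# Hypothetical values for the example.
EXAMPLE_RP_ID = "login.example.com"
EXAMPLE_HW_AAGUID = bytes.fromhex("11111111222233334444555555555555")   # "approved key"
EXAMPLE_SYNC_AAGUID = bytes.fromhex("aaaaaaaabbbbccccddddeeeeeeeeeeee")  # "sync provider"


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[bytes]         # present only when FLAG_AT is set
    credential_id: Optional[bytes]

    @property
    def backup_eligible(self) -> bool:
        return bool(self.flags & FLAG_BE)

    @property
    def backed_up(self) -> bool:
        return bool(self.flags & FLAG_BS)


def parse_auth_data(data: bytes) -> AuthData:
    """Parse the 37-byte header and, if FLAG_AT is set, the AAGUID and credential ID.
    The COSE public key and any extensions after the credential ID are left unparsed;
    they are not needed for the sync-policy decision."""
    if len(data) < 37:
        raise ValueError("authenticatorData shorter than the 37-byte header")
    rp_id_hash = data[:32]
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    if flags & FLAG_BS and not flags & FLAG_BE:
        # The spec forbids BS without BE; treat it as malformed rather than guess.
        raise ValueError("BS flag set without BE flag")
    aaguid = cred_id = None
    if flags & FLAG_AT:
        if len(data) < 55:
            raise ValueError("AT flag set but attested credential data is truncated")
        aaguid = data[37:53]
        (cred_len,) = struct.unpack(">H", data[53:55])
        cred_id = data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential ID truncated")
    return AuthData(rp_id_hash, flags, sign_count, aaguid, cred_id)


def registration_allowed(ad: AuthData, attestation_fmt: str, rp_id: str,
                         allowed_aaguids: Set[bytes]) -> Tuple[bool, str]:
    """Regulated-tenant policy: device-bound, user-verified, attested, allow-listed only."""
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    if not ad.flags & FLAG_UV:
        return False, "user verification was not performed"
    if ad.backup_eligible:
        return False, "credential is backup-eligible (synced passkey)"
    if attestation_fmt == "none":
        return False, "no attestation statement; authenticator type is unverifiable"
    if ad.aaguid not in allowed_aaguids:
        return False, "AAGUID is not on the organization's allow list"
    return True, "ok"


def sign_in_allowed(ad: AuthData, registered_backup_eligible: bool) -> Tuple[bool, str]:
    """At assertion time BE must never change for a credential; a flip means a
    different key is answering for the stored credential, so fail closed."""
    if ad.backup_eligible != registered_backup_eligible:
        return False, "BE flag changed since registration; investigate"
    if not ad.flags & FLAG_UV:
        return False, "user verification was not performed"
    return True, "ok"


def build_auth_data(rp_id: str, flags: int, sign_count: int,
                    aaguid: bytes = bytes(16), cred_id: bytes = b"") -> bytes:
    """Construct a sample authenticatorData blob (COSE key omitted) for testing."""
    out = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    if flags & FLAG_AT:
        out += aaguid + struct.pack(">H", len(cred_id)) + cred_id
    return out


# Constructed samples: a device-bound registration and a synced-passkey registration.
DEVICE_BOUND_SAMPLE = build_auth_data(EXAMPLE_RP_ID, FLAG_UP | FLAG_UV | FLAG_AT, 1,
                                      EXAMPLE_HW_AAGUID, b"cred-hw-1")
SYNCED_SAMPLE = build_auth_data(EXAMPLE_RP_ID, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS | FLAG_AT,
                                0, EXAMPLE_SYNC_AAGUID, b"cred-sync-1")

if __name__ == "__main__":
    for name, blob, fmt in (("device-bound", DEVICE_BOUND_SAMPLE, "packed"),
                            ("synced", SYNCED_SAMPLE, "none")):
        print(name, registration_allowed(parse_auth_data(blob), fmt, EXAMPLE_RP_ID,
                                         {EXAMPLE_HW_AAGUID}))
```

The BE check is the one that matters for the synchronization question: a synced passkey reports BE=1 from the moment it is created, whether or not it has been backed up yet, so checking BE rather than BS catches the credential before it spreads to other devices. Treating BS-without-BE as malformed, and a BE flip at sign-in as an incident, keeps the policy from being bypassed by a non-conforming or hostile client.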