Device-Bound vs. Synced Credentials: A Comparative Evaluation of Passkey Authentication

Andre Büttner, Nils Gruschka

TL;DR

Passwords remain prevalent, but FIDO2 passkeys enable cross-device access via passkey providers, sparking security debates. The authors categorize passkey access levels (device-bound, synced, shared, exported) and map them to the Quest framework to compare usability, deployability, and security. They find that synced passkeys concentrate security risk in the provider and that device-bound passkeys offer stronger protection, though adoption may rely on syncing. The paper provides practical recommendations for users, providers, and relying parties to balance usability with security.

Abstract

With passkeys, the FIDO Alliance introduces the ability to sync FIDO2 credentials across a user's devices through passkey providers. This aims to mitigate user concerns about losing their devices and promotes the shift toward password-less authentication. As a consequence, many major online services have adopted passkeys. However, credential syncing has also created a debate among experts about their security guarantees. In this paper, we categorize the different access levels of passkeys to show how syncing credentials impacts their security and availability. Moreover, we use the established framework from Bonneau et al.'s Quest to Replace Passwords and apply it to different types of device-bound and synced passkeys. By this, we reveal relevant differences, particularly in their usability and security, and show that the security of synced passkeys is mainly concentrated in the passkey provider. We further provide practical recommendations for end users, passkey providers, and relying parties.

Paper Structure (20 sections, 1 figure, 1 table)

Figures (1)

  • Figure 1: Access levels of passkey credentials. The estimated risk is indicated by the colors green (low-risk), yellow (low- to medium-risk), orange (medium- to high-risk), and red (high-risk).