Synced or Device-Bound: The Passkey Question Your IT Team Just Inherited

If you have signed into Google, Microsoft, or your bank recently, you have probably been nudged to create a passkey. Maybe you did, with a fingerprint or a face scan, and it felt almost suspiciously easy. So what did you actually create?

Microsoft recently introduced synced passkeys in Entra ID. The name sounds like routine product news, but the practical consequences deserve attention.

Passkeys are replacing passwords across the services you use every day, and that is good news. The catch is that "passkey" covers two quite different things. At home the difference rarely matters. At work it can matter a lot.

A password is a secret you share. A passkey is a secret you never share.

The fundamental weakness of a password is that you have to send it. Your secret travels to the service at every login, and anything that travels can be stolen: phished by a fake login page, intercepted, guessed, or leaked when the service itself is breached. Every system that stores or transmits your password becomes part of your security, whether you like it or not.

A passkey works the other way around. When you create one, your device generates a mathematically linked pair of keys. The service stores the public key. The private key stays with you and is never sent anywhere. Instead of telling the service a secret, your device proves it holds the key by signing a one-time cryptographic challenge.

This design has two consequences. First, a breach of the service yields nothing useful, because attackers only find public keys, which cannot be used to log in. Second, a passkey is bound to the real service's web address, so on a convincing look-alike phishing site it simply will not respond. Your alertness that day is irrelevant. This is what "phishing-resistant" means, and no password, SMS code, or authenticator app can honestly claim it.

Where does the private key actually live?

All of the above rests on one assumption: the private key stays private. So the most important question about any passkey is where that key is stored and who can obtain a copy. There are two answers, and they define the two families of passkeys.

Synced passkeys live in a cloud account. Create a passkey on your iPhone and it does not stay only on your iPhone. It is encrypted and copied through Apple's iCloud Keychain to your iPad, your Mac, and any device you sign into that Apple account on in the future. Google Password Manager works the same way, as do password managers like 1Password and Bitwarden. The convenience is real: lose your phone, buy a new one, sign in, and your passkeys are simply there.

Device-bound passkeys live in one physical place, typically a hardware security key or a security chip inside a single device, and are designed so the private key cannot be copied out. Not synced, not backed up, not exported. To log in, you must be holding the device. Lose it and that credential is gone, which is why you register a backup key.

Notice what the synced model really means. The safety of your passkey now equals the safety of the cloud account that carries it. Your Apple ID password, its recovery process, and every device signed into that account have quietly become part of your login security. For your personal Netflix account this trade is excellent, and a synced passkey still beats a password by a mile.

Raise the stakes and the same property looks different. Picture an employee who signs into a personal iCloud account on a work laptop and creates a passkey for the company's systems. That work credential now syncs to a personal phone, the family iPad, and whatever device gets authorized next year. The company's login security depends on a personal cloud account it cannot see, on devices it has never met. The cryptography is identical in both cases. The custody is not.

The takeaway

Both kinds of passkey are phishing-resistant and both are a major upgrade over passwords. They differ not in strength of encryption but in who holds the key and who can get a copy. Synced passkeys trade some control for a lot of convenience. Device-bound passkeys do the opposite: less convenience, full certainty about where the key is.

For personal accounts, synced passkeys are usually the right call. For organizations, the question is sharper: which accounts can afford convenience, and which demand certainty? Microsoft's announcement means synced passkeys are now arriving in workplace sign-ins by default, and many IT teams have inherited an answer to that question without ever choosing it.

What the change involves in practice, how companies can prove what hardware holds their keys, and how attackers go around passkeys instead of through them: that is the subject of our next article.

Spear Innovations helps organizations deploy phishing-resistant, hardware-backed authentication. If you are deciding where passkeys fit in your security strategy, talk to us.

Next
Next

Implementing FIDO2 for Admins is a Tactical Move. Implementing FIDO2 for Everyone is Strategic