Like it or not, a replacement for passwords, known as passkeys, is coming your way, if it hasn’t already. The three big ideas behind passkeys are that they cannot be guessed the way passwords often can (and are), because each passkey is a randomly generated cryptographic key pair rather than something a person chooses; that the same passkey cannot be reused across different websites and apps (the way passwords can), because each one is created for, and bound to, a single relying party; and that you cannot be tricked into divulging your passkeys to malicious actors through techniques such as phishing, smishing, quishing, and malvertising, because your device will only ever use a passkey with the site it was registered to, and even then never reveals the secret itself.
However, as noted in ZDNET’s 10 Passkey Survival tips, surviving the transition from passwords to passkeys will involve some advanced planning and even some advanced thinking. For example, for each passkey that you register with a website or app (see ‘How Passkeys work: Let’s start the passkey registration process’), you will have to decide if you want that passkey to be a syncable or non-syncable (a.k.a. ‘device-bound’) passkey.
So, what’s the difference between these passkeys, and why does it matter?
What is a syncable passkey, and why would you want one?
One of the things that makes passkeys more secure than passwords is that they’re so automagical that you, the end user, don’t even know what your passkeys are, or where exactly on your device they’re stored.
Like passwords, passkeys involve a secret. However, the secret is automatically generated and stored in a secure location, and the end user never comes into direct contact with the passkey in the way they do with passwords.
When the time comes to log in to a website or app (the operators of which are referred to as “relying parties”), the software on your device knows where to find that secret and how to use it: the relying party sends a one-time challenge, your device signs it with the secret (private) key, and the relying party checks the signature against the public half it stored when the passkey was registered. The login completes without the secret ever being shared with the relying party (see What really happens during your passwordless passkey login).
Compared to passwords, where you must furnish your secret to the relying party every time you log in, this one feature alone makes passkeys significantly more secure than passwords.
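To make the registration and login ceremonies concrete, here is a stripped-down model of both sides in Go. It is an added example, not code from the article or from any vendor named in it, and it assumes a hypothetical relying party at paypal.com; the signature covers only the client data (real WebAuthn also signs the authenticator data, and a real browser, not the caller, fills in the origin). It shows why the secret never leaves the device, why a passkey scoped to one rpId cannot be presented to another, and why an assertion captured by a phishing page that relays the genuine challenge is still rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors the CollectedClientData a browser builds for each ceremony;
// the origin it records (chosen by the browser, not the page) is what defeats phishing.
type clientData struct{ Type, Challenge, Origin string }

// Assertion is the login response. Here the signature covers only
// SHA-256(ClientDataJSON); real WebAuthn also covers the authenticator data.
type Assertion struct {
	CredentialID   string
	ClientDataJSON []byte
	Signature      []byte
}

// RelyingParty stands in for the hypothetical paypal.com server. It stores
// public keys only, so the secret half of a passkey never reaches it.
type RelyingParty struct {
	Origin      string
	Credentials map[string]*ecdsa.PublicKey // credential ID -> public key
}

// NewChallenge returns 32 fresh random bytes; one per login, so a captured
// assertion cannot be replayed later.
func NewChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// Verify is the relying-party half of the login ceremony.
func (rp *RelyingParty) Verify(expectedChallenge string, a Assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	pub, digest := rp.Credentials[a.CredentialID], sha256.Sum256(a.ClientDataJSON)
	switch {
	case cd.Type != "webauthn.get" || cd.Challenge != expectedChallenge:
		return errors.New("wrong ceremony type or stale/replayed challenge")
	case cd.Origin != rp.Origin:
		return fmt.Errorf("origin mismatch: assertion was produced for %s", cd.Origin)
	case pub == nil:
		return errors.New("unknown credential")
	case !ecdsa.VerifyASN1(pub, digest[:], a.Signature):
		return errors.New("signature does not verify")
	}
	return nil
}

// credential is one passkey inside the authenticator, scoped to a single rpId.
type credential struct{ rpID string; priv *ecdsa.PrivateKey }

// Authenticator stands in for a TPM, secure enclave or security key: keys are
// generated inside it and never exported. Keyed by credential ID.
type Authenticator map[string]credential

// Create is the registration ceremony: a fresh key pair for this relying party,
// so the same passkey can never be presented to a different site.
func (au Authenticator) Create(rpID string) (string, *ecdsa.PublicKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	id := NewChallenge() // reuse the CSPRNG helper for a random credential ID
	au[id] = credential{rpID: rpID, priv: priv}
	return id, &priv.PublicKey
}

// Sign is the browser-plus-authenticator half of login. A real browser fills in
// origin from the page it is actually on; the caller here plays that role.
func (au Authenticator) Sign(credID, rpID, origin, challenge string) (Assertion, error) {
	c, ok := au[credID]
	if !ok || c.rpID != rpID {
		return Assertion{}, errors.New("no credential scoped to this rpId")
	}
	cdJSON, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	digest := sha256.Sum256(cdJSON)
	sig, err := ecdsa.SignASN1(rand.Reader, c.priv, digest[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{CredentialID: credID, ClientDataJSON: cdJSON, Signature: sig}, nil
}

func main() {
	rp, au := &RelyingParty{Origin: "https://www.paypal.com", Credentials: map[string]*ecdsa.PublicKey{}}, Authenticator{}
	id, pub := au.Create("paypal.com")
	rp.Credentials[id] = pub // the only thing the site ever stores
	ch := NewChallenge()
	genuine, _ := au.Sign(id, "paypal.com", "https://www.paypal.com", ch)
	// A phishing proxy relaying the real challenge still produces a rejected assertion.
	phished, _ := au.Sign(id, "paypal.com", "https://paypal-login.example", ch)
	fmt.Println(rp.Verify(ch, genuine), "|", rp.Verify(ch, phished), "|", rp.Verify(NewChallenge(), genuine))
}
```

The three checks in Verify are the whole story: the challenge stops replay, the origin stops phishing (an adversary-in-the-middle that forwards the genuine challenge still gets an assertion stamped with its own origin), and the signature check means the server only ever needs the public key.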
But, as cool and secure as passkeys are, when the folks at the FIDO Alliance first came up with the idea of passkeys, they also knew that their concept would get rejected by the market unless there was a way for users to re-use each of their passkeys across their various devices like they do now with their user IDs and passwords.
For example, let’s say you use your desktop or notebook system to create a passkey for the relying party PayPal.com. As opposed to generating separate passkeys for PayPal for each of your other devices (your smartphone, your tablet, etc.), there should be a way to just reuse the first passkey you created for PayPal on other devices. And it should be automatic.
Once you create a passkey for a relying party using any of your devices, that passkey should be available for logging in to that relying party from any of your devices. In other words, it should be possible to synchronize your passkeys across your devices in a way that, for each relying party, you only have to depend on one passkey to log in, regardless of which device you’re logging in from.
This type of passkey, one that can be synchronized across and securely stored on each of your devices, is called a syncable passkey.
In the great majority of current passkey management implementations, this automagical syncing is supported by one of several cloud-based services that act as synchronization hubs. These hubs are operated by solution providers, such as Google, Apple, 1Password, Bitwarden, LastPass, and others, that are also in the password management business.
For example, in Apple’s case, its iCloud Keychain handles the secure storage and synchronization of user IDs, passwords, passkeys, and other sensitive personal information, such as credit card numbers, across your Apple devices. The Google equivalent of iCloud Keychain is built into Google Password Manager, which is itself built into Chrome.
This is where users and organizations who are interested in the convenience of syncable credentials must carefully consider which solution to rely on. For example, whereas iCloud Keychain only supports Apple operating systems and devices, Google Password Manager is available on any operating system and device that has Chrome installed. To wit, my colleague Lance Whitney recently published an article that explains how to use Chrome to sync passkeys across your PC, Mac, iPhone, or Android.
At the time this article was written, Microsoft’s Edge cross-platform web browser (available on Windows, macOS, iOS, Android, and Linux) also relied on a Microsoft-operated cloud-based hub for cross-device user ID and password synchronization. However, passkeys were not yet among the supported synchronizable credential types. In fact, syncable passkeys are yet to be supported by any of Microsoft’s identity-related solutions. But it’s safe to assume that this will change soon, given the degree to which Microsoft is one of the biggest proponents, if not the biggest proponent, of passkeys.
Meanwhile, the cottage industry of password managers offers a variety of synchronizable products that compete on their support for multiple operating systems and multiple web browsers (the browser-built-in managers are tied to their browser: Chrome’s only works with Chrome, Edge’s only with Edge), while typically offering a range of useful, interesting, and frill-like features.
Some of these offerings cater more to businesses than others, at which point you start to cross over into the territory of the industrial-strength vendors, such as Okta, that support passkey synchronization as part of a broader set of identity management solutions. Once Microsoft starts to support synchronizable passkeys, it’s a safe bet that support will also appear in Microsoft’s competitor to Okta, known as Entra ID (formerly Azure Active Directory).
Whereas syncable passkeys are extremely convenient, they’re also unnerving to people who see the associated centralized synchronization hubs as obvious targets for hackers to exploit. The operators of the various hubs like to talk about how all that incredibly sensitive data is beyond the reach of hackers due to encryption. But for users who want an added layer of security for some or all of their passkeys, the main alternative to syncable passkeys is non-syncable or “device-bound” passkeys.
What is a device-bound (non-syncable) passkey, and why would you want one?
In contrast to a syncable passkey, a device-bound passkey can never be separated from the hardware used to create it. All modern personal computing devices (computers, smartphones, tablets, etc.) are built with dedicated security hardware, usually a Trusted Platform Module (TPM) or a secure enclave, that generates the passkey’s private key internally and never lets it out. It’s a little like the uniqueness of a serial number, with the difference that the uniqueness is enforced cryptographically by the chip itself rather than merely stamped on the outside of the device.
Once a device-bound passkey is created with the support of such uniquely coded hardware, that exact hardware must also be present for the passkey to work as a login credential. If you create a device-bound passkey with your Mac, it only works with that Mac. With a PC, it only works with that PC. With an iPhone? You get the picture.
Although a syncable passkey must pass the same stringent checks, as described in this step-by-step walkthrough of what happens behind the scenes during a passkey authentication ceremony, a device-bound passkey raises the barrier further. Because the passkey cannot exist anywhere but on the device that created it, nobody can use it to log in to its relying party unless they physically possess that device and also have the biometric or PIN code that unlocks its security hardware.
A syncable passkey, by contrast, works as intended even when it is presented to a relying party from a device other than the one that created it. This is not to say that syncable passkeys are somehow insecure, or that a threat actor can easily steal one and use it from a rogue system (or from your own device, if that device is stolen). However, it could be argued that, relatively speaking, they are less secure than device-bound passkeys. Device-bound passkeys, in turn, are significantly less convenient.
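Relying parties can tell the two kinds apart. WebAuthn Level 3 added two bits to the flags byte of the authenticator data that every registration and login returns: BE (backup eligible) and BS (backup state). A syncable passkey sets BE, and sets BS once it is actually synced; a device-bound passkey leaves both clear. The Go example below is added here and is not from the article: it parses those bits from constructed sample data and applies a hypothetical policy of the kind a high-value service (a password manager login, say) might enforce, including the signature-counter check that only makes sense for device-bound credentials.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Bits of the flags byte at offset 32 of WebAuthn authenticator data.
const (
	flagUP byte = 1 << 0 // user present: a touch or tap happened
	flagUV byte = 1 << 2 // user verified: PIN or biometric was checked
	flagBE byte = 1 << 3 // backup eligible: this is a syncable passkey
	flagBS byte = 1 << 4 // backup state: it is currently synced to a hub
)

// AuthData holds the fields a relying party reads from authenticator data.
type AuthData struct {
	RPIDHash       [32]byte
	UserPresent    bool
	UserVerified   bool
	BackupEligible bool
	BackedUp       bool
	SignCount      uint32
}

// ParseAuthData decodes the fixed 37-byte prefix (rpIdHash, flags, signCount).
func ParseAuthData(raw []byte) (AuthData, error) {
	var ad AuthData
	if len(raw) < 37 {
		return ad, errors.New("authenticator data shorter than 37 bytes")
	}
	copy(ad.RPIDHash[:], raw[:32])
	f := raw[32]
	ad.UserPresent = f&flagUP != 0
	ad.UserVerified = f&flagUV != 0
	ad.BackupEligible = f&flagBE != 0
	ad.BackedUp = f&flagBS != 0
	ad.SignCount = binary.BigEndian.Uint32(raw[33:37])
	if ad.BackedUp && !ad.BackupEligible { // the spec forbids BS without BE
		return ad, errors.New("invalid flags: BS set without BE")
	}
	return ad, nil
}

// Kind names the credential the way this article distinguishes them.
func Kind(ad AuthData) string {
	switch {
	case !ad.BackupEligible:
		return "device-bound"
	case ad.BackedUp:
		return "syncable (currently backed up)"
	default:
		return "syncable (not yet backed up)"
	}
}

// HighValuePolicy is a hypothetical rule set for an account such as a password
// manager login: device-bound passkeys only, user verification required, and a
// signature counter that keeps increasing. Synced passkeys report 0 because a
// counter cannot be kept consistent across devices; for a device-bound key, a
// counter that stalls or goes backwards suggests the key was cloned.
func HighValuePolicy(ad AuthData, storedCount uint32) error {
	switch {
	case ad.BackupEligible:
		return errors.New("policy: syncable passkeys are not accepted here")
	case !ad.UserVerified:
		return errors.New("policy: user verification (PIN/biometric) required")
	case (ad.SignCount != 0 || storedCount != 0) && ad.SignCount <= storedCount:
		return errors.New("policy: signature counter did not increase; possible clone")
	}
	return nil
}

// SampleAuthData builds constructed authenticator data (not captured from any
// real device) for rpId "paypal.com" with the given flags and counter.
func SampleAuthData(flags byte, count uint32) []byte {
	h := sha256.Sum256([]byte("paypal.com"))
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], count)
	return append(append(h[:], flags), c[:]...)
}

func main() {
	samples := []struct {
		name  string
		flags byte
		count uint32
	}{
		{"synced passkey", flagUP | flagUV | flagBE | flagBS, 0},
		{"device-bound security key", flagUP | flagUV, 42},
	}
	for _, s := range samples {
		ad, err := ParseAuthData(SampleAuthData(s.flags, s.count))
		fmt.Printf("%s: %s, parse=%v, policy=%v\n", s.name, Kind(ad), err, HighValuePolicy(ad, 41))
	}
}
```

The flags are reported by the authenticator, so a relying party that cares about the distinction should record BE at registration and treat a later change as an event worth logging, rather than trusting the login-time value alone.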
The roaming device-bound passkey: The best of both worlds?
Just because you need special hardware to create a device-bound passkey doesn’t mean that that hardware must come in the form of a computing device with a TPM or secure enclave. Hardware could come in the form of a pocket-sized secure FIDO Alliance-compliant device that can be temporarily connected to your computer, smartphone, tablet, gaming console, and more.
These devices come in a variety of form factors, including USB keys and credit-card-sized cards, and, when needed, can be connected to your device in several ways, including physical insertion or wirelessly via Near Field Communication (NFC) technology. Yubico’s YubiKey 5C NFC, pictured in my palm below, is a good example of this technology. This device can be connected to your computer, smartphone, and more via USB-C or NFC.
Yubico’s USB-C-based YubiKey 5C NFC is a roaming authenticator that supports device-bound passkeys.
David Berlind/ZDNET
These devices, more commonly referred to as roaming authenticators, include security hardware and cryptographic capabilities similar to those of TPMs and secure enclaves and, as such, can be used to create and securely store your various passkeys for the different relying parties that you rely on.
Like all device-bound passkeys, when a passkey is created and stored on a roaming authenticator, it cannot be copied or synchronized to another device. When the time comes to authenticate with relying parties, you insert the device into the appropriate port (or connect wirelessly via NFC, similar to the way you tap a credit card terminal with your credit card) and supply a user-defined PIN code to authorize access to the appropriate passkey (for a given relying party).
The big benefit of this approach is that the roaming authenticator and any device-bound passkeys stored on it can roam from device to device. For example, if you’ve saved your PayPal passkey on a YubiKey, you can use that passkey to log in to PayPal from your desktop computer, and then, at some other time, you can roam your YubiKey to your smartphone and log in to PayPal with that same passkey.
In this way, it’s a tiny bit like syncing your PayPal passkey to both devices, because they both rely on the same passkey. However, unlike syncable passkeys, passkeys on roaming authenticators are never synchronized through a cloud, nor are they stored anywhere but on the original roaming authenticator that was used to create them. You just move them from device to device on an as-needed basis.
As a matter of personal choice, almost all of my passkeys are syncable passkeys. However, there are two or three highly sensitive passkeys – including the passkey to my password manager – that I keep on my roaming authenticator. I personally feel safer knowing the only way someone can log in to my password manager (where the majority of my passwords can be found) is if they possess my YubiKey and know my secret PIN to unlock it.
That said, roaming authenticators for some or all of your device-bound passkeys may not be a fit for everyone.
For starters, if any of your device-bound passkeys are required to authenticate with certain relying parties – in other words, there’s no way to log in without the passkey that’s stored on your roaming authenticator – your credential management strategy should include an additional one or two roaming authenticators as backups in case you lose your primary roamer.
For each passkey you keep on your primary roamer, you should register additional backup passkeys that get stored on each of your backup roamers (see my primer on how that enrollment process works). Since we’re talking about device-bound passkeys, there’s no way to copy a device-bound passkey from one roaming authenticator to another. When backing up passkeys using backup roaming authenticators, the only choice is to create new, unique device-bound passkeys for each one.
Another barrier to roaming authenticators is cost. For example, the least expensive option in Yubico’s lineup of YubiKeys is $50. Google’s Titan starts at $30. In contrast to syncable passkeys, where you have free options, such as Google Password Manager, iCloud Keychain, and the personal edition of Bitwarden, owning a minimum of two roaming authenticators for backup purposes involves costs that some people might not be willing to bear.
Also, it’s not like you can move to a roaming authenticator as a total replacement for another credential/password management solution. While most roaming authenticators can handle device-bound passkeys, they are incapable of managing user IDs and passwords for the websites and apps that don’t yet offer a passkey option for authentication.