The defining characteristic of these passkeys is that they to the cloud. To sign in on a new machine, you cannot simply log into an account to "pull" the passkey; you must physically present the device—often by plugging it in or tapping it via NFC—to the new hardware. Device-Bound vs. Synced Passkeys
When a user registers a hardware key with a website, they are creating a device-bound passkey. To log in, the user must physically tap the key, proving their physical presence. This combines two factors: possession (the key) and presence (the tap). Even if a remote hacker has compromised the user’s computer completely, they cannot simulate the physical tap required to activate the passkey stored on the USB or NFC device. device-bound passkeys
While the digital world has largely moved toward for convenience, device-bound passkeys remain the "gold standard" for high-security environments. Unlike standard passwords that can be guessed or phished, device-bound passkeys are cryptographic credentials physically locked to a specific piece of hardware, ensuring that your digital identity cannot be separated from your physical device. What Are Device-Bound Passkeys? The defining characteristic of these passkeys is that
Then came standard . These are great—they sync across your phone, tablet, and laptop via the cloud (like iCloud or Google Password Manager). They are convenient, but for high-stakes environments like banks or government agencies, "convenience" can be a vulnerability. If your cloud account is hacked, every passkey synced to it might be at risk. The Hero: The Device-Bound Passkey Synced Passkeys When a user registers a hardware
In the current consumer ecosystem, most passkeys introduced by tech giants are "synced." If you create a passkey on your iPhone, it is encrypted and synced to your iPad and Mac via iCloud. This provides a seamless user experience and prevents lockout if you lose your phone.