Passkey Types
The term passkey is used for any passwordless FIDO credential. Generally speaking, there are two types of passkeys, synced and device-bound:
- Synced passkey: stored securely in a credential manager and accessed across devices (mobile phones, tablets, and computers)
- Device-bound passkey: bound to and used only on a single device (a security key)
Synced passkeys are made for planet-scale adoption with billions of users. Users can leverage a password or credential manager (for example, Apple Passwords, Google Password Manager, 1Password, or Dashlane) to access and sync passkeys across their computing devices. With synced passkeys, users can sign in on many of their devices, even new ones, without having to re-enroll every device on every account, because the passkeys sync to the devices and browsers on which the password or credential manager is present.
Device-bound passkeys are FIDO authentication credentials that stay on the device they were issued to (typically a security key) and do not sync elsewhere. To sign in to an online service with a device-bound passkey, the user plugs the security key into the new device or taps it against that device.
Synced passkeys
Synced passkeys are synced between a user's various devices. The passkeys are stored securely with a password or credential manager such as Apple Passwords, Google Password Manager, 1Password, Dashlane or LastPass. Users can access synced passkeys across many of their devices, even new ones, without having to re-enroll every device on every account.
To sync passkeys to other devices, Windows users can install a browser extension from their chosen credential manager or use the browser's built-in credential manager (for example, Google Password Manager in Chrome on Windows). If the user does not use a credential manager in their browser, they default to the built-in credential manager from Windows. On Windows 10, the built-in credential manager creates a device-bound passkey. For Windows 11, the blog post Passkeys on Windows: Authenticate seamlessly with passkey providers recently announced the ability to install password managers (also known as credential providers) that sync passkeys.
Device-bound passkeys
Device-bound passkeys, sometimes referred to as single-device passkeys, are stored on and accessed with an external hardware device, known as a security key. These passkeys are FIDO authentication credentials that cannot leave the issued device. These passkeys are bound to a FIDO security key or platform and cannot be synced across devices. A physical security key or device can store multiple single-device passkeys.
The default credential manager on Windows creates a passkey which is device-bound to the Windows machine. Refer to the note in Synced passkeys for more information.
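A relying party can tell the two passkey types apart from the flags byte of the WebAuthn authenticator data. The following is an added example, not code from the original page, and it goes beyond the text by using the WebAuthn backup eligibility (BE) and backup state (BS) flags, which the page does not mention; the function names and the sample bytes are constructed for illustration.

```javascript
// Added example, not from the original page. Authenticator data layout
// (WebAuthn): rpIdHash (32 bytes) | flags (1) | signCount (4, big-endian) | ...
const FLAG = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10 };

function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new RangeError("authenticator data must be at least 37 bytes");
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    userPresent: (flags & FLAG.UP) !== 0,
    userVerified: (flags & FLAG.UV) !== 0,
    backupEligible: (flags & FLAG.BE) !== 0, // credential may be synced
    backedUp: (flags & FLAG.BS) !== 0,       // credential is currently backed up
    signCount: view.getUint32(33, false),
  };
}

// Maps the flags onto the two passkey types described above.
function classifyPasskey(bytes) {
  const d = parseAuthenticatorData(bytes);
  // BS without BE is not a valid combination; reject it instead of guessing.
  if (d.backedUp && !d.backupEligible) {
    throw new Error("invalid flags: BS set without BE");
  }
  if (!d.backupEligible) return "device-bound";
  return d.backedUp ? "synced" : "sync-eligible, not backed up";
}

// BE is fixed when the credential is created, so a sign-in whose BE differs
// from the value stored at registration should be rejected.
function backupEligibilityUnchanged(storedBackupEligible, bytes) {
  return parseAuthenticatorData(bytes).backupEligible === storedBackupEligible;
}

// Constructed sample input: zeroed rpIdHash, chosen flags, chosen counter.
function sampleAuthData(flags, signCount = 0) {
  const bytes = new Uint8Array(37);
  bytes[32] = flags;
  new DataView(bytes.buffer).setUint32(33, signCount, false);
  return bytes;
}

const securityKey = sampleAuthData(FLAG.UP | FLAG.UV, 7);
const syncedKey = sampleAuthData(FLAG.UP | FLAG.UV | FLAG.BE | FLAG.BS);
console.log(classifyPasskey(securityKey), "/", classifyPasskey(syncedKey));
console.log(backupEligibilityUnchanged(false, syncedKey));
```

Storing the BE value at registration lets a service apply a policy per passkey type, for example accepting only device-bound passkeys for administrative accounts.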
Credential managers
Credential managers are responsible for the storage and syncing of passkeys. Most operating systems include a credential manager. People can also install third-party credential managers that store passkeys, passwords, and other items.
You might see credential managers referred to by different names, including password managers (for example, Apple Passwords and Google Password Manager) since they manage both passwords and passkeys.
The following table lists a few examples of credential managers that support passkeys.
Credential manager | Included with the operating system | Third-party add-on |
---|---|---|
1Password | - | Yes |
Apple Passwords | Yes | - |
Bitwarden | - | Yes |
Dashlane | - | Yes |
Google Password Manager | Yes | - |
Keeper | - | Yes |
LastPass | - | Yes |
Cross-device authentication
Cross-device authentication allows people to sign in on a device (for example, laptop, desktop, or mobile) that does not have a passkey using a second device that does (for example, a mobile device). Refer to Cross-device sign-in for more information.