Device-bound passkeys: Bolstering workforce authentication

As password-related frustration and cyber threats mount, many organizations have already implemented passwordless authentication – namely, passkeys. This alternative strengthens security while giving users a simpler sign-in experience.
Passkeys are FIDO credentials, stored on a computer, phone, or dedicated hardware device, that are tied to a user account on a specific website or application. They let users authenticate to web services and applications without having to remember a username and password, replacing the traditional sign-on experience.
Passkeys use public-key cryptography. A private key is stored securely on the user’s device, while the corresponding public key is registered with the online service. When the user signs in, the device uses the private key to sign a challenge from the service, and the service verifies that signature with the public key. Because the service never holds the private key, the credential remains safe even if the public key is exposed.
Think of the public key as a locked door and the private key as the only key that opens it. Even if someone copies the public key, it is useless without the private key, and that key stays safely on your device.
An important benefit of passkeys is phishing resistance. There is no password to steal, and the sign-in is completed by your own device, so potential threat actors are kept at bay.
The two types of passkeys: Syncable vs. device-bound passkeys
Not all passkeys are created equal, and different types offer different levels of protection. The two main types—syncable and device-bound passkeys—each have qualities that impact security, usability, and control.
- Syncable passkeys: Users can store and synchronize private keys across devices via the cloud.
- Device-bound passkeys: Credentials are linked to a specific device or authenticator.
For workforce authentication, device-bound passkeys offer stronger security and better enterprise control. Working with this type of passkey is the best way for organizations to protect sensitive systems and data.
Syncable passkeys provide convenience at a cost
Syncable passkeys, managed through cloud services such as Apple iCloud or Google Password Manager, allow users to access their credentials across multiple devices. After a user sets up their passkey on one device, it is securely backed up and made available across all their devices that are linked to the same account.
This setup is highly convenient and still secure, since private keys remain encrypted and can only be used after biometric authentication or a trusted-device check. For enterprises, however, managing these credentials presents challenges.
Risks of syncable passkeys
- 1. Enterprise control — A significant downside of syncable passkeys is the lack of centralized control over where credentials are stored and how they are protected. Because these passkeys are synchronized through personal cloud accounts (e.g., Apple iCloud Keychain, Google Password Manager, Microsoft Authenticator), IT administrators cannot enforce strict policies on where and how credentials are stored. This creates security risks: employees might inadvertently sync work-related passkeys to personal devices, which could be shared or compromised. Additionally, if an attacker gains access to a user’s cloud account, they could potentially sync passkeys to their own device, bypassing traditional enterprise security controls. Syncable passkeys therefore introduce a risk of unauthorized access that is hard to mitigate without advanced endpoint management tools.
- 2. Policy enforcement – Restricting where passkeys can be stored requires mobile device management (MDM) or endpoint management tools, which add complexity and cost. Some employees may also be reluctant to install enterprise security controls on personal devices, creating gaps in security enforcement.
Because of these risks, organizations may look to alternatives for secure authentication. Device-bound passkeys, meanwhile, offer an even better experience.
Device-bound passkeys: The gold standard for workforce authentication
With device-bound passkeys, by contrast, a credential can only be used on the device on which it was created and never syncs to other devices. This binding ensures keys cannot be transferred, exported, or accessed from unauthorized endpoints.
The Gartner® Market Guide for User Authentication states “[Identity and access management (IAM)] leaders will seek passwordless authentication methods, with FIDO2 methods dominating within the next three years. There’s burgeoning interest in multidevice passkeys (FIDO2 credentials synced across devices), especially for customer authentication. For workforce use cases, device-bound passkeys, especially when fully supported by AM vendors, are positioned to become the preferred option in the near term.”
So what makes device-bound passkeys a smarter choice for workforce authentication? It comes down to three tenets.
Benefits of device-bound passkeys
- 1. Stronger security — These passkeys eliminate the risk of credentials being exposed through a cloud-account breach. With device-bound passkeys, private keys never leave the device in clear text, reducing exposure to phishing and preserving the possession factor.
- 2. Better enterprise control — Because these passkeys can only be used on a single, organization-approved device, IT teams have full control over authentication and can better enforce policies that prevent passkey duplication across personal devices.
- 3. Eliminates unmanaged device risks — With device-bound passkeys, employees can’t accidentally sync their workplace credentials to personal or unauthorized devices. This reduces the potential attack surface and keeps each credential local to the device on which it was created.
While syncable and device-bound passkeys both enhance security compared to traditional passwords, organizations must weigh security against usability when choosing an authentication strategy. Syncable passkeys are best for consumer convenience, while device-bound passkeys like OneSpan's DIGIPASS FX security keys provide higher security and enterprise control, making them the gold standard for workforce authentication.
This combination of security, control, and ideal user experience ensures better authentication for your organization—while eliminating cloud-based risk.
Device-bound passkeys better secure your business
Passkeys, on the whole, give organizations looking to protect their data a more secure and seamless experience than passwords. Though syncable passkeys offer convenience, organizations cannot afford to overlook the inherent risks they present. Device-bound passkeys provide phishing resistance and enterprise control that make them entirely worth the investment.
Leveraging FIDO2 hardware security keys, businesses can ensure secure, device-bound authentication that prevents phishing attacks and unauthorized credential access—protecting both the workforce and sensitive company data and information.
Gartner, Market Guide for User Authentication, James Hoover, Ant Allan, 12 November 2024
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.