WORKFORCE
AUTHENTICATION
FIDO2 passwordless authentication
Passkeys are FIDO credentials stored on a computer, phone,
or hardware device tied to a user account. They allow you to
sign in to a website or application without a password.
They come in two options:



Syncable passkeys (AKA multi-device passkeys)
Best for:
Passwordless login for consumers
Seamless access across devices
Ideal for convenience-first user experiences
Examples:
Social media
eCommerce
SaaS apps

Device-bound passkeys
Best for:
Workforce authentication
High-security or regulated environments
When cloud syncing is restricted or not desired
Examples:
Internal corporate systems
Banking apps
Privileged access
FIDO2
Syncable passkeys vs. device-bound passkeys
What's the difference?

Both are passwordless & phishing-resistant

Both require a physical presence for authentication
The key difference

Syncable passkeys
Credentials can be synchronized across devices. After you set up your passkey on one device, a cloud service such as Apple iCloud or Google Password Manager shares it to your other devices.

Device-bound passkeys
Credentials are restricted to one device, such as a Digipass FX7 security key.
Thus the term "device-bound" passkey or security key.
According to the Gartner®
Market Guide for User Authentication

There's a burgeoning interest
in multidevice passkeys
(FIDO2 credentials synced across devices),
especially for customer authentication


For workforce use cases,
device-bound passkeys, especially
when fully supported by AM vendors,
are positioned to become the
preferred option in the near term



Pros
Syncable passkeys
Convenience:
Log in to your accounts from any
synced device without a password.
Easy recovery:
If you lose or replace your phone,
your passkeys can be restored
through your cloud provider.
Syncable passkeys are great
for password replacement.
Cloud-based access across devices:
Syncable passkeys work across
platforms, enabling you to
authenticate securely on a phone,
tablet, or computer.

For enterprise use, this
raises security concerns

Cloud-based risks:
While syncable passkeys are
designed to be phishing-resistant,
there could be concerns about
potential breaches of cloud services
or device compromise.
Device-bound passkeys
Stronger security:
Private keys never leave the
device in clear text, reducing
exposure to phishing.
Convenience:
Connect the physical key using
USB-C, NFC, or Bluetooth. It
works on phones, laptops, and
tablets when the authenticator is
present.
Greater enterprise control:
Credentials stay on approved
devices only, giving IT teams full
control over where credentials are
stored and used – with no reliance
on personal cloud accounts.
Eliminates unmanaged device risks:
You can’t accidentally sync
workplace credentials to
personal or unauthorized devices.
