WORKFORCE
AUTHENTICATION

FIDO2 passwordless authentication

Passkeys are FIDO credentials stored on a computer, phone,
or hardware device tied to a user account. They allow you to
sign-in to a website or application without a password.

They come in two options:

Syncable passkeys
(AKA multi-device passkeys)

Best for:

• Passwordless login for consumers 

• Seamless access across devices

• ldeal for convenience-first user experiences

Examples:

• Social media

• eCommerce

• SaaS apps

Device-bound
passkeys

Best for:

• Workforce authentication

• High-security or regulated environments

• When cloud syncing is restricted or not desired

Examples:

• Internal corporate systems

• Banking apps

• Privileged access

FIDO2

Syncable passkeys vs. device-bound passkeys
What's the difference?

Both are passwordless
& phishing-resistant

Both require a physical
presence for authentication

The key difference

Syncable
passkeys

Credentials can be synchronized across devices. After you set up your passkey on one device, a cloud service such as Apple iCloud or Google Password Manager shares it to your other devices.

Device-bound
passkeys

Credentials are restricted to one device, such as a Digipass FX7 security key.

Thus the term "device-bound" passkey or security key.

According to the Gartner®
Market Guide for User Authentication

There's a burgeoning interest
in multidevice passkeys
(FIDO2 credentials synced across devices),
especially for customer authentication

For workforce use cases,
device-bound passkeys, especially
when fully supported by AM vendors,
are positioned to become the
preferred option in the near term

Pros

Syncable passkeys

Convenience:
Log in to your accounts from any
synced device without a password.

Easy recovery:
If you lose or replace your phone,
your passkeys can be restored
through your cloud provider.
Syncable passkeys are great
for password replacement.

Cloud-based access
across devices:
Syncable passkeys work across
platforms, enabling you to
authenticate securely on a phone,
tablet, or computer.

For enterprise use, this
raises security concerns

Cloud-based risks:
While syncable passkeys are
designed to be phishing-resistant,
there could be concerns about
potential breaches of cloud services
or device compromise.

Device-bound passkeys

Stronger security:
Private keys never leave the
device in clear text, reducing
exposure to phishing.

Convenience:
Connect the physical key using
USB-C, NFC, or Bluetooth. It
works on phones, laptops, and
tablets when the authenticator is
present.

Greater enterprise control:
Credentials stay on approved
devices only, giving IT teams full
control over where credentials are
stored and used – with no reliance
on personal cloud accounts.

Eliminates unmanaged
device risks:
You can’t accidentally sync
workplace credentials to
personal or unauthorized devices.

Learn more about securing your workforce
with device-bound passkeys

Read the blog