WORKFORCE
AUTHENTICATION

FIDO2 passwordless authentication

Passkeys are FIDO credentials stored on a computer, phone,
or hardware device tied to a user account. They allow you to
sign in to a website or application without a password.

They come in two options:

Syncable passkeys
(AKA multi-device passkeys)

Best for:

  • Passwordless login for consumers 

  • Seamless access across devices

  • Ideal for convenience-first user experiences

Examples:

  • Social media

  • eCommerce

  • SaaS apps

Device-bound
passkeys

Best for:

  • Workforce authentication

  • High-security or regulated environments

  • When cloud syncing is restricted or not desired

Examples:

  • Internal corporate systems

  • Banking apps

  • Privileged access

Syncable passkeys vs. device-bound passkeys
What's the difference?

Both are passwordless
& phishing-resistant

Both require a physical
presence for authentication

The key difference

Syncable
passkeys

Credentials can be synchronized across devices. After you set up your passkey on one device, a cloud service such as Apple iCloud or Google Password Manager shares it to your other devices.

Device-bound
passkeys

Credentials are restricted to one device, such as a Digipass FX7 security key.

Thus the term "device-bound" passkey or security key.

According to the Gartner®
Market Guide for User Authentication

"There's a burgeoning interest in multidevice passkeys (FIDO2 credentials synced across devices), especially for customer authentication"

"For workforce use cases, device-bound passkeys, especially when fully supported by AM vendors, are positioned to become the preferred option in the near term"

Gartner Market Guide for User Authentication, James Hoover, Ant Allan, 12 November 2024
GARTNER® is a registered trademark and service mark of Gartner, Inc. and/or its affiliates
in the U.S. and internationally and is used herein with permission. All rights reserved.

Pros

Syncable passkeys

Convenience:
Log in to your accounts from any
synced device without a password.

Easy recovery:
If you lose or replace your phone,
your passkeys can be restored
through your cloud provider.
Syncable passkeys are great
for password replacement.

Cloud-based access
across devices:
Syncable passkeys work across
platforms, enabling you to
authenticate securely on a phone,
tablet, or computer.

For enterprise use, this
raises security concerns

Cloud-based risks:
While syncable passkeys are
designed to be phishing-resistant,
there could be concerns about
potential breaches of cloud services
or device compromise.

Device-bound passkeys

Stronger security:
Private keys never leave the
device in clear text, reducing
exposure to phishing.

Convenience:
Connect the physical key using
USB-C, NFC, or Bluetooth. It
works on phones, laptops, and
tablets when the authenticator is
present.

Greater enterprise control:
Credentials stay on approved
devices only, giving IT teams full
control over where credentials are
stored and used – with no reliance
on personal cloud accounts.

Eliminates unmanaged
device risks:
You can’t accidentally sync
workplace credentials to
personal or unauthorized devices.
