WORKFORCE
AUTHENTICATION

FIDO2 passwordless authentication

Passkeys are FIDO credentials stored on a computer, phone,
or hardware device tied to a user account. They allow you to
sign-in to a website or application without a password.

They come in two options:

Syncable passkeys
(AKA multi-device passkeys)

Best for:

• Passwordless login for consumers 

• Seamless access across devices

• ldeal for convenience-first user experiences

Examples:

• Social media

• eCommerce

• SaaS apps

Device-bound
passkeys

Best for:

• Workforce authentication

• High-security or regulated environments

• When cloud syncing is restricted or not desired

Examples:

• Internal corporate systems

• Banking apps

• Privileged access

FIDO2

Syncable passkeys vs. device-bound passkeys
What's the difference?

Both are passwordless
& phishing-resistant

Both require a physical
presence for authentication

The key difference

Syncable
passkeys

Credentials can be synchronized across devices. After you set up your passkey on one device, a cloud service such as Apple iCloud or Google Password Manager shares it to your other devices.

Device-bound
passkeys

Credentials are restricted to one device, such as a Digipass FX7 security key.

Thus the term "device-bound" passkey or security key.

According to the Gartner®
Market Guide for User Authentication

There's a burgeoning interest
in multidevice passkeys
(FIDO2 credentials synced across devices),
especially for customer authentication

For workforce use cases,
device-bound passkeys, especially
when fully supported by AM vendors,
are positioned to become the
preferred option in the near term

Read the report

Gartner Market Guide for User Authentication, James Hoover, Ant Allan, 12 November 2024
GARTNER® is a registered trademark and service mark of Gartner, Inc. and/or its affiliates
in the U.S. and internationally and is used herein with permission. All rights reserved.

Pros

Syncable passkeys

Convenience:
Log in to your accounts from any
synced device without a password.

Easy recovery:
If you lose or replace your phone,
your passkeys can be restored
through your cloud provider.
Syncable passkeys are great
for password replacement.

Cloud-based access
across devices:
Syncable passkeys work across
platforms, enabling you to
authenticate securely on a phone,
tablet, or computer.

For enterprise use, this
raises security concerns

Cloud-based risks:
While syncable passkeys are
designed to be phishing-resistant,
there could be concerns about
potential breaches of cloud services
or device compromise.

Device-bound passkeys

Stronger security:
Private keys never leave the
device in clear text, reducing
exposure to phishing.

Convenience:
Connect the physical key using
USB-C, NFC, or Bluetooth. It
works on phones, laptops, and
tablets when the authenticator is
present.

Greater enterprise control:
Credentials stay on approved
devices only, giving IT teams full
control over where credentials are
stored and used – with no reliance
on personal cloud accounts.

Eliminates unmanaged
device risks:
You can’t accidentally sync
workplace credentials to
personal or unauthorized devices.

Learn more about securing your workforce
with device-bound passkeys

Read the blog