WORKFORCE
AUTHENTICATION
FIDO2 passwordless authentication
Passkeys are FIDO credentials stored on a computer, phone, or hardware device tied to a user account. They allow you to sign in to a website or application without a password.
They come in two options:



Syncable passkeys (AKA multi-device passkeys)
Best for:
Passwordless login for consumers
Seamless access across devices
Ideal for convenience-first user experiences
Examples:
Social media
eCommerce
SaaS apps

Device-bound passkeys
Best for:
Workforce authentication
High-security or regulated environments
When cloud syncing is restricted or not desired
Examples:
Internal corporate systems
Banking apps
Privileged access
FIDO2
Syncable passkeys vs. device-bound passkeys
What's the difference?

Both are passwordless & phishing-resistant

Both require a physical presence for authentication
The key difference

Syncable passkeys
Credentials can be synchronized across devices. After you set up your passkey on one device, a cloud service such as Apple iCloud or Google Password Manager shares it to your other devices.

Device-bound passkeys
Credentials are restricted to one device, such as a Digipass FX7 security key.
Thus the term "device-bound" passkey or security key.
According to the Gartner® Market Guide for User Authentication

There's a burgeoning interest in multidevice passkeys (FIDO2 credentials synced across devices), especially for customer authentication

For workforce use cases, device-bound passkeys, especially when fully supported by AM vendors, are positioned to become the preferred option in the near term

Gartner Market Guide for User Authentication, James Hoover, Ant Allan, 12 November 2024
GARTNER® is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
Pros
Syncable passkeys
Convenience: Log in to your accounts from any synced device without a password.
Easy recovery: If you lose or replace your phone, your passkeys can be restored through your cloud provider.
Syncable passkeys are great for password replacement.
Cloud-based access across devices: Syncable passkeys work across platforms, enabling you to authenticate securely on a phone, tablet, or computer.

For enterprise use, this raises security concerns

Cloud-based risks: While syncable passkeys are designed to be phishing-resistant, there could be concerns about potential breaches of cloud services or device compromise.
Device-bound passkeys
Stronger security: Private keys never leave the device in clear text, reducing exposure to phishing.
Convenience: Connect the physical key using USB-C, NFC, or Bluetooth. It works on phones, laptops, and tablets when the authenticator is present.
Greater enterprise control: Credentials stay on approved devices only, giving IT teams full control over where credentials are stored and used – with no reliance on personal cloud accounts.
Eliminates unmanaged device risks: You can’t accidentally sync workplace credentials to personal or unauthorized devices.
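
One way a relying party can tell the two passkey types apart and enforce the "approved devices only" control described above: WebAuthn authenticator data carries a backup eligible (BE) flag and a backup state (BS) flag. This is an added example, not OneSpan code; the RP ID, the sample bytes and the policy function are constructed for illustration.

```python
import hashlib
import struct

# Flag bits in WebAuthn authenticatorData (W3C WebAuthn Level 3)
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced
FLAG_BS = 0x10  # backup state: credential is currently backed up


def classify_passkey(auth_data: bytes, rp_id: str) -> str:
    """Classify a credential from raw authenticatorData bytes."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    # Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)
    rp_id_hash, flags, _sign_count = struct.unpack(">32sBI", auth_data[:37])
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the expected RP ID")
    if not flags & FLAG_UP:
        raise ValueError("user presence flag not set")
    be, bs = bool(flags & FLAG_BE), bool(flags & FLAG_BS)
    if bs and not be:
        raise ValueError("BS set without BE is not a valid combination")
    if not be:
        return "device-bound"
    return "syncable-backed-up" if bs else "syncable-not-backed-up"


def workforce_policy_allows(auth_data: bytes, rp_id: str) -> bool:
    """Hypothetical workforce policy: accept only device-bound passkeys."""
    return classify_passkey(auth_data, rp_id) == "device-bound"


def make_sample(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    """Build constructed authenticatorData for the demo (no real device)."""
    digest = hashlib.sha256(rp_id.encode()).digest()
    return digest + struct.pack(">BI", flags, sign_count)


if __name__ == "__main__":
    rp = "login.example.test"  # constructed RP ID
    samples = [("security key", FLAG_UP | FLAG_UV),
               ("synced passkey", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS)]
    for label, flags in samples:
        data = make_sample(rp, flags)
        print(label, classify_passkey(data, rp), workforce_policy_allows(data, rp))
```

The flags are covered by the authenticator's signature, so evaluate them only after the registration or assertion signature has been verified. Restricting enrollment to a specific approved key model additionally requires attestation, which this sketch does not cover.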
