Device-Bound vs. Synced Credentials: A Comparative Evaluation of Passkey Authentication
Andre Büttner, Nils Gruschka
2025
Abstract
With passkeys, the FIDO Alliance introduces the ability to sync FIDO2 credentials across a user’s devices through passkey providers. This aims to mitigate user concerns about losing their devices and promotes the shift toward password-less authentication. As a consequence, many major online services have adopted passkeys. However, credential syncing has also created a debate among experts about their security guarantees. In this paper, we categorize the different access levels of passkeys to show how syncing credentials impacts their security and availability. Moreover, we use the established framework from Bonneau et al.’s Quest to Replace Passwords and apply it to different types of device-bound and synced passkeys. By this, we reveal relevant differences, particularly in their usability and security, and show that the security of synced passkeys is mainly concentrated in the passkey provider. We further provide practical recommendations for end users, passkey providers, and relying parties.
Paper Citation
in Harvard Style
Büttner A. and Gruschka N. (2025). Device-Bound vs. Synced Credentials: A Comparative Evaluation of Passkey Authentication. In Proceedings of the 11th International Conference on Information Systems Security and Privacy - Volume 2: ICISSP; ISBN 978-989-758-735-1, SciTePress, pages 651-659. DOI: 10.5220/0013380600003899
in Bibtex Style
@conference{icissp25,
author={Andre Büttner and Nils Gruschka},
title={Device-Bound vs. Synced Credentials: A Comparative Evaluation of Passkey Authentication},
booktitle={Proceedings of the 11th International Conference on Information Systems Security and Privacy - Volume 2: ICISSP},
year={2025},
pages={651-659},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0013380600003899},
isbn={978-989-758-735-1},
}
in EndNote Style
TY - CONF
JO - Proceedings of the 11th International Conference on Information Systems Security and Privacy - Volume 2: ICISSP
TI - Device-Bound vs. Synced Credentials: A Comparative Evaluation of Passkey Authentication
SN - 978-989-758-735-1
AU - Büttner A.
AU - Gruschka N.
PY - 2025
SP - 651
EP - 659
DO - 10.5220/0013380600003899
PB - SciTePress