What Are Passkeys and Security Keys?
In 2021, Colonial Pipeline traced a ransomware incident back to a compromised VPN password, and the company paid roughly $4.4 million in ransom, according to a DOJ release. That is the operational reality of credential-based initial access: attackers do not need zero-days when they can phish, reuse, or run credential stuffing against password-based authentication.
Both passkeys and physical security keys exist to close that gap. They use the same cryptographic foundation, but the distinction in how they store and manage credentials matters when you are protecting an enterprise.
A passkey is a FIDO authentication credential that replaces passwords with cryptographic key pairs. According to the FIDO Alliance, passkeys let users sign in to apps and websites using the same process they use to unlock their device: biometrics, a PIN, or a pattern. Passkeys come in two forms:
- Synced passkeys store credentials in a cloud-backed credential manager and synchronize them across your devices.
- Device-bound passkeys lock the private key to a single device. It never leaves that hardware.
In practice, the storage model is what drives most of your enterprise trade-offs.
A hardware security key (also called a roaming authenticator) is an external hardware device that communicates with browsers and operating systems over USB, NFC, or Bluetooth using the FIDO2 CTAP (Client-to-Authenticator Protocol). Think YubiKeys, smartcards, and similar tokens. These are, by definition, device-bound: the private key is stored in a hardware security module and cannot be exported or copied.
Both technologies share the same cryptographic foundation. Every credential is unique, bound to a specific service domain, and built on standard public key cryptography. Biometric data never leaves your device. The server only stores the public key. That shared design is what makes both options relevant to the same core security problem.
How Passkeys and Security Keys Relate to Cybersecurity
The 2025 Verizon DBIR reports that credential abuse drives a major share of initial access: 22% of breaches involve credential abuse as the initial access method, per the Verizon DBIR. That tracks with what you see in the field: once an attacker has valid credentials, you are fighting your own access paths.
Both passkeys and security keys are phishing resistant by design. As the WebAuthn spec defines, each authentication assertion is scoped to a specific website domain, so a credential-phishing site on a different domain cannot obtain a valid assertion. This stops credential phishing, credential stuffing, and adversary-in-the-middle attacks at the protocol level, which is why you see agencies and regulated sectors pushing toward phishing-resistant MFA.
This is why OMB M-22-09 now mandates that federal agencies use only phishing-resistant authentication. The question for your organization is not whether to adopt FIDO2 authentication. It is which implementation model fits your risk profile. The table below puts the key differences side by side.
Passkey vs. Security Key at a Glance
| Feature | Passkey (Synced) | Physical Security Key |
| Credential Storage | Cloud credential manager (Apple Keychain, Google Password Manager) | Hardware security module on physical token |
| Key Exportability | Synchronized across devices via cloud fabric | Non-exportable; locked to hardware |
| NIST Assurance Level | AAL2 | AAL3 |
| Phishing Resistance | Yes (FIDO2 domain binding) | Yes (FIDO2 domain binding) |
| Device Attestation | Not supported (cloud sync breaks chain-of-trust) | Supported (hardware-embedded manufacturer certificate) |
| Recovery Model | Cloud account recovery through provider | Physical backup key or admin-mediated re-enrollment |
| User Experience | Transparent, works across synced devices | Requires physical token at each login |
| Hardware Cost | None (software-based) | Per-user token purchase and lifecycle management |
| Cross-Platform Support | Provider ecosystem dependent | Universal (USB, NFC, BLE on any FIDO2 platform) |
| Best Fit | General workforce, BYOD environments | Privileged admins, regulated industries, AAL3 compliance |
The protocol stack, storage model, and attestation support behind each option shape your assurance level. Here is how those components break down.
How FIDO2 Authentication Works Under the Hood
Both passkeys and security keys rely on the same FIDO2 protocol stack, but they diverge in how they store, protect, and manage the underlying cryptographic material. Understanding these components helps you match the right credential type to the right risk level.
FIDO2 Protocol Stack
FIDO2 consists of two core components defined by the FIDO specs:
- W3C Web Authentication (WebAuthn): The browser API that enables FIDO authentication on websites and applications.
- Client-to-Authenticator Protocol (CTAP): The protocol allowing external authenticators to communicate with FIDO2-enabled browsers and operating systems.
These two layers are what give you origin binding and the cryptographic proof that makes strong, phishing-resistant sign-in possible.
Credential Storage Architecture
The storage model is the defining difference between passkeys and security keys. Each approach handles the private key differently:
- Hardware security keys store private keys in dedicated hardware security modules (HSM), often using a Trusted Platform Module (TPM) chip. According to Microsoft Entra docs, the key material is non-exportable. You cannot copy it, back it up, or synchronize it.
- Synced passkeys use an operating system or third-party synchronization fabric to replicate cryptographic keys across devices. The FIDO Alliance enterprise deployment guide notes this creates a dependency on the passkey provider's synchronization fabric and their security controls.
That storage distinction drives every downstream decision around attestation, compliance, and recovery.
Attestation
Device attestation is a technique built into FIDO and WebAuthn protocols that enables the authenticator to cryptographically verify the chain of trust from the device's manufacturer. According to the FIDO Alliance attestation white paper, this requires a hardware-embedded manufacturer certificate in the authenticator's secure element.
Synced passkeys cannot provide device provenance because cloud synchronization breaks this cryptographic chain. If you enforce attestation in your identity platform, only device-bound credentials qualify.
Compliance Alignment
NIST SP 800-63B-4 draws a clear line. AAL2 requires phishing-resistant authentication, and both synced passkeys and security keys can qualify. AAL3 requires a non-exportable authentication key, which rules out synced passkeys entirely.
Those components map directly to what happens during sign-in and where the two credential types behave differently.
Registration, Authentication, and Where the Two Diverge
The authentication flow for passkeys and security keys follows the same FIDO2 pattern. The difference shows up in how each handles credential storage, portability, and recovery behind the scenes.
Registration (Both Methods)
During enrollment, the authenticator generates a unique public/private key pair bound to the service's domain. The private key stays on the authenticator, and the server stores only the public key.
Authentication (Both Methods)
- The server sends a cryptographic challenge.
- You perform local verification: a fingerprint scan, face unlock, PIN, or a physical button press.
- The authenticator signs the challenge with the private key.
- The server validates the signature using the stored public key.
That shared flow is why both approaches shut down phishing attacks at the protocol level.
Portability
With a physical security key, you carry one token that authenticates across unlimited devices. Plug it into any FIDO2-compatible browser or tap it via NFC, and you are in.
With synced passkeys, your credentials replicate automatically across devices within your provider's ecosystem: Apple, Google, or a third-party manager. You authenticate on your laptop, and the same passkey works on your phone without carrying anything extra. Cross-ecosystem portability remains inconsistent, though. A flow that works on Chrome/Windows may behave differently on Safari/macOS, and browser-level UX gaps remain an ongoing friction point for enterprise deployments.
Security boundaries
For device-bound credentials, an attacker needs your credentials, physical access to the hardware token, and the ability to bypass local authentication.
For synced credentials, the security boundary shifts to your cloud provider. If an attacker compromises the cloud account through social engineering or provider reset manipulation, they can synchronize credentials to an attacker-controlled device.
That boundary shift is where operational planning comes in. Both credential types carry trade-offs you need to account for before enterprise enforcement, and those trade-offs only matter if the platforms, browsers, and identity providers you rely on actually support the credential type you choose.
Where Passkeys and Security Keys Are Supported Today
As of 2025, passkey and security key adoption has reached a practical tipping point across consumer and enterprise ecosystems.
- Operating systems and browsers. Apple (iOS 16+, macOS Ventura+), Google (Android 9+), and Microsoft (Windows 10/11 via Windows Hello) all support passkey creation and authentication natively. Every major browser, including Chrome, Safari, Edge, and Firefox, supports WebAuthn. According to the FIDO Alliance, over 95% of iOS and Android devices are now passkey-ready, and more than one billion users have activated at least one passkey.
- Identity providers. Enterprise IdPs have added FIDO2 support across the board. Microsoft Entra ID supports device-bound passkeys on FIDO2 security keys and in Microsoft Authenticator, with synced passkey support in preview. Okta supports both passkeys and FIDO2 security keys as phishing-resistant authenticators, with attestation enforcement and AAGUID-based policy controls. Cisco Duo, Ping Identity, and other major IdPs also support FIDO2 enrollment for both credential types. This means your IdP is unlikely to be the blocker.
- Hardware security keys work universally across FIDO2-compatible platforms over USB, NFC, or Bluetooth. Leading manufacturers like Yubico ship multi-protocol keys (YubiKey 5 Series) that support FIDO2, PIV/Smart Card, and OTP, covering both modern and legacy authentication needs in a single token.
- Cross-platform portability gaps. Synced passkeys still face friction when moving between ecosystems. A passkey created in Apple Keychain does not sync natively to Google Password Manager or a Windows device. The FIDO Alliance is addressing this with the Credential Exchange Protocol (CXP), a draft specification developed by Apple, Google, Microsoft, 1Password, Bitwarden, and Dashlane to standardize secure, encrypted passkey transfers between providers. CXP is expected to reach a public review draft in 2026. Until then, third-party password managers like 1Password and Bitwarden offer the most consistent cross-platform passkey experience.
For enterprise planning, the key takeaway is that platform support is no longer the adoption barrier. The remaining friction is cross-ecosystem portability for synced passkeys and organizational readiness around enrollment, recovery, and policy enforcement. Those operational challenges deserve a closer look.
Challenges and Limitations To Plan For
No authentication method eliminates all risk. As you deploy passkeys vs security keys at scale, you will run into a small set of recurring challenges:
- Recovery workflows become a frontline control. If attackers can influence your help desk or provider reset process, they can bypass your strongest sign-in flow.
- Key loss becomes an availability problem. A lost token can lock out a user unless you pre-stage backups and admin workflows.
- Platform differences create friction. Browser and OS fragmentation can drive inconsistent WebAuthn UX and higher support load.
- Lifecycle overhead is real. Issuance, replacement, and revocation add work, especially as you expand token coverage beyond privileged users.
These are not theoretical. In 2023, MGM Resorts disclosed a social engineering-driven cyber incident with an estimated $100 million negative impact, per an MGM filing. Strong sign-in factors help, but you still have to harden identity operations, including service desk and fallback processes. The good news is that each of these constraints maps to a specific deployment practice you can put in place before enforcement.
Passkey and Security Key Deployment Best Practices
Whether you are rolling out passkeys, security keys, or both, these practices help you align the deployment with risk, usability, and operational reality:
- Segment by risk and assurance. Issue a hardware security key for privileged administrators, executives, and regulated roles where AAL3 or high-assurance attestation matters. Use synced passkeys for the broader workforce where AAL2 meets your requirements.
- Make enrollment and backups routine. Require passkey setup during device onboarding, and register multiple authenticators per user so you have a backup that does not push users back to easily phished factors.
- Harden account recovery and fallbacks. Treat account recovery as a control: tighten identity verification for help desk resets, restrict fallback methods, and monitor for abnormal fallback usage.
- Roll out in phases and monitor continuously. Pilot high-risk groups first, expand in waves, then enforce once user support and reset workflows hold up. Keep ongoing visibility for unusual travel, risky device changes, and suspicious re-registrations.
If you execute these four practices, you reduce lockouts and shrink the attacker's options without slowing users down. From there, you can build a clear segmentation model for which credential type to assign where.
How To Choose Between a Passkey and a Security Key
Choosing between a passkey and a security key should not be either/or. Most enterprises end up with a hybrid model because different populations need different assurance levels and recovery paths.
Use this segmentation to make the choice clear:
- Hardware security key: Use when you need AAL3, non-exportable keys, and strong device attestation for privileged access.
- Synced passkey: Use when AAL2 is sufficient and you want lower IT overhead for broad workforce access.
- Hybrid policy: Use security keys for administrators and regulated roles, and synced passkeys for the rest of your users.
- Recovery-first design: Treat reset and fallback paths as part of your control set, not an afterthought, because they can negate phishing-resistant MFA.
Once you have that segmentation, the next step is to make sure you can still find and stop identity-led activity after sign-in.
Singularity™ Identity
Detect and respond to attacks in real-time with holistic solutions for Active Directory and Entra ID.
Get a DemoKey Takeaways
Passkeys and physical security keys both deliver phishing-resistant authentication through FIDO2 cryptography, but they serve different enterprise needs. Synced passkeys prioritize user experience and scale for general workforces at AAL2.
Device-bound security keys provide non-exportable credentials, hardware-backed attestation support, and AAL3 alignment for privileged users and regulated environments. For most enterprises, you will deploy both in a risk-based model, then layer identity threat visibility on top to catch what authentication controls alone cannot.
FAQs
A passkey is a FIDO2 authentication credential that uses public-key cryptography instead of a shared secret like a password. When you register a passkey, your device generates a unique key pair: the private key stays on the device (or syncs through a cloud provider), and the server stores only the public key.
You authenticate with a biometric scan, PIN, or device unlock. Because the credential is bound to a specific domain and never transmitted, it stops phishing and credential stuffing at the protocol level.
AAL2 and AAL3 are NIST authentication assurance levels that define how strongly you can trust a sign-in. AAL2 requires phishing-resistant authentication, but it can allow synced credentials that move across devices under a provider's controls.
AAL3 raises the bar by requiring a hardware-backed, non-exportable key and stronger verifier requirements. In practice, that makes synced passkeys a fit for AAL2, while security keys or other device-bound authenticators are used for AAL3.
Passkey redaction attacks target the user interface layer by hiding or suppressing passkey prompts, pushing users into passwords, SMS, or other weaker fallbacks. Attackers can do this through adversary-in-the-middle proxies, manipulative login pages, or malicious browser extensions that alter what the user sees.
To reduce risk, minimize fallbacks, apply conditional access rules, and lock down extension policies. You should also alert on sudden spikes in fallback usage, which often signal active coercion.
A phased rollout usually starts with foundation work: confirm WebAuthn support, define AAL2 versus AAL3 policies, and build resilient reset and re-enrollment playbooks. Deploy security keys to privileged and high-risk roles first, then roll out synced passkeys in waves to the general workforce.
Enforce FIDO-only policies once adoption and support readiness are stable. Keep legacy factors only long enough to prevent lockouts during the transition, then retire them.
Yes, but you need guardrails. Store corporate passkeys inside managed containers or work profiles so the keys stay in your managed context, not in a personal cloud vault. Restrict passkey creation to managed browsers and apps where possible, and audit for corporate credentials registered under personal accounts.
Your account recovery model matters here too: if resets fall back to easily social-engineered steps, synced passkeys lose much of their assurance.
You use both because no single authenticator balances assurance, usability, and operations for every role. Give security keys to privileged users, administrators, and regulated roles that require non-exportable keys and strong proof of authenticator provenance.
Use synced passkeys for the broad workforce where AAL2 is sufficient and ease of use drives adoption. Then enforce consistent fallback and re-enrollment policies across both groups so attackers cannot downgrade users to weaker factors.
