Device-Bound vs. Synced Credentials: A Comparative Evaluation of Passkey Authentication
Andre Büttner, Nils Gruschka

TL;DR
This paper compares device-bound and synced passkey authentication, analyzes their differences in security and usability, and shows that the security of synced credentials rests largely on the passkey provider.
Contribution
It categorizes passkey access levels, applies a security framework to compare device-bound and synced passkeys, and offers practical security recommendations.
Findings
Synced passkeys rely heavily on passkey providers for security.
Device-bound passkeys depend less on a provider for their security, since the private key never leaves the authenticator.
Usability and security trade-offs differ between device-bound and synced passkeys.
Abstract
With passkeys, the FIDO Alliance introduces the ability to sync FIDO2 credentials across a user's devices through passkey providers. This aims to mitigate user concerns about losing their devices and promotes the shift toward password-less authentication. As a consequence, many major online services have adopted passkeys. However, credential syncing has also created a debate among experts about their security guarantees. In this paper, we categorize the different access levels of passkeys to show how syncing credentials impacts their security and availability. Moreover, we use the established framework from Bonneau et al.'s Quest to Replace Passwords and apply it to different types of device-bound and synced passkeys. By this, we reveal relevant differences, particularly in their usability and security, and show that the security of synced passkeys is mainly concentrated in the passkey…
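The distinction the abstract draws, device-bound versus synced, is visible to a relying party in the WebAuthn authenticator data: the BE (backup eligibility) and BS (backup state) flag bits tell the server whether a credential can be, and currently is, synced by a passkey provider. The following is an added example, not code from the paper, showing how a relying party parses those flags, classifies the credential, and applies a policy. The RP ID `example.com`, the policy dictionaries and the sample authenticator data are constructed for illustration.

```python
"""Classify a WebAuthn credential as device-bound or synced from the BE/BS flags.

Added example for this page; it is not code from the paper. Flag bit positions
follow the WebAuthn authenticatorData "flags" byte; all inputs are constructed.
"""
import hashlib
import struct

# Flag bits of the authenticatorData flags byte.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligibility: the credential can be synced by a provider
FLAG_BS = 0x10  # backup state: the credential is currently backed up (synced)
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix of authenticatorData into its fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData must be at least 37 bytes")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "up": bool(flags & FLAG_UP),
        "uv": bool(flags & FLAG_UV),
        "be": bool(flags & FLAG_BE),
        "bs": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }


def classify_credential(be: bool, bs: bool) -> str:
    """Map the BE/BS pair onto the credential types the paper compares."""
    if not be and bs:
        # BS without BE is not a valid combination; treat it as malformed.
        raise ValueError("BS set without BE is not a valid flag combination")
    if not be:
        return "device-bound"
    return "synced" if bs else "sync-eligible"


def evaluate_assertion(auth_data: bytes, rp_id: str, stored_be, policy: dict):
    """Relying-party checks for one registration or assertion.

    stored_be: BE value recorded at registration, or None on first registration.
    policy:    hypothetical dict {"require_uv": bool, "allow_synced": bool}.
    Returns (accepted, reasons).
    """
    parsed = parse_authenticator_data(auth_data)
    reasons = []
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        reasons.append("rpIdHash mismatch")
    if not parsed["up"]:
        reasons.append("user presence not asserted")
    if policy["require_uv"] and not parsed["uv"]:
        reasons.append("user verification required but not performed")
    try:
        kind = classify_credential(parsed["be"], parsed["bs"])
    except ValueError as exc:
        reasons.append(str(exc))
        return False, reasons
    if kind != "device-bound" and not policy["allow_synced"]:
        reasons.append(f"{kind} credential rejected by policy")
    if stored_be is not None and stored_be != parsed["be"]:
        # BE is fixed for a credential's lifetime; only BS may change.
        # A changed BE points at a different credential or a faulty authenticator.
        reasons.append("backup eligibility changed since registration")
    return (not reasons), reasons


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build a constructed 37-byte authenticatorData prefix for the samples."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))


# Constructed sample inputs (not real authenticator output).
RP_ID = "example.com"
DEVICE_BOUND = make_auth_data(RP_ID, FLAG_UP | FLAG_UV, 7)
SYNCED = make_auth_data(RP_ID, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
SYNC_ELIGIBLE = make_auth_data(RP_ID, FLAG_UP | FLAG_UV | FLAG_BE, 0)
MALFORMED = make_auth_data(RP_ID, FLAG_UP | FLAG_UV | FLAG_BS, 0)

if __name__ == "__main__":
    strict = {"require_uv": True, "allow_synced": False}
    lenient = {"require_uv": True, "allow_synced": True}
    for name, data in [("device-bound", DEVICE_BOUND), ("synced", SYNCED),
                       ("sync-eligible", SYNC_ELIGIBLE), ("malformed", MALFORMED)]:
        print(name,
              "strict:", evaluate_assertion(data, RP_ID, None, strict),
              "lenient:", evaluate_assertion(data, RP_ID, None, lenient))
```

Recording BE at registration and re-checking it on every assertion is what lets a relying party enforce a device-bound-only policy for high-value accounts while still accepting synced passkeys elsewhere; BS alone is not a stable property, since a user can enable or disable backup after registration.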
