THALES BLOG

Beyond Passwords: A Guide to Choosing the Right Passkey

September 11, 2025

Sarah Lefavrais | IAM Product Marketing Manager

For many market analysts, cybersecurity agencies and authentication experts, passkeys, built on the FIDO2 standard, are the future-proof authentication technology that will become mainstream within the next few years.

"By 2027, more than 90% of MFA transactions using a token will be based on FIDO protocols natively supported in IAM tools."

- Gartner® Market Guide for User Authentication, by James Hoover, Ant Allan, 12 November 2024

Why? Because passwordless FIDO authentication offers both improved security and user experience (UX).

However, it’s important to understand that not all passkeys are the same. In our view, the Gartner guidance clarifies how organizations should adopt the different types of passkeys – especially the distinction between synced (multidevice) and device-bound passkeys – to maximize security and efficiency.

What are Passkeys?

Passkeys are phishing-resistant credentials based on FIDO2 standards. Unlike passwords, they cannot be reused, guessed, or phished. They are stored on the user’s device and secured by biometric or PIN-based local authentication.

There are two main types of passkeys:

Device-bound passkeys

According to Gartner, “Device-bound passkeys are bound to a hardware authenticator or ‘security key’ (a ‘roaming’ authenticator), or to a user’s PC, tablet, or smartphone via a software authenticator (a ‘platform’ authenticator). In some instances it is possible to use a smartphone with a platform authenticator as a roaming authenticator. Device-bound passkeys are typically combined with a local authentication ‘gesture’ such as a PIN or a biometric method to provide MFA.”

- Gartner®, Innovation Insight for Many Flavors of Authentication Token, by James Hoover, Ant Allan, 13 January 2025

Synced passkeys

Gartner explains synced, or multidevice, passkeys as follows:

“Multidevice passkeys can be synchronized across a person’s devices (smartphones, tablets, PCs); that is, across OSs and browsers from the same vendor, anchored to the person’s Apple, Google or Microsoft accounts, or across devices with the same personal password manager (PPM) app. Authentication from each device is typically enabled by a device-native biometric method, ‘unlocking’ the credentials. Multidevice passkeys on a smartphone can be used on another unsynced device via a QR code-initiated Bluetooth connection using the Client to Authenticator Protocol (CTAP).”

- Gartner®, Innovation Insight for Many Flavors of Authentication Token, by James Hoover, Ant Allan, 13 January 2025

Choosing an Appropriate Passkey for the Authentication Flow

Given their distinct features, device-bound and synced passkeys work best in distinct scenarios.

For Workforce Multi-Factor and Strong Customer Authentication, Prioritize Device Bound

As noted, device-bound passkeys are better suited for workforce MFA (Multi-Factor Authentication) and SCA (Strong Customer Authentication). Why?

  • Phishing Resistance: Passkeys tied to a specific device provide enhanced security, as the private key remains securely stored and never leaves the device. Even if a user is tricked by a phishing attempt, the authentication process will not succeed.
  • Compliance and Assurance: In many enterprise environments, especially those handling critical systems or sensitive information, there are strict requirements for strong multi-factor authentication. Device-specific credentials are better suited to meet these higher assurance standards.
  • Reduced Attack Surface: Since credentials can’t be synced across devices, attackers are unable to retrieve them remotely, even if they gain access to the user’s account.

And, as Gartner underscores:

“Wherever possible, migrate to inherently phishing-resistant MFA, such as public-key tokens. For workforce MFA and SCA, prefer FIDO2 tokens (e.g., WHfB or roaming authenticators with device-bound passkeys). This approach is increasingly being successfully adopted. While multidevice passkeys may not satisfy workforce MFA or SCA needs, they can add value in customer use cases as a strong alternative to passwords, and with better UX.”

- Gartner, Innovation Insight for Many Flavors of Authentication Token, By Ant Allan, James Hoover, Yemi Davies, 13 January 2025

Thales enables device-bound passkeys through secure mobile and hardware-based options – especially critical for banking and other high-assurance use cases. For those use cases, synced passkeys are not sufficient for workforce MFA or SCA because of the risks that come with cloud synchronization, including unauthorized access to the sync account and compromise of the credential on any of the devices it has been synced to.
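As an added example (not Thales’s or Gartner’s code), here is how a relying party can act on the distinction above at authentication time: WebAuthn authenticator data carries a backup-eligible (BE) flag that synced passkeys set and device-bound passkeys do not, alongside the rpIdHash that underpins phishing resistance. The per-use-case policy names (workforce, sca, consumer) are a hypothetical convention of this snippet; signature and clientDataJSON checks are omitted.

```python
import hashlib
import struct

# Flag bits in WebAuthn authenticator data (WebAuthn Level 3, "Authenticator Data").
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified by a local gesture (PIN or biometric)
FLAG_BE = 0x08  # backup eligible: credential may be synced to other devices
FLAG_BS = 0x10  # backup state: credential is currently backed up / synced

def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix: rpIdHash (32), flags (1), signCount (4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }

def check_passkey_policy(auth_data: bytes, expected_rp_id: str, use_case: str) -> tuple:
    """Accept or reject an assertion for a use case: 'workforce' and 'sca'
    require a device-bound passkey; 'consumer' also accepts synced ones."""
    parsed = parse_authenticator_data(auth_data)
    # Origin binding behind phishing resistance: the authenticator signs over the
    # hash of the RP ID the browser derived from the page origin, so an assertion
    # collected on a look-alike domain carries a different hash and fails here.
    if parsed["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch: assertion was not made for this relying party"
    if not parsed["user_present"]:
        return False, "user presence not asserted"
    if use_case in ("workforce", "sca"):
        if not parsed["user_verified"]:
            return False, "workforce/SCA requires a local PIN or biometric gesture"
        if parsed["backup_eligible"]:
            return False, "synced (backup-eligible) passkey rejected for workforce/SCA"
        return True, "device-bound passkey accepted"
    if use_case == "consumer":
        kind = "synced" if parsed["backup_eligible"] else "device-bound"
        return True, f"{kind} passkey accepted for consumer use"
    return False, f"unknown use case: {use_case}"

def make_auth_data(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    """Constructed sample authenticator data for demonstration, not real device output."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
```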

Synced Passkeys: Better UX for Low-Risk Consumer Scenarios

While device-bound credentials deliver higher assurance, they may introduce friction in low-risk consumer use cases. Here, synced passkeys offer a good balance of usability and security.

Thales considers synced passkeys a good fit where user convenience takes priority, such as in consumer-facing applications that don’t fall under strict compliance rules like PSD2. Benefits include:

  • Improved User Experience: Synced passkeys allow users to authenticate seamlessly across devices without the need to re-register each one, streamlining the onboarding process.
  • Stronger Security Than Passwords: While not as robust as device-bound passkeys, cloud-synced credentials still offer significant improvements over traditional password-based authentication.
  • Reduced Support Burden: Removing the need for password resets, account lockouts, and complex recovery processes reduces IT workloads and operational costs, particularly in large-scale environments.

The Bigger Picture: Phishing Resistant MFA and Better Recovery

Ultimately, regardless of industry or use case, Gartner recommends moving away from legacy authentication methods and toward inherently phishing-resistant MFA, such as FIDO-based passkeys.

According to Gartner, IAM leaders should:

  • Ensure user authentication methods — with or without tokens — are fit for purpose by evaluating, across different use cases, total cost of ownership (TCO), user experience (UX) and other needs and constraints, as well as authentication strength (including resistance to phishing and other attacks).
  • Reduce risks associated with legacy implementations by divesting from known-weak legacy methods and migrating to inherently phishing-resistant MFA wherever possible. Implement compensating controls where this is not possible.
  • Enhance the security of enrolment/credentialing and account recovery processes by investing in appropriate identity verification or similar tools.
  • Lower barriers to customers’ adoption of new methods by simplifying enrollment ceremonies and optimizing customer UX.

- Gartner, Innovation Insight for Many Flavors of Authentication Token, By Ant Allan, James Hoover, Yemi Davies, 13 January 2025

In regard to lowering barriers to adoption, keep in mind that, according to the 2025 Thales Digital Trust Index, 25% of consumers have abandoned a brand due to a lengthy sign-up process.

Why the Shift to Passkeys Can’t Wait

Adopting passkeys has never been so important. Not only are regulations ramping up, but attackers have adapted to bypass traditional authentication methods. Credential stuffing attacks take advantage of password reuse, while clever phishing campaigns leverage the inherent weakness in SMS and email OTPs.

Meanwhile, major platforms are rapidly enabling passkey support:

  • Apple and Google now allow users to generate and sync passkeys via their native password managers
  • Major websites and services, from Amazon to PayPal, have begun rolling out passkey support for consumers
  • 87% of US and UK workforces are deploying passkeys for employee sign-ins

These trends make it essential for organizations to evaluate passkey deployment strategies now, before attackers and compliance auditors beat them to it.

Pragmatic Best Practices for Passkey Adoption

Ultimately, it’s essential to take a pragmatic approach to passkey adoption. Use device-bound passkeys where assurance matters most, such as in enterprise workforce environments or highly sensitive B2B and B2C environments. Use synced passkeys, however, where convenience is more important, such as in user-facing apps or lower-risk customer authentication scenarios.

By aligning your passkey strategy with your risk profile, user base, and business goals, you can move beyond passwords without compromising security or frustrating your users.

Learn how passkeys bound to Thales hardware FIDO authenticators, Thales Mobile Protector App for Digital Banking and Thales SafeNet Mobile PASS+ App for Workforce deliver strong, passwordless security tailored to high-assurance environments.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.