By NHI Mgmt Group Editorial TeamDomain: Governance & RiskSource: VersasecPublished November 20, 2025

TL;DR: Synced passkeys copy the private key across devices through a cloud service, which expands the attack surface and enables bypass techniques such as JavaScript injection and signed assertion hijacking, according to Versasec’s analysis. Device-bound FIDO2 keys avoid that syncing risk by keeping the private key on a single hardware token.


At a glance

What this is: This article argues that synced passkeys weaken passwordless MFA by creating a broader exposure path than device-bound FIDO2 keys.

Why it matters: That matters because identity teams must decide whether convenience-driven credential portability is acceptable for phishing-resistant access, especially where credential theft or sync compromise would affect both human IAM and credential governance.

👉 Read Versasec's analysis of synced passkeys and device-bound FIDO2 security


Context

Synced passkeys are a convenience layer on top of passwordless authentication, but the core security question is where the private key lives and how widely it can move. When that key is replicated across devices through a cloud service, the identity control shifts from a single trusted hardware boundary to a distributed trust model that is harder to govern.

For IAM and identity security teams, the issue is not whether passkeys are stronger than passwords. The issue is whether synced credential portability creates a governance gap between authentication convenience, device trust, and lifecycle control, especially when phishing-resistant access is expected to reduce risk rather than relocate it.


Key questions

Q: How should security teams handle synced passkeys in high-risk environments?

A: Treat synced passkeys as a portability trade-off, not a default secure setting. Use them only where exposure from device replication is acceptable, and reserve device-bound FIDO2 keys for privileged accounts, sensitive applications, and regulated workflows. The decision should be based on blast radius, recovery risk, and how much control the organisation needs over the credential boundary.

Q: Why do synced passkeys create more governance risk than device-bound keys?

A: Synced passkeys increase governance risk because the private key can exist on multiple devices and depend on a cloud sync path, account recovery, and endpoint trust. That widens the control surface beyond the authenticator itself. Device-bound keys keep the secret on one physical token, which is easier to contain, revoke, and audit.

Q: What should organisations get wrong about passwordless MFA and passkeys?

A: The common mistake is assuming passwordless automatically means lower risk. Passwordless authentication can still be weakened by portable credential models, weak recovery, and unsafe sync ecosystems. Security teams should evaluate where the private key lives, how it is recovered, and whether the organisation can bound the credential’s spread across devices.

Q: How can IAM teams decide between synced and device-bound passkeys?

A: Choose the model based on access criticality and operational tolerance for credential spread. Synced passkeys may fit lower-risk user populations, but device-bound keys are better for administrative access, high-value targets, and environments where a copied credential would enlarge attack surface or complicate response.


Technical breakdown

Why synced passkeys expand the trust boundary

A passkey is a public-private key pair used for phishing-resistant authentication. With synced passkeys, the private key is backed up and copied across devices through a cloud account, which means the protected secret no longer stays bound to one device boundary. That changes the trust model from possession of a single hardware token to trust in the sync ecosystem, account recovery path, and device enrolment process. Once the key exists in multiple places, compromise paths include account takeover, sync abuse, and downstream device inheritance. For identity teams, the architectural question is not convenience versus inconvenience. It is whether the organisation is willing to make the authentication factor itself portable across endpoints.

Practical implication: treat synchronisation as part of the authentication attack surface, not just a user-experience feature.

How device-bound FIDO2 passkeys reduce credential portability risk

Device-bound passkeys keep the private key on a single physical authenticator such as a hardware token or secure chip and do not allow export or syncing. That preserves a narrow trust boundary, because the secret does not traverse a cloud backup channel or appear on multiple devices. The benefit is not that the cryptography is different, but that the lifecycle of the credential is more controllable: issuance, revocation, loss handling, and replacement all map to a single object. In practice, this aligns better with privilege containment and device assurance than synced passkeys do, especially for higher-risk users or administrative workflows.

Practical implication: reserve device-bound keys for accounts where portable credential exposure would materially increase blast radius.

Where signed assertion hijacking fits into the passkey threat model

Attack demonstrations such as signed assertion hijacking show that an attacker does not always need to steal the private key directly. If they can influence the browser session, sync path, or user enrolment flow, they may be able to trigger valid assertions or redirect authentication outcomes in ways that still satisfy the protocol. That is why passkey security cannot be assessed only at the cryptographic primitive level. The real control plane includes browser integrity, device trust, sync account protection, and recovery processes. Any weakness in those adjacent layers can undermine the assurance that passwordless authentication is meant to provide.

Practical implication: assess passkey assurance across browser, sync, and recovery controls, not only at the authenticator layer.


Threat narrative

Attacker objective: The attacker aims to impersonate the user and gain authenticated access by exploiting the portability and trust assumptions of synced passkeys.

  1. entry via abuse of the synced passkey ecosystem, including the cloud account or browser path that mediates credential portability.
  2. escalation through signed assertion hijacking or related manipulation that allows the attacker to obtain a valid authentication result without directly exporting the key.
  3. impact through impersonation of the user across multiple trusted devices, widening account access beyond the original hardware boundary.
  • MITRE ATT&CK Enterprise Matrix — MITRE ATT&CK Enterprise — adversary tactics and techniques, threat detection, attack chain mapping, credential access, lateral movement, privilege escalation.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Synced passkeys create ephemeral credential trust debt: The security value of a passkey is not only in cryptography but in the control boundary around the private key. When that key is copied through a sync service, the organisation takes on trust debt across devices, recovery paths, and account synchronisation logic. The practical conclusion is that portability must be treated as an exposure multiplier, not a neutral convenience feature.

Device binding remains the cleaner governance model for high-risk access: FIDO2 device-bound passkeys preserve a single-credential boundary that is easier to issue, revoke, and contain. That matters for privileged users and sensitive workflows because lifecycle control is still anchored to a tangible authenticator instead of a distributed sync ecosystem. Practitioners should map authentication assurance to access criticality rather than standardising on the most portable option.

Authentication assurance now depends on the surrounding control plane: Passkey implementations inherit risk from browser integrity, sync account security, and recovery processes. This is where identity governance meets endpoint assurance, because a strong cryptographic factor can still be weakened by weak enrolment or recovery assumptions. The implication is that passwordless programmes need cross-domain ownership, not just IAM configuration.

Access review processes assume credentials are stable enough to review, but synced passkeys can move faster than governance cycles: That assumption fails when a credential can be replicated to multiple endpoints and reappear through synchronisation or recovery. The implication is that teams must rethink what they are certifying: not just the user, but the portability model of the credential itself.

Named concept: credential portability blast radius: The more places a passkey can appear, the harder it is to bound the impact of device loss, sync compromise, or recovery abuse. That is a governance problem, not just an authentication design problem. Practitioners should classify portable passkeys as a distinct control category with tighter approval and exception handling.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • A separate finding from our research shows that only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, which helps explain why portable credential models are so difficult to govern.
  • That visibility and confidence gap is why identity teams should review Ultimate Guide to NHIs , Key Challenges and Risks when assessing synced credential exposure.

What this signals

Portable authentication is becoming a governance issue, not just an authentication feature. When a credential can follow the user across devices, the identity programme has to account for sync ecosystems, recovery paths, and endpoint trust as part of access assurance.

Credential portability blast radius: this is the control problem that synced passkeys introduce. The more devices and recovery paths that can surface the same private key, the less meaningful a narrow access review becomes unless the programme also tracks where the credential can exist.

For teams building passwordless roadmaps, the practical signal is to segment by risk tier and preserve hardware-bound controls for privileged users. That approach aligns better with least privilege and with the wider identity lifecycle model covered in Ultimate Guide to NHIs.


For practitioners

  • Classify passkeys by portability risk Separate synced passkeys from device-bound FIDO2 keys in policy, inventory, and risk reviews so the organisation can apply different assurance levels to different authentication paths.
  • Limit synced passkeys to low-impact access Use synced credentials only where user convenience outweighs the impact of device replication, and prohibit them for privileged or high-sensitivity roles where blast radius matters.
  • Review the sync and recovery control plane Validate the security of cloud sync accounts, browser trust, device enrolment, and account recovery because those layers can undermine the assurance of a strong passkey.
  • Anchor privileged access to hardware-bound authenticators Require device-bound FIDO2 keys for administrative access and other high-risk workflows so the credential stays attached to a single physical device boundary.

Key takeaways

  • Synced passkeys improve usability but expand the trust boundary in ways that identity teams must govern explicitly.
  • Device-bound FIDO2 keys keep the private key anchored to one physical authenticator, which materially reduces credential portability risk.
  • Passwordless programmes need policy tiers, recovery scrutiny, and risk-based assignment, or they will trade phishing resistance for a broader attack surface.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Synced credential portability maps directly to credential lifecycle and rotation risk.
NIST CSF 2.0PR.AC-4The article is fundamentally about access control boundaries and credential governance.
NIST SP 800-53 Rev 5IA-5Authenticator management covers issuance, storage, and lifecycle of passkey credentials.
NIST Zero Trust (SP 800-207)Passkey assurance depends on continuous trust in device and session context.
NIST SP 800-63SP 800-63BThe post focuses on authenticators and phishing-resistant authentication assurance.

Classify synced passkeys separately from device-bound keys and restrict portable credentials for sensitive access.


Key terms

  • Synced Passkey: A synced passkey is a passwordless credential whose private key is backed up and copied across multiple devices through a cloud service. That portability improves convenience but widens the trust boundary, because the same credential can depend on account recovery, device enrolment, and sync integrity rather than one hardware device only.
  • Device-Bound Passkey: A device-bound passkey is a passwordless credential whose private key stays on one physical authenticator, such as a hardware token or secure chip. The key cannot be exported or synchronised, which makes the credential easier to contain, revoke, and map to a single trusted device boundary.
  • Credential Portability: Credential portability is the degree to which an authenticator can move, replicate, or reappear across devices and environments. Higher portability can reduce user friction, but it also increases the number of places an attacker may target and complicates governance over where access really exists.

What's in the full article

Versasec's full blog post covers the operational detail this post intentionally leaves for the source:

  • The article's explanation of how synced passkeys behave across operating systems and cloud-backed credential stores.
  • The vendor's discussion of FIDO2 device-bound passkeys and why hardware locality changes the risk profile.
  • The examples cited from SquareX and DEF CON showing how passkey attack paths can be demonstrated in practice.
  • The product context for vSEC:CMS, including how the vendor positions issuance and lifecycle management of hardware keys.

👉 Versasec's full post covers the attack demonstrations, sync risks, and hardware-bound alternative in more detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org