TL;DR: Synced passkeys copy the private key across devices through a cloud service, which expands the attack surface and enables bypass techniques such as JavaScript injection and signed assertion hijacking, according to Versasec’s analysis. Device-bound FIDO2 keys avoid that syncing risk by keeping the private key on a single hardware token.
NHIMG editorial — based on content published by Versasec: The Hidden Risk of Synced Passkeys: Why FIDO2 Device-Bound Passkeys are the Secure Choice
Questions worth separating out
Q: How should security teams handle synced passkeys in high-risk environments?
A: Treat synced passkeys as a portability trade-off, not a default secure setting.
Q: Why do synced passkeys create more governance risk than device-bound keys?
A: Synced passkeys increase governance risk because the private key can exist on multiple devices and depend on a cloud sync path, account recovery, and endpoint trust.
Q: What should organisations get wrong about passwordless MFA and passkeys?
A: The common mistake is assuming passwordless automatically means lower risk.
Practitioner guidance
- Classify passkeys by portability risk Separate synced passkeys from device-bound FIDO2 keys in policy, inventory, and risk reviews so the organisation can apply different assurance levels to different authentication paths.
- Limit synced passkeys to low-impact access Use synced credentials only where user convenience outweighs the impact of device replication, and prohibit them for privileged or high-sensitivity roles where blast radius matters.
- Review the sync and recovery control plane Validate the security of cloud sync accounts, browser trust, device enrolment, and account recovery because those layers can undermine the assurance of a strong passkey.
What's in the full article
Versasec's full blog post covers the operational detail this post intentionally leaves for the source:
- The article's explanation of how synced passkeys behave across operating systems and cloud-backed credential stores.
- The vendor's discussion of FIDO2 device-bound passkeys and why hardware locality changes the risk profile.
- The examples cited from SquareX and DEF CON showing how passkey attack paths can be demonstrated in practice.
- The product context for vSEC:CMS, including how the vendor positions issuance and lifecycle management of hardware keys.
👉 Read Versasec's analysis of synced passkeys and device-bound FIDO2 security →
Synced passkeys and device-bound keys: are your controls keeping up?
Explore further
Synced passkeys create ephemeral credential trust debt: The security value of a passkey is not only in cryptography but in the control boundary around the private key. When that key is copied through a sync service, the organisation takes on trust debt across devices, recovery paths, and account synchronisation logic. The practical conclusion is that portability must be treated as an exposure multiplier, not a neutral convenience feature.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- A separate finding from our research shows that only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, which helps explain why portable credential models are so difficult to govern.
A question worth separating out:
Q: How can IAM teams decide between synced and device-bound passkeys?
A: Choose the model based on access criticality and operational tolerance for credential spread. Synced passkeys may fit lower-risk user populations, but device-bound keys are better for administrative access, high-value targets, and environments where a copied credential would enlarge attack surface or complicate response.
👉 Read our full editorial: Synced passkeys widen the attack surface of passwordless MFA