January 05, 2025
Passkeys in Microsoft 365: Device-Bound vs. Syncable
The concept of a device-bound passkey may seem confusing, but it’s actually a powerful step toward a more secure digital future. Let’s explain it step by step!
What exactly is a device-bound passkey?
A device-bound passkey is a FIDO2 Discoverable Credential that is bound to one specific authenticator¹. This means that the passkey cannot be transferred to another device or medium. For example, consider a FIDO2 key: it contains credentials that remain on the device itself.
Key features:
- Bound to one device: The passkey remains local to the device.
- Phishing-resistant: It is a secure way to gain access without being vulnerable to phishing attacks.
- Alternative name: Formerly known as single-device passkeys.
What is a syncable passkey? 🔄
A syncable passkey is designed with usability in mind. This passkey can be backed up and restored, allowing sharing between devices.
Characteristics of syncable passkeys:
- Backup and restore possible: You can restore your passkey if you lose or replace your device.
- Sharing between devices: Useful for people who use multiple devices.
- User-friendly: Reduces friction for end users.
When to choose syncable passkeys?
- Suitable for environments where ease of use is more important than maximum security.
- Ideal for personal users and businesses without heavy regulations.
The pros and cons of passkeys ⚖️
Device-bound passkey:
- Provides maximum security, with no synchronization risk.
- Non-transferable and unrecoverable, so loss of the device means cost and hassle.
Syncable passkey:
- User-friendly, with backup and restore functions.
- Suitable for multiple devices, but less secure during synchronization and less suitable for regulated environments.
Which passkey suits your situation? 🤔
Choosing between a device-bound or syncable passkey depends entirely on your needs:
- Need tight security? Choose a device-bound passkey.
- Focus on ease of use? Go for a syncable passkey.
Microsoft supports several types of passkeys, so you can choose a solution that fits your security and usage requirements.
Why choose passkeys? 🚀
With the growing threat of phishing attacks, it is essential to take a more secure approach to authentication. Passkeys provide the phishing resistance that MFA methods such as push notifications and TOTP (Time-Based One-Time Passwords) cannot guarantee.
Problems with current MFA methods:
- Push notifications and TOTPs can be intercepted.
- Hardware OTP and passwordless logins via phones are vulnerable.
Benefits of passkeys:
- No passwords required (so no password management either!).
- Impossible to phish due to local binding to a specific device.
- User-friendly and safer.
Conclusion: The power of choice 💪🔑
Passkeys offer a robust and future-proof solution for securing digital access. Whether you choose maximum security with device-bound passkeys or more flexibility with syncable passkeys, both methods help us take a step further into a world without passwords. Have questions about implementing passkeys or want custom advice? Let us know! 😊 🔒 Say goodbye to passwords and embrace the future of security with passkeys!
Frequently asked questions (FAQ) about Passkeys 🔑❓
Below are answers to frequently asked questions about passkeys, so you know exactly how they work and what they can do for you.
1. What are passkeys?
Passkeys are a secure and easy-to-use substitute for passwords. They are based on the FIDO2 standard and can provide phishing-resistant authentication. Instead of a password, you store a cryptographic key on your device, which is used to verify your identity².
2. How do passkeys differ from traditional MFA methods?
Traditional methods such as push notifications, TOTP codes and hardware tokens are susceptible to phishing attacks. Passkeys are designed to prevent phishing because they use asymmetric cryptography that only works with the right device.
3. What happens if I lose my device?
- Device-bound passkeys: You can’t restore them. You have to set a new passkey on another device.
- Syncable passkeys: You can restore your passkey from a backup and regain access.
4. Are passkeys safe for businesses?
Yes, device-bound passkeys in particular provide maximum security. They are ideal for regulated environments where data should never be synchronized or backed up.
5. What are the costs of implementing passkeys?
- Device-bound passkeys: Cost may be higher due to purchase of hardware (such as security keys).
- Syncable passkeys: Often cheaper because they rely on existing cloud services and devices.
6. What are the limitations of passkeys?
- Device-bound passkeys: No recovery options if lost.
- Syncable passkeys: Potentially less secure in highly regulated environments due to the possibility of synchronization.
7. Why are passkeys important for admins?
Passkeys offer admins a powerful solution against phishing, data breaches and password problems. Passkeys allow administrators to improve security by replacing traditional passwords with phishing-resistant authentication. This reduces risk, enhances the user experience and makes it easier to meet strict security and compliance requirements.
References
¹ https://techcommunity.microsoft.com/blog/identity/public-preview-expanding-passkey-support-in-microsoft-entra-id/4062702
² https://support.microsoft.com/windows/passkeys-overview-301c8944-5ea2-452b-9886-97e4d2ef4422
About the author
My name is Alta Martes, a specialist in Microsoft 365 and Google Workspace, with a focus on modern workplace management, cloud security and identity & access management. With years of experience, I help organizations optimize their IT infrastructure and create a secure, efficient digital workplace.