Wake Forest University

Resist the phish: More on passkeys, the most phishing-resistant 2-step option

Modified on: Tue, Mar 4, 2025 2:25 PM


When discussing passkeys, it's important to understand the two main types: device-bound and synced. Ready to set up passkeys? Visit go.wfu.edu/passkeys.

What are Passkeys?

  • First, it is important to know that passkeys are a replacement for passwords. They are more secure and easier to use.
  • They may also be used as a 2nd factor (2-step verification) for our WFU Google Accounts.   
  • They work by using cryptographic keys that are unique to you and the website or app you're logging into.   
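
The per-website key described above is what makes a passkey phishing-resistant, and the Node.js sketch below shows why. It is an added example, not code from this article or from any vendor, and it is a simplified model rather than the full WebAuthn message format; the class, function and site names are assumptions made for illustration.

```javascript
// Added illustration: a simplified model of passkey sign-in, not the full WebAuthn format.
const { generateKeyPairSync, createHash, randomBytes, sign, verify } = require("node:crypto");

const sha256 = (s) => createHash("sha256").update(s).digest();
const hostOf = (origin) => new URL(origin).hostname;

// The authenticator (phone, laptop or security key) keeps one private key per website.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } = generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.keys.set(hostOf(origin), privateKey);
    return publicKey; // only the public half is given to the website
  }
  // `origin` is filled in by the browser from the page actually loaded, not typed by the user.
  signIn(origin, challenge) {
    const key = this.keys.get(hostOf(origin));
    if (!key) return null; // no passkey exists for this site, so there is nothing to hand over
    const clientData = JSON.stringify({ origin, challenge });
    const signed = Buffer.concat([sha256(hostOf(origin)), sha256(clientData)]);
    return { clientData, signature: sign("sha256", signed, key) };
  }
}

// The website checks the challenge it issued, the origin, and the signature.
function verifyAssertion(expectedOrigin, publicKey, challenge, assertion) {
  if (!assertion) return false;
  const data = JSON.parse(assertion.clientData);
  if (data.origin !== expectedOrigin || data.challenge !== challenge) return false;
  const signed = Buffer.concat([sha256(hostOf(expectedOrigin)), sha256(assertion.clientData)]);
  return verify("sha256", signed, publicKey, assertion.signature);
}

function demo() {
  const REAL = "https://login.example.edu";           // constructed site name
  const LOOKALIKE = "https://login.example-edu.test"; // constructed look-alike name
  const auth = new Authenticator();
  const realPublicKey = auth.register(REAL);
  const challenge = randomBytes(16).toString("hex");
  const genuine = verifyAssertion(REAL, realPublicKey, challenge, auth.signIn(REAL, challenge));
  // On the look-alike page the browser reports the look-alike origin: no key matches.
  const noKeyForLookalike = auth.signIn(LOOKALIKE, challenge) === null;
  // Even a passkey registered at the look-alike is a different key bound to a different origin.
  auth.register(LOOKALIKE);
  const crossSite = verifyAssertion(REAL, realPublicKey, challenge, auth.signIn(LOOKALIKE, challenge));
  return { genuine, noKeyForLookalike, crossSite };
}
console.log(demo());
```

Unlike a password or a texted code, there is nothing here a person can be tricked into typing on the wrong page: the site name comes from the browser, and the signature only verifies for the site the key was created for.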

[Illustration of the differences between synced and device-bound passkeys. The device-bound passkey example is a USB security key as the one authenticator. The synced passkey illustration shows the interchangeable "synced" nature of the "key" on various devices.]


From Yubico's Q&A guide, "Everything You Need To Know About Passkeys"


Two broad categories of passkeys: Device-Bound and Synced

Device-Bound Passkeys: One "address": security keys have their passkey bound to them

What they are:

  • These passkeys are stored directly on a specific device, like your phone, laptop, or a physical security key.   
  • They stay "bound" to that device and don't travel anywhere else.   

Security:

  • This offers very strong security because the passkey never leaves your device.   
  • This makes them highly resistant to phishing.

Convenience:

  • The drawback is that you can only use them on the device where they're stored.
  • If you lose that device, you might lose access to the accounts secured by those passkeys.   

Example:

  • Using a hardware security key (like a YubiKey) to log into your WFU account creates a device-bound passkey.

Synced Passkeys:

What they are:

  • These passkeys are stored in a secure cloud service, like Apple's iCloud Keychain or Google Password Manager.   
  • This allows them to "sync" across all your devices that are connected to that service.   

Convenience:

  • This makes logging in much easier, as you can use the same passkey on any of your devices.   
  • It also provides backup and recovery options if you lose a device.

Security:

  • Even when passkeys are synced using a cloud service like iCloud, the private key portion remains primarily within the Secure Enclave of your devices. This means it's heavily protected from software-based attacks.

Example:

  • Creating a passkey on your iPhone that then becomes available on your iPad and Mac.   

Key Differences Summarized:

  • Location: Device-bound are on a single device; synced are in the cloud.   
  • Convenience: Synced are more convenient; device-bound are less so.   
  • Security: Device-bound offer the highest security; synced are still very secure but with a slightly higher theoretical risk.   

Which is Better?

  • It depends on your priorities.
  • If maximum security is your top concern, device-bound passkeys are the way to go.
  • If you value convenience and easy access across multiple devices, synced passkeys are a great option.   
  • Many people will likely use a mix of both. For example, using device-bound passkeys for very sensitive accounts like banking, and synced passkeys for more general use.
  • IS recommends setting up multiple passkeys, including synced (Google Password Manager, iCloud, Windows Hello) as well as device-bound (a security key such as a YubiKey).

Ready to set up passkeys?

Visit go.wfu.edu/passkeys to learn how.

