What happens if a device with passkeys is lost or stolen?

Losing a device that holds your passkeys doesn't automatically put your data at risk. Passkeys are end-to-end encrypted, and without biometric verification (such as Face ID or Touch ID) or the device passcode, they can't be accessed. This ensures that even if a device is lost or stolen, unauthorized individuals can't decrypt the passkeys.

For synced passkeys

If you're using synced passkeys through a service like iCloud Keychain, you can remotely wipe the lost device using services like Find My to ensure all data is erased. Android users with Google Password Manager can sign out of their Google account remotely.

For device-bound passkeys

While the passkeys remain encrypted and inaccessible, you'll need to rely on alternative recovery methods since the passkeys can't be accessed from other devices.

Can passkeys be copied or synchronized?

Synced passkeys: Yes, these are automatically copied and synchronized across all your devices via secure cloud storage (iCloud, Google Password Manager, or third-party password managers).

Device-bound passkeys: No, they can't be copied or synchronized. They remain exclusive to the device where they were created, offering tighter security but less convenience.

How can users recover an account if the passkey has been deleted from their cloud password manager?

If a passkey has been deleted from the cloud manager and there are no other forms of MFA on the account, recovering the account can be challenging. This is why setting up additional factors for account recovery is critical. Keep in mind, however, that an account is only as secure as its weakest factor.

For organizations implementing passkeys, we recommend enforcing two additional forms of MFA for account recovery to enhance security and user convenience. This means that if a user loses or deletes their passkey, they will need to use two forms of MFA to recover their account.

Alternatively, users could use recovery codes that they have created and downloaded. However, if a user loses their recovery codes, deletes their passkey, and has no additional factor set up, they may lose access to their account. In such cases, their only option may be to contact support for assistance. The support team may be able to help the user recover their account, depending on company policy, after strong proof of identity is provided.
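A relying party can tell synced from device-bound passkeys by reading the backup eligible (BE) and backup state (BS) bits in the WebAuthn authenticator data, and can use that to flag accounts with weak recovery cover. The sketch below is an added example, not Authsignal's code: `classifyPasskey`, `recoveryGaps` and `makeAuthData` are hypothetical names, the sample inputs are constructed, and the two-factor threshold is an assumption taken from the recommendation above.

```javascript
// Authenticator data layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes) | ...
const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified (biometric or device passcode)
const FLAG_BE = 0x08; // backup eligible: the credential may be synced
const FLAG_BS = 0x10; // backup state: the credential is currently backed up

function classifyPasskey(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error("authenticator data must be at least 37 bytes");
  }
  const flags = authData[32];
  const backupEligible = (flags & FLAG_BE) !== 0;
  const backedUp = (flags & FLAG_BS) !== 0;
  // WebAuthn does not allow BS without BE; reject instead of guessing.
  if (backedUp && !backupEligible) {
    throw new Error("invalid flags: BS set without BE");
  }
  return {
    kind: backupEligible ? "synced" : "device-bound",
    backedUp,
    userVerified: (flags & FLAG_UV) !== 0,
  };
}

// Hypothetical policy check (assumption: two recovery factors, as recommended above).
function recoveryGaps(passkey, recoveryFactorCount) {
  const gaps = [];
  if (recoveryFactorCount < 2) gaps.push("fewer than two recovery factors enrolled");
  if (!passkey.backedUp) gaps.push("passkey exists on one device only");
  return gaps;
}

// Constructed sample input: zeroed rpIdHash and signCount, only the flags byte set.
function makeAuthData(flags) {
  const data = new Uint8Array(37);
  data[32] = flags;
  return data;
}

const synced = classifyPasskey(makeAuthData(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS));
const bound = classifyPasskey(makeAuthData(FLAG_UP | FLAG_UV));
console.log(synced.kind, recoveryGaps(synced, 2));
console.log(bound.kind, recoveryGaps(bound, 1));
```

The flags should be read only from authenticator data whose signature has already been verified, since unverified bytes prove nothing about the credential.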

Recent NIST updates on passkeys

In July 2025, NIST released the final version of SP 800-63-4, which officially recognizes syncable passkeys for AAL2 compliance. The updated guidelines clarify that when configured and secured correctly, synchronization of cryptographic material across cloud services is allowed, removing previous restrictions on synced authenticators. The new standards also mandate that AAL2 implementations must offer phishing-resistant multi-factor authentication options, making passkeys even more valuable for organizations seeking compliance.

For more details on these updates, see the NIST SP 800-63-4 digital identity guidelines.

For the fastest way to implement adaptive MFA and passkeys to secure your entire authentication workflow, learn more about integrating Authsignal with Auth0, AWS Cognito, Azure AD B2C, Duende IdentityServer, and more.