Are Passkeys Device Specific?

Are Passkeys Device Specific?#

Yes, passkeys can be device specific, but it depends on the operating system and the use of hardware security keys. On platforms like Windows, passkeys are generally tied to the device (as of August 2024). Also, on macOS when using Chrome, passkeys can be stored in a user’s Chrome profile, which is then also bound to this macOS device. Additionally, hardware security keys, such as YubiKeys, store passkeys that are specific to the key itself but can be used on different devices as long as the hardware security key is present. Passkeys on other platforms, like iOS, Android or macOS (storing passkeys in iCloud Keychain) as well as using a third-party password manager to store passkeys sync passkeys and are thus not device specific.

---

Understanding Device-Specific Passkeys#

Passkeys are a modern approach to authentication, designed to replace traditional passwords with a more secure and user-friendly alternative. Whether a passkey is device specific depends largely on the platform and the method of storage:

• Windows: On Windows devices, passkeys are typically tied to the specific device where they are created. This means that a passkey created on one Windows machine cannot be used on another unless it is explicitly synced using third-party password managers that can sync passkeys, e.g. 1Password, Dashlane or Bitwarden.

• Chrome on macOS (using Chrome profile): In Chrome on macOS, passkeys can be stored in a user's Chrome profile (which does not sync to other devices), so passkeys are in this case device specific. However, the user can also decide to store the passkeys in iCloud Keychain, which syncs them (even when he's using Chrome on macOS). On a browser like Safari, the passkeys are always synced.

• Hardware Security Keys: Devices like YubiKeys store passkeys on the hardware security key itself. While the passkey is specific to the YubiKey, the passkey can be used across any device that supports it. This makes YubiKeys a versatile option for users who need to authenticate across multiple devices.

Technical Implications#

Understanding the device-specific nature of passkeys is crucial for developers and product managers when designing authentication systems:

• Security Considerations: Device-specific passkeys can enhance security by reducing the risk of passkey theft, as they are not easily transferable. However, this can also limit user convenience, especially in multi-device environments.

• User Experience: For product managers, the ability to offer synced passkeys can significantly improve user experience and retention.

• Implementation Tips: When implementing passkeys, consider the target audience's devices and platforms. If your user base predominantly uses Windows, you may need to inform them of the device-specific nature of passkeys. For users on macOS, iOS or Android highlight the flexibility and portability of their passkeys.

In conclusion, while passkeys can be device-specific, the extent to which they are depends on the operating system and the use of hardware security keys.

---

About Corbado

Corbado is the Passkey Intelligence Platform for CIAM teams running consumer authentication at scale. We help you see what IDP logs and generic analytics tools can't: which devices, OS versions, browsers and credential managers support passkeys, why enrollments don't turn into logins, where the WebAuthn flow fails and when an OS / browser update silently breaks login, all without replacing Okta, Auth0, Ping, Cognito or your in-house IDP. Two products: Corbado Observe layers observability for passkeys and any other login method. Corbado Connect adds managed passkeys with analytics built in (alongside your IDP). VicRoads runs passkeys for 5M+ users with Corbado (+80% passkey activation). Talk to a Passkey Expert →