The Pitfalls of User-Bound Passkeys and Why Device-Bound Passkeys Are the Future

By Maranda Manning

A Brief History of Passkeys

Passkeys were developed as part of a global effort by the FIDO Alliance to replace passwords with more secure, phishing-resistant authentication. A passkey is a public/private key pair: the private key stays on the user's device, protected by biometrics or a PIN, and only signatures made with it ever leave the device. Tech giants like Apple, Google, and Microsoft have embraced passkeys, rapidly integrating them into their systems. Apple led the charge, embedding passkeys into iOS 16 and macOS Ventura and enabling users to sync their credentials across multiple devices for convenience. Google and Microsoft soon followed, adding passkey support across their platforms.


The Adoption Challenge: The Three F's—Fear, Friction, and Flow


Despite the major tech players' backing, passkey adoption has been slower than anticipated. Although 53% of users have enabled passkeys on at least one account, only 22% have done so across all possible accounts. Currently, only 20% of the top 100 websites support passkeys.


The slow adoption rate can largely be attributed to the "three F's": fear, friction, and flow. Users are often fearful that they'll lose access to accounts if something goes wrong with passkey authentication. Friction arises from the newness of the system: switching from familiar passwords to something unfamiliar requires effort and understanding. Lastly, the flow of users' digital experiences can be disrupted when passkeys aren't universally supported, leading to inconsistencies across platforms.


Vulnerabilities of User-Bound Passkeys


While user-bound passkeys are a significant improvement over passwords and OTP-based multi-factor authentication, they do have weaknesses. Because these passkeys are typically synced across devices through cloud services, compromising a single device can expose the credentials shared with every other synced device. This broadens the attack surface and raises the risk of widespread account takeovers if just one link in the chain is breached.


Why Device-Bound Passkeys Are the Future


Device-bound passkeys address many of these weaknesses by anchoring authentication to a specific device. Unlike user-bound passkeys, which are tied to the individual and can be synced across multiple devices, device-bound passkeys remain locked to one device, such as a phone, browser, or app. Even if one device is compromised, the others remain secure: a hacked phone would not grant access to the user's laptop or other devices.
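To make the key-pair mechanism from the history section and the synced-versus-device-bound distinction above concrete, here is an added example (not code from this post or from Ideem) of both sides of a WebAuthn passkey sign-in. The authenticator signs authenticatorData || SHA-256(clientDataJSON) with a P-256 key that never leaves the device; the relying party checks the signature, the relying-party ID hash, user verification, and the backup-eligible (BE) flag, which is how a synced credential announces itself, so a device-bound-only policy can refuse it. The relying party ID example.com, the client data and the flag layout are constructed sample values for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const flagUP, flagUV, flagBE = 0x01, 0x04, 0x08 // authData flags byte (offset 32): user present, user verified (biometric/PIN), backup eligible (syncable); 0x10 = backup state, unused here

// newKey stands in for the authenticator minting a P-256 key pair at registration.
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// authData builds minimal authenticator data: SHA-256(rpId) || flags || signCount (0: no counter).
func authData(rpID string, flags byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], flags, 0, 0, 0, 0)
}

// signedMessage is what both sides hash: authData || SHA-256(clientDataJSON).
func signedMessage(ad, clientData []byte) []byte {
	cdh := sha256.Sum256(clientData)
	msg := sha256.Sum256(append(append([]byte{}, ad...), cdh[:]...))
	return msg[:]
}

// sign is the authenticator side: only the signature leaves the device, never the private key.
func sign(priv *ecdsa.PrivateKey, ad, clientData []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, signedMessage(ad, clientData))
}

// verify is the relying-party side; deviceBoundOnly refuses backup-eligible (syncable) credentials.
func verify(pub *ecdsa.PublicKey, rpID string, ad, clientData, sig []byte, deviceBoundOnly bool) error {
	switch {
	case len(ad) < 37 || string(ad[:32]) != string(authData(rpID, 0)[:32]): // rpIdHash binds it to this RP
		return fmt.Errorf("authenticator data malformed or minted for another relying party")
	case ad[32]&(flagUP|flagUV) != flagUP|flagUV:
		return fmt.Errorf("user presence and user verification not both asserted")
	case deviceBoundOnly && ad[32]&flagBE != 0:
		return fmt.Errorf("synced passkey rejected by device-bound policy")
	case !ecdsa.VerifyASN1(pub, signedMessage(ad, clientData), sig):
		return fmt.Errorf("signature does not verify")
	}
	return nil
}
```

A real relying party additionally checks the challenge and origin inside clientDataJSON and tracks the sign counter; those steps are omitted here to keep the flag logic in focus.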


In addition, device-bound passkeys are quantum-safe, offering enhanced future-proofing for the coming age of quantum computing. Ideem's Zero-Trust Secure Module (ZSM), which has NIST validation, offers USB-key-level security without requiring physical hardware, making it easier for organizations to adopt a robust authentication solution.


Conclusion

As the industry moves away from antiquated authentication methods like passwords and OTPs, passkeys represent a major leap forward. However, user-bound passkeys alone are insufficient for long-term security. By integrating device-bound passkeys with user-bound ones, organizations can offer a more secure and seamless user experience. This hybrid approach reduces the attack surface and future-proofs authentication in an increasingly connected world.

