Cybersecurity 101back-iconWhat is a Device Bound Passkey?

What is a Device Bound Passkey?

A device-bound passkey binds a FIDO credential to its original authenticator and refuses to sync to other devices. Unlike standard passkeys, which credential managers can securely sync across trusted hardware, a device-bound passkey never leaves the device that created it. This gives organizations greater control over where authentication credentials reside.

Device-bound passkeys use FIDO standards and public-key cryptography. The private key stays protected within the authenticator and is never shared with the service, while the public key is registered with the relying party. Depending on the platform, the private key may also be protected by hardware-backed security such as a TPM, Secure Enclave, or Android StrongBox.

How does a device bound passkey work?

When a user registers with a compatible application or website:

  1. The authenticator generates a unique public and private key pair.
  2. The private key remains on the authenticator and cannot be synchronized or exported.
  3. The public key is registered with the service.
  4. During sign-in, the authenticator signs a cryptographic challenge after the user verifies their identity, such as with biometrics or a PIN.

Since the private key cannot be copied to another authenticator, attackers cannot reuse the credential on another device.

Device bound passkey vs synced passkey

Feature  Device-bound passkey  Synced passkey 
Storage  Bound to one authenticator  Synced across trusted devices 
Portability  Cannot be synchronized or exported  Available on multiple devices 
Recovery  Requires another authenticator or new enrollment  Easier through credential synchronization 
Best suited for  Enterprise and regulated environments  Consumer and everyday use 

Why do organizations use device bound passkeys?

Organizations that need stronger authentication assurance often choose device-bound passkeys because credentials remain tied to a single authenticator.

Key benefits include:

  • Phishing-resistant authentication without reusable passwords.
  • Reduced risk of credential theft through copying or synchronization.
  • Greater control over credential portability.
  • Support for authentication assurance requirements when combined with appropriate security controls.
  • Stronger Zero Trust authentication strategies.

These advantages make device-bound passkeys well suited for organizations with strict security and compliance requirements.

How Hexnode helps secure passkey-enabled devices

With Hexnode, IT administrators can:

  • Configure security policies across Windows, macOS, iOS, Android, ChromeOS, and Linux devices.
  • Integrate with Microsoft Entra Conditional Access to make access decisions based on device compliance for supported Android, iOS, and macOS devices.
  • Remotely manage enrolled devices and enforce security and compliance policies.
  • Maintain trusted, compliant endpoints that complement passwordless authentication strategies.

Together, endpoint management and passwordless authentication help strengthen an organization’s overall security posture.

FAQs

Yes. Organizations can require device-bound credentials where supported by their identity provider and authentication policies.

Users typically authenticate with another registered authenticator or complete the account recovery process before registering a new passkey.