Passkey Sync - Cross-Device Credential Sharing
Passkey sync is a mechanism that distributes the credential (private key) of a passkey to multiple devices via the cloud. With traditional FIDO2 authentication, the private key was bound to a single device, so the effort of re-registering credentials when a device was lost or replaced was a major barrier to adoption. Starting with Apple's 2022 announcement of passkey sync in the iCloud Keychain, Google and Microsoft followed suit, accelerating the spread of passwordless authentication.
Why Sync Became Necessary
Device-bound FIDO2 authentication, such as a security key, is ideal in terms of security but posed too high a hurdle for ordinary users. If you lose the key, you can no longer access your account, and every time you buy a new device you have to re-register with all services. This "inconvenience" was the biggest factor hindering the spread of passwordless authentication, and the sync feature was designed as the solution.
Sync Methods by Platform
| Platform | Sync infrastructure | Encryption method | Sync scope |
|---|---|---|---|
| Apple | iCloud Keychain | E2EE (inaccessible even to Apple) | All devices on the same Apple ID |
| Google | Google Password Manager | E2EE (rolled out in stages from 2024) | Android / Chrome on the same Google account |
| Microsoft | Windows Hello + Microsoft account | TPM integration + cloud sync | Windows devices on the same Microsoft account |
Every platform applies end-to-end encryption during synchronization. In Apple's case, the encryption key for the iCloud Keychain is generated on the device, and only encrypted data is stored on Apple's servers. In other words, the design ensures that even Apple itself cannot read the contents of the passkey.
How Sync Works - End-to-End Encryption
Even if a cloud provider's server is compromised, the private key cannot be extracted from the encrypted passkey data. However, if the account itself is hijacked (for example, if the iCloud account password is leaked and two-factor authentication is also bypassed), there is a risk that an attacker could add a new device and sync the passkeys. Account protection for cloud storage is the foundation of passkey sync security.
The Current State and Challenges of Cross-Platform Sync
As of 2025, the biggest challenge is that sync across platforms is not possible. A passkey created on an iPhone is not synced to Android, and vice versa. The FIDO Alliance is promoting the interoperability of "multi-device credentials," but the reality is that each platform prioritizes locking users into its own ecosystem.
As a practical workaround for this problem, third-party password managers such as 1Password and Dashlane have begun supporting cross-platform passkey sync. Because these tools operate independently of the OS's passkey infrastructure, they can share passkeys even between Apple devices and Android devices. The article password sync across multiple devices explains the specific setup steps.
The Trade-Off with Device-Bound Types
Synced passkeys: Highly convenient, and recoverable from the cloud even when a device is lost. Ideal for consumer-facing services. However, they depend on the security of the cloud account.
Device-bound passkeys: Because the private key never leaves the physical device, they are unaffected by cloud breaches. Suited to high-security enterprise environments. Recovery after loss is a challenge.
In corporate security policies, hybrid operations are increasing in which synced passkeys are permitted for general employees while security keys are mandated for administrator accounts. The article challenges of passkey migration explains the details of this operational design.
Common Misconceptions
We often hear the concern, "If passkeys are synced, don't they carry the same leakage risk as passwords?" However, passkey sync and password sync are fundamentally different. A password is a "shared secret" sent to the server, but a passkey's private key is never sent to the server. Sync occurs only between devices, and at authentication time only the signature for the challenge is sent to the server. Even if the sync path were compromised, the private key cannot be extracted from data encrypted with E2EE. Passwordless authentication books on Amazon let you learn about this mechanism in greater depth.
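A minimal model of the two properties just described (the end-to-end wrap of the private key from the "How Sync Works" section, and the challenge signature being the only thing that reaches the server), as an added example that is not part of the original article or of any platform's sync code. It assumes Ed25519 as the passkey algorithm for brevity (deployed passkeys more commonly use ES256), a constructed 32-byte syncKey standing in for the device-generated keychain key, and hypothetical names (SyncVault, SignChallenge, VerifyAssertion).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// SyncVault wraps passkey private keys under syncKey, a 32-byte secret that
// exists only on the user's devices (constructed stand-in for the
// device-generated keychain key). The sync server never receives syncKey.
type SyncVault struct{ gcm cipher.AEAD }

func NewSyncVault(syncKey []byte) (*SyncVault, error) {
	blk, err := aes.NewCipher(syncKey) // a 32-byte key selects AES-256
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(blk)
	if err != nil { return nil, err }
	return &SyncVault{gcm: gcm}, nil
}

// Seal wraps the private key for upload; the cloud stores only nonce||ciphertext,
// so a breached sync server holds nothing it can use.
func (v *SyncVault) Seal(priv ed25519.PrivateKey) ([]byte, error) {
	nonce := make([]byte, v.gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return v.gcm.Seal(nonce, nonce, priv, nil), nil
}

// Open is the newly enrolled device's step. Without syncKey the blob fails
// authentication, which is why a rogue device enrolled through account
// takeover, not a server breach, is the realistic threat.
func (v *SyncVault) Open(blob []byte) (ed25519.PrivateKey, error) {
	n := v.gcm.NonceSize()
	if len(blob) < n { return nil, errors.New("sync blob too short") }
	return v.gcm.Open(nil, blob[:n], blob[n:], nil)
}

// SignChallenge is the device's authentication step: only the signature over
// the relying party's challenge leaves the device, never priv itself.
func SignChallenge(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// VerifyAssertion is the relying party's side; it holds only the public key.
func VerifyAssertion(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, challenge, sig)
}
```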
Adoption Decisions in Practice
When introducing passkey sync, it is important to survey the usage environment of the target users in advance. For an organization standardized on the Apple ecosystem, the iCloud Keychain alone is sufficient, but in a BYOD (bring-your-own-device) environment the cross-platform problem becomes apparent. Evaluate the risks of biometric authentication as well, and consider whether biometric authentication is appropriate as the identity verification method for synced passkeys.