To understand device-bound passkeys, one must first understand the underlying technology of FIDO2/WebAuthn. Unlike passwords, passkeys are based on public-key cryptography. When you register for a website, your device creates a unique key pair: a private key and a public key. The public key is sent to the website’s server, while the private key never leaves your device.
This is the story of "Device-Bound Passkeys"—the high-security, unshakeable cousins of the standard digital credentials we use every day.

The Problem: The "Ghost" in the Machine
Synced passkeys, while convenient, introduce a "wide" blast radius: if a user's Google account is compromised, the attacker potentially gains access to every synced passkey across all of the user's devices. Device-bound passkeys offer a "narrow" blast radius: if a single hardware token is stolen, the user knows exactly which services are at risk and can revoke that specific key. Furthermore, enterprises can enforce policies requiring device-bound credentials for sensitive systems, ensuring that employees cannot access critical infrastructure from an unmanaged or personal device.
Device-bound passkeys are tied to a single device by physics and cryptography.