Passkeys are winning, but security leaders must raise the bar

Christopher Harrell

Christopher Harrell

6 minute read

Passwords are on their way out. In their place is a new form of login called passkeys that promises stronger security and less frustration. All passkeys offer the rare combination of improved usability and stronger security, especially when compared to passwords alone. But unless we act now, millions could be left more vulnerable than ever.

The global momentum behind passkeys represents one of the most exciting shifts in authentication history. The technical specifications that enable this shift are FIDO2 and WebAuthn, and their implementations are now widely known by the consumer-friendly name ‘passkeys’. As the creator of the first passkeys – passkeys in security keys – Yubico is proud and humbled to have helped initiate and continue to drive this transformation.

Yet, the work isn’t done. Not all passkeys are equal, not all users have the same needs, and leaving insecure fallback methods in place can provide a false sense of security.

Read below for how security leaders, builders, product managers, and individuals can make sure passkeys work for everyone.

Synced vs. device-bound passkeys: the critical difference
Synced passkeys

For many, passkeys are synonymous with synced passkeys where the private key is stored in the cloud and copied between devices. Synced passkeys offer a practical, user-friendly solution for some use cases, but they depend heavily on the security and availability of the sync mechanism, recovery systems and processes, and the cloud accounts they’re tied to.

For people and organizations that face higher risks, have greater sensitivity or accessibility needs, or individuals who just want the best protection for their finances or other critical accounts, synced passkeys aren’t enough.

Device-bound passkeys

Device-bound passkeys never leave the secure hardware where they are created and provide the strongest protection against phishing, account takeover, and recovery abuse. There are two primary implementations:

  • Smartphone / laptop based: These can be convenient, but aren’t always an available option and can provide inconsistent experiences. For example, most smartphone-based passkey solutions have usability challenges because of confusing QR codes, buggy or missing Bluetooth, and unreliable relay access.
  • Hardware security keys (like YubiKeys): The gold standard and original passkey, offering the highest security assurance by providing portable, cross-platform, and consistent passkey experiences. They serve as a root of trust for every use case, across borders and in high-risk situations.

Bottom line: Synced passkeys should be the baseline. Device-bound passkeys must be an option, and in some cases the requirement.

The recovery gap

Even with device-bound passkeys enabled, accounts remain vulnerable if weaker recovery methods are still allowed:

  • Text messages
  • Code-generation apps
  • Push notification approvals
  • Number matching prompts

Attackers understand this and actively downgrade to insecure, phishable mechanisms to avoid the phishing-resistant security passkeys provide.

CIOs and CISOs: demand configurability and control

Enterprise-grade protection means control over your authentication policies.

Passkeys in YubiKeys and Windows Hello for Business are better together, offering non-exportable credentials that cannot be silently synced, phished, or copied. These passkeys can provide clear visibility into how and where they are stored which enables more consistent support, audit, and incident response processes.

Key requirements to demand from identity providers and partners:

  • Enforce only device-bound passkeys in your identity providers
  • Require them by policy even for services outside your SSO
  • Disable synced passkeys for enterprise use
  • Use passkeys in security keys as a root of trust for self service recovery, transition, and step-up
  • Remove all non-FIDO fallback methods
  • Enforce only device-bound passkeys in your identity providers
  • Require them by policy even for services outside your SSO
  • Disable synced passkeys for enterprise use
  • Use passkeys in security keys as a root of trust for self service recovery, transition, and step-up
  • Remove all non-FIDO fallback methods

To make this work, the services you use have to allow it. Demand configurability from your identity providers, workforce tools, and partners. Protect your organization with authentication designed for the realities of your threat landscape.

Organizations that do this see fewer recovery events, lower costs, and greater resilience.

Product managers: build choice in

Don’t exclude security keys — it often takes more effort to block them than to support them. And if you’re stuck – technically or from a usability perspective – Yubico is here to help. We’ve partnered with governments, Fortune 500s, and identity platforms to solve many challenges at scale across the globe.

As a product leader or engineer rolling out passkey support in your application, you are shaping the future of digital identity and safety. If you’re building a banking app, social network, government portal, an identity provider, or anything else, you are also deciding who gets access to higher levels of protection.

Support portable hardware security keys like the YubiKey. This is not an extra feature, it’s imperative and should be available for all account and service levels for enterprises or for individuals.

Benefits

  • Enterprises who are offered strong security policies can save time and money, and harden recovery flows against social engineering.
  • High-value accounts can use the strongest phishing resistance to protect their, and your assets.
  • At-risk individuals and organizations ranging from journalists and whistleblowers to those securing political processes or members of marginalized communities depend on YubiKeys as a lifeline. Don’t put them at risk.
  • People with accessibility needs often prefer or need portable hardware security keys because of their predictable, tactile, and cross-platform experience that reduces screen reader challenges and eliminates complex or unfamiliar gestures.

The stakes are global and personal: Build a passkey future that works for everyone

Authentication should be adaptable and flexible, not rigid and monolithic. Higher-assurance security is not just for the enterprise; it’s a lifeline for millions. Here are just a few people and groups who need the strongest passkey protections the most:

  • Government officials, diplomats, and military leaders
  • Legal workers, judges, and law enforcement
  • High-profile executives, influencers, and celebrities
  • Developers and maintainers of software and systems
  • Security practitioners and researchers
  • Survivors of domestic violence or trafficking
  • Activists, journalists, and other vulnerable populations or organizations
  • Those without reliable access to a personal phone or computer
  • People with accessibility needs
  • Everyday individuals that want the best protection

A person or organization can become “at-risk” overnight through a political event, security incident, or public exposure. Having the ability to quickly improve security posture can dramatically increase safety and peace of mind.

Whether you lead a security program, build products for millions, or care about your own accounts:

  • Support or require security keys a core part of your passkey strategy
  • Demand configurability and the ability to disable insecure fallbacks
  • Ensure everyone has the option to choose the protection level they need

Together, let’s build a future where passwordless is not just possible – it’s flexible, resilient, and available to all.

For more information on passkeys, see Yubico’s new infographic and eBook.

, , ,
Talk to our teamTalk to our team

Share this article:
  • Your top YubiKey questions, answeredOver the 10+ years I’ve been at Yubico, I’ve had the pleasure of meeting customers, partners and many others talking about digital security. While every conversation is different, I am often asked many of the same questions about YubiKeys. One thing remains consistent: many people know they need better security, but they’re not sure what […]Read moreFAQYubiKey
  • Works with YubiKey Spotlight: Passkeys are here – are you ready?With 2025 at its midpoint, enterprises worldwide are grappling with how to protect their users and data against emerging challenges around user security. Since 2022, generative AI has fueled a 4,000% surge in phishing – exploiting human vulnerability in 68% of breaches. It’s no longer a question – the world has a password problem that […]Read morepartnerspasskeysWorks with YubiKeywwyk
  • Yubico LogoYubico liefert PIN-Verbesserungen mit dem neuen YubiKey 5 – Verbesserte PIN-SchlüsselUm sich auf die sich ständig weiterentwickelnden Cyber-Bedrohungen vorzubereiten, passen Regierungen weltweit die Authentifizierungsanforderungen für Online-Dienste an und aktualisieren sie, was direkte Auswirkungen auf viele Unternehmen und deren Mitarbeiter hat. Zwar gibt es derzeit keine universelle Regelung für eine robustere Multi-Faktor-Authentifizierung (MFA), doch wird deren Notwendigkeit in einer Reihe von Anforderungen hervorgehoben, darunter PSD2, DSGVO […]Read moreYubiKey
  • Yubico delivers PIN advancements with new YubiKey 5 – Enhanced PIN keysTo prepare for continuously evolving cyber threats, governments around the world are adapting and updating authentication requirements for online services which directly impact thousands of organizations and their employees. While there’s currently no universal regulation for more robust multi-factor authentication (MFA), the need is highlighted across a range of requirements including PSD2, GDPR, and the […]Read moreCompany NewsProduct NewsYubiKeyYubiKey 5 – Enhanced PINYubiKey 5 SeriesYubiKey as a Service