How do passkeys move between your devices, and what is the security trade-off of syncing them through a cloud?
Synced passkeys are copied between your devices via the platform vendor's cloud (Apple/Google/Microsoft), end-to-end encrypted before upload, so the provider itself cannot read or use them — but it ties you to that ecosystem.
Plain WebAuthn keys are device-bound (lose the device, lose the credential). Passkeys add synchronization: per c't (2023), the operating-system vendors back up and sync passkeys across your devices so you aren't locked out if one is lost.
- The passkeys are encrypted before leaving the device, so "not even Apple, Google & Co." can decrypt them — only you can.
- The downside is ecosystem lock-in: at the time of the article, Apple synced only with Apple devices, Android only with Android, and Windows didn't sync at all; cross-ecosystem export was largely unavailable.
A device-bound (non-synced) credential, by contrast, has no cloud copy at all — more isolation, but no built-in recovery.
Tip: Syncing fixes WebAuthn's worst usability flaw (losing your only authenticator) at the cost of trusting a vendor cloud — though end-to-end encryption keeps that cloud blind to the keys.