LOGBOOK

HELP

Quiz Entry - updated: 2026.06.07

How do passkeys move between your devices, and what is the security trade-off of syncing them through a cloud?

Synced passkeys are copied between your devices via the platform vendor's cloud (Apple/Google/Microsoft), end-to-end encrypted before upload, so the provider itself cannot read or use them — but it ties you to that ecosystem.

Plain WebAuthn keys are device-bound (lose the device, lose the credential). Passkeys add synchronization: per c't (2023), the operating-system vendors back up and sync passkeys across your devices so you aren't locked out if one is lost.

  • The passkeys are encrypted before leaving the device, so "not even Apple, Google & Co." can decrypt them — only you can.
  • The downside is ecosystem lock-in: at the time of the article, Apple synced only with Apple devices, Android only with Android, and Windows didn't sync at all; cross-ecosystem export was largely unavailable.

A device-bound (non-synced) credential, by contrast, has no cloud copy at all — more isolation, but no built-in recovery.

Tip: Syncing fixes WebAuthn's worst usability flaw (losing your only authenticator) at the cost of trusting a vendor cloud — though end-to-end encryption keeps that cloud blind to the keys.

From Quiz: INTROL / Web Authentication: Cookies, OAuth 2.0 / OIDC & WebAuthn | Updated: Jun 07, 2026