With Passkeys, Microsoft is taking an important step towards a passwordless future. But not all passkeys are the same: there are two different variants, which differ primarily in terms of where the key is stored and how it is accessed.
Whether locally on the device (device-bound) or across devices in the cloud – both variants have their strengths and specific use cases.

In this FAQ, we explain the two Microsoft passkey types, their differences and when which variant is best suited.

Device-bound passkey

  • The private key is permanently bound to a device and is not synchronized.
  • The user authenticates with biometrics (fingerprint) or a PIN on that specific device.
  • The device communicates with an identity provider (e.g. Azure AD/Microsoft Entra) that has stored the user’s public key.
  • Security: The key can only be used on this device, which offers additional security but less flexibility.

Synchronized passkey (synced passkey)

  • The private key is synchronized across platforms or password managers (e.g. iCloud, Google Password Manager, 1Password).
  • The user can use the passkey on several devices.
  • Here, too, authentication uses biometrics or a PIN via WebAuthn, but the key is more portable.
  • Advantage: Convenience, because you are not tied to a single device.

The following applies to both

Both variants use public-private key cryptography:

  • The private key stays with the user (either on the device only, or synchronized across devices in encrypted form).
  • Public key is stored with the service/identity provider (e.g. Azure AD).
  • Login is by cryptographic challenge-response, not by passwords.
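The challenge-response login described above, as an added example that is not the page's or Microsoft's code and uses no WebAuthn library, only Go's standard ECDSA on P-256: the authenticator keeps the private key, the identity provider stores only the public key and accepts a login if a signature over a fresh challenge (bound to the relying-party ID) verifies. The signed message is a simplification of WebAuthn's authenticator data and client data hash; the `Authenticator`, `Verify` and `must` names, and the credential and relying-party IDs used with them, are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// must aborts on an error from the crypto calls below (they should not fail with crypto/rand).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// Authenticator stands for the device (or synced-passkey provider) that holds the private key.
type Authenticator struct{ priv *ecdsa.PrivateKey }
// NewAuthenticator creates a P-256 key pair, the curve most WebAuthn authenticators use.
func NewAuthenticator() *Authenticator {
	return &Authenticator{priv: must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))}
}

// Public is the only half of the key pair that is ever sent to the identity provider.
func (a *Authenticator) Public() *ecdsa.PublicKey { return &a.priv.PublicKey }

// NewChallenge draws 32 fresh random bytes; a new one per login attempt defeats replay.
func NewChallenge() []byte {
	c := make([]byte, 32)
	must(rand.Read(c))
	return c
}

// signedData binds the challenge to the relying-party ID, so a signature for one service is useless at another.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return h[:]
}

// Sign answers a challenge; on a real device this runs only after the local biometric or PIN check.
func (a *Authenticator) Sign(rpID string, challenge []byte) []byte {
	return must(ecdsa.SignASN1(rand.Reader, a.priv, signedData(rpID, challenge)))
}

// Verify is the identity-provider side: it needs only the public keys stored at registration.
func Verify(registered map[string]*ecdsa.PublicKey, rpID, credID string, challenge, sig []byte) bool {
	pub, ok := registered[credID]
	return ok && ecdsa.VerifyASN1(pub, signedData(rpID, challenge), sig)
}
```

A second key pair standing in for another device cannot answer for the registered credential, which is the device-bound property; a synced passkey differs only in that the same private key is present on several devices.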

We support you with the introduction of passkeys in your Microsoft Suite.