As safe as syncing passwords.
Passwords are easy. We understand what it takes to make them more (or less) secure. Passkeys are a little harder to understand, partly because they depend more on behind-the-scenes security measures we don’t see.
Fortunately, the benefits and risks of sharing passkeys across multiple devices via a password manager are almost identical to doing the same with passwords.
Syncing passkeys across devices
Syncing passkeys with a password manager is about as safe as syncing passwords with one. A thief would need to break into both your device and your vault to get them, which is extremely unlikely. With good security habits, syncing makes passkeys safe and easy to use.
Synchronized passkeys
Related
What Is a Passkey?
Passkeys are a new form of signing in that promise to be easier and more secure. I'll walk you through some of the high level concepts and how they work, and how they keep you safer than passwords.#157308
Passkeys are designed to be unique to, and stored on, each device. So, for example, if you use passkeys for your Google account, then:
- Setting up a passkey to sign in to Google on your computer creates one passkey that is stored on your computer.
- Setting up a passkey to sign in to Google on your laptop creates a different passkey that is stored on your laptop.
- Setting up a passkey to sign in to Google on your phone creates a third, unique passkey that is stored on your phone.
You need to set up a passkey for each device, typically by signing in some other more cumbersome way1 and then responding “Yes” when the process completes and you’re offered the option to set up a passkey.
Some password vaults now allow you to store your passkey not on each device but in your password vault instead. As a result, you have one passkey for that account that you can use on any device (assuming your password vault is installed and unlocked on each device). This means:
- You set up a passkey for an account only once.
- Once your password vault synchronizes, you can sign in to that account using its passkey on any of your devices.
It’s quite convenient… exactly as convenient as letting your password vault hold usernames and passwords for accounts that don’t use passkeys.
That doesn’t mean there aren’t risks, though.
Help keep it going by becoming a Patron.
Related
What’s the Best Password Manager in 2025?
Overwhelmed by too many password manager choices? I’ll walk you through the best current options, what makes them different, and how to pick the one that fits you best. The most important step? Start using one today for safer, easier, and more-secure logins.#148053
The risk
Let’s say you use your password manager to store passkeys and share them across devices, as I do using 1Password.
And let’s say that your laptop, which has your password manager installed, is stolen.
The thief would have to:
- Break into your laptop. They’d have to figure out how to sign in as you and then run the password manager.
- Break into the password manager. The only pragmatic way to do this is to have your master password. As the vault itself is stored encrypted, cracking it is impractical2.
There are scenarios where your own behavior can compromise both of those. For example,
- If your laptop signs in automatically, and
- You have a weak master password for your password manager, and
- They steal your laptop while it’s running and you have a long auto-lock timeout for both the laptop and the password vault,
then you’ve arranged a potential perfect storm. But the laptop and the password vault would both need to be compromised, or access couldn’t happen.
It’s all pretty darned unlikely.
Here’s the thing: nothing about what I’ve just described is unique to passkeys.
Related
Why Password Managers Are [Still] Safer than the Alternatives
If you're not using a password manager, you're likely compromising your security more than necessary. Here's why using one is safer.#5555
Passkeys aren’t the issue
The compromise I described above applies equally to accounts that use passwords. In other words, it applies to all the accounts you use today.
If someone somehow gains access to your password vault, they’ve got access to everything, passkeys or not.
In fact, passkeys may offer additional security because, unlike a password, passkeys generally require authentication, usually as biometrics or a PIN, at the time they’re used. If the thief can’t supply your face, fingerprint, or PIN, the passkeys remain secure.
But the security hygiene you’re already following to secure your password vault secures your passkeys as well.
Personally, I feel 1Password itself and my setup are sufficiently secure. I’m not concerned about this specific threat should my laptop ever be stolen.
Do this
Besides trusting 1Password’s security and my security habits, another reason I feel so comfortable using 1Password to save my passkeys and my passwords is convenience.
Setting up a passkey for each device can feel like a burden, particularly if you have multiple devices.3 Passkeys are more secure than passwords, and the ability to set them up once and have them work everywhere else my password manager works makes passkeys significantly more usable.
I just don’t see a downside.
If you use a password manager (and I hope you do), and that password manager offers to be your repository for passkeys, I suggest you let it.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
Podcast audio
Footnotes & References
1: Not necessarily using a password, but more often responding to an SMS message or emailed link.
2: This applies equally to the hard disk being stolen from the machine. The database is strongly encrypted and realistically uncrackable given today’s resources.
3: Unsurprisingly, I have multiple devices.
Hi Leo Not sure I agree with all you’ve said in the article, if passkeys are device specific that shoudn’t work. Indeed it doesn’t for me in the following example… My password manager (Strongbox Pro, not sure about others) will only store 1 Passkey per account, so if I create a passkey for an Airline rewards account via a MAC browser login and store it in Strongbox and then create a Passkey for the Airlines IOS App login the Passkey generated is different and overwrites the one stored in Strongbox. The Airline account will not recognise the browser login Passkey if used on the App and similarly the App Passkey is not recognised on a browser login, but the username and password I have for the Airline account works on both browser and App, which to me (struggling to adopt passkeys) raises the question are passkeys device or login method dependent? I can get around the issue above by creating specific entries in Strongbox, 1 for the App and 1 for the browser but then its sort of defeating the issue of multiple passkeys.
I can’t speak to Strongbox, as I’ve never heard of it, but in 1Password, it’s the password vault that is the “device” in which the passkey is stored. If I create a passkey on my laptop, store it in 1Password, then that same single passkey works on my other machines as well.
Leo, How do I tell a website to create a passkey for 1password, and get it stored three? That’s the part I don’t understand. For example, can I set up a passkey for my Google account, and have it stored in 1password, and how to I get that done? Now that you have me curious, if I don’t get a response to this post, I’ll perform an Internet search 🙂
Ernie
You tell the website “yes” when it offers to create one, and when doing so the 1Password “save this?” dialog should come up. Assuming 1Password is installed and signed in.
The concept of synching passkeys is a joke. First, let’s admit that the passkey concept and implementation is an evolving scheme, in a desperate search for a “standard”. Every company (website) does it differently and they all have holes. The original premise of passkey’s “more security” was that the passkey was created on your device and was not susceptible to being stolen from a central database in the cloud. Also, each device would have a different passkey, so if one device was compromised the others would still be safe. When you talk about a synched passkey, you have now created a hack or by-pass into the original concept to address a basic flaw in the original scheme (inconvenience and lockout). The only way to synch a passkey (i.e. create the device’s private key) is to store the private key in a cloud database. This can be done by either by the website (company service) or a cloud password manager. In the cased of the password manager, it acts as a device, so the account passkey is created for and in the password manager and stored in the cloud. But wait! This is exactly how a password is handled: data stored in a cloud database, associated with your account. All the rest of the gobbledygook about encryption, biometrics, etc. is a side issue. After all, passwords are supposed to be encrypted, hashed or whatever also. Regardless, you still need to log into your device first and then into your account. And if you’re not doing biometrics, then with passkeys you still need a password or pin to access your “passkey protected” account. We’ve come full circle.