Some concerns are frequently raised about passkeys. In practice, many are either manageable or apply equally to traditional approaches. Here are our answers to some of the most common questions:
“What about synchronisation?”
Passkeys can synchronise across devices using platform services. This is sometimes presented as a novel risk, but most people already rely on similar cloud‑based synchronisation for password managers, email and some authenticator apps. The key control is the strength of the authentication protecting the sync account – a requirement that already exists in many MFA deployments.
“Are passkeys really multi‑factor?”
Yes. Where user verification is performed (typically with the same PIN or biometric the user already uses to unlock their device), FIDO2 credentials combine something the user has (the cryptographic key) with something they are or know. Multiple factors do not need to be on multiple, separate devices, and many traditional MFA implementations already deliver all factors through a single phone.
“Isn’t traditional MFA good enough if done properly?”
Traditional MFA can be effective, but it remains fundamentally vulnerable to phishing because secrets or approvals can be observed and relayed during a live session. Passkeys remove this class of attack entirely by cryptographically binding authentication to the legitimate service.
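As an added example that is not part of the original article: a simplified WebAuthn assertion check written for this page in Go, standard library only, that shows both of the last two answers in code. The relying party (RP) side verifies that the origin the browser reported and the rpIdHash the authenticator signed match the legitimate service, which is why an assertion produced for a look-alike site does not verify, and it reads the user-present (UP) and user-verified (UV) flags, which is where the "something they are or know" factor is recorded. The RP ID example.com, the look-alike examp1e.com, the challenge string and the scenario names are constructed for this example; the byte layout follows the WebAuthn specification but leaves out extensions and the signature-counter comparison.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// UP and UV bits of the authenticator-data flags byte (WebAuthn spec, section 6.1).
const flagUserPresent, flagUserVerified byte = 0x01, 0x04

// clientData is the part of CollectedClientData that the relying party checks.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the browser hands back after navigator.credentials.get().
type assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// signAssertion plays browser plus authenticator: the browser records the origin it really loaded
// the page from; the authenticator binds the RP ID and the UP/UV flags into authData.
func signAssertion(priv *ecdsa.PrivateKey, rpID, origin, challenge string, flags byte) (assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return assertion{}, err
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData := append(append(rpIDHash[:], flags), 0, 0, 0, 1) // rpIdHash || flags || signCount=1
	cdHash := sha256.Sum256(cd)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return assertion{authData, cd, sig}, err
}

// verifyAssertion plays the relying party; requireUV is the RP's policy for this login.
func verifyAssertion(pub *ecdsa.PublicKey, a assertion, rpID, origin, challenge string, requireUV bool) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return fmt.Errorf("bad clientDataJSON: %w", err)
	}
	switch {
	case cd.Type != "webauthn.get":
		return errors.New("wrong ceremony type")
	case cd.Challenge != challenge:
		return errors.New("challenge does not belong to this login session")
	case cd.Origin != origin:
		return fmt.Errorf("origin mismatch: browser reported %q", cd.Origin)
	case len(a.AuthData) < 37:
		return errors.New("authenticator data too short")
	}
	var got [32]byte
	copy(got[:], a.AuthData)
	if got != sha256.Sum256([]byte(rpID)) {
		return errors.New("rpIdHash mismatch: credential was exercised for another RP ID")
	}
	if f := a.AuthData[32]; f&flagUserPresent == 0 || (requireUV && f&flagUserVerified == 0) {
		return errors.New("required user presence/verification flags are clear")
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, a.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], a.Signature) {
		return errors.New("signature does not verify under the registered public key")
	}
	return nil
}

// runScenarios checks one legitimate assertion and three the RP must reject; all values are constructed.
func runScenarios() (map[string]bool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	const rpID, origin, challenge = "example.com", "https://example.com", "session-challenge-1"
	const uv = flagUserPresent | flagUserVerified
	results := map[string]bool{}
	check := func(name, rpIDUsed, originSeen string, flags byte) {
		a, signErr := signAssertion(priv, rpIDUsed, originSeen, challenge, flags)
		if signErr != nil {
			err = signErr
		}
		results[name] = signErr == nil && verifyAssertion(&priv.PublicKey, a, rpID, origin, challenge, true) == nil
	}
	check("legitimate", rpID, origin, uv)                  // real sign-in, PIN/biometric performed
	check("wrong_rp_id", "examp1e.com", origin, uv)        // authData bound to a look-alike RP ID
	check("wrong_origin", rpID, "https://examp1e.com", uv) // browser reports a look-alike page origin
	check("no_uv", rpID, origin, flagUserPresent)          // touch only; RP policy requires UV
	return results, err
}

func main() {
	fmt.Println(runScenarios()) // map[legitimate:true no_uv:false wrong_origin:false wrong_rp_id:false] <nil>
}
```

Run it with `go run .`; only the legitimate scenario is accepted. In a real deployment the browser is the first line of defence, since it refuses to exercise a credential whose RP ID does not match the page's origin, and the RP-side checks above are the second layer that catches anything that still arrives with the wrong origin, RP ID or user-verification state. Production code should use a maintained WebAuthn library rather than hand-rolled parsing, but the checks it performs are the ones shown here.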
