Device-Bound vs. Synced Credentials: A Comparative Evaluation of Passkey Authentication

📅 2025-01-13
📈 Citations: 0 (influential: 0)
🤖 AI Summary
This paper systematically evaluates the security and usability trade-offs of FIDO2 passkeys across device-bound and synchronized implementations. Method: Building on Bonneau et al.'s password replacement framework, the authors introduce a structured comparative model stratified by access level and use it to define the security boundaries of synchronized passkeys. Through threat modeling, security property analysis, and real-world deployment scenarios, they identify the inherent risk of synchronization: security responsibility is centralized at the passkey provider, which improves cross-device usability but weakens endpoint-level resilience against compromise. Contribution/Results: The paper proposes actionable, stakeholder-specific security configuration guidelines for users, providers, and relying parties. These recommendations offer both theoretical grounding and engineering guidance for passkey standardization and deployment, bridging the gap between cryptographic assurance and real-world usability.

📝 Abstract
With passkeys, the FIDO Alliance introduces the ability to sync FIDO2 credentials across a user's devices through passkey providers. This aims to mitigate user concerns about losing their devices and promotes the shift toward password-less authentication. As a consequence, many major online services have adopted passkeys. However, credential syncing has also created a debate among experts about their security guarantees. In this paper, we categorize the different access levels of passkeys to show how syncing credentials impacts their security and availability. Moreover, we use the established framework from Bonneau et al.'s Quest to Replace Passwords and apply it to different types of device-bound and synced passkeys. By this, we reveal relevant differences, particularly in their usability and security, and show that the security of synced passkeys is mainly concentrated in the passkey provider. We further provide practical recommendations for end users, passkey providers, and relying parties.
Problem
Research questions and friction points this paper addresses:
FIDO2 key synchronization
security evaluation
user experience

Innovation
Methods, ideas, or system contributions that make the work stand out:
Passkey Authentication
Security-Usability Trade-off
Key Provisioning
Authors
Andre Büttner
University of Oslo, Gaustadallen 23B, 0373 Oslo, Norway
Nils Gruschka
Professor, University of Oslo, Norway
Network Security, Web Security, Cloud Computing Security