Non Syncable Passkey


Sabarinathan Eaganathan

Jun 26, 2024, 11:43:51 AM
to FIDO Dev (fido-dev)
Hi team. How can I have a passkey without sync? Nowadays passkeys are getting synced with a Google account or Apple ID, which is not suitable for organization cases where they might need to authenticate to some severe portal with passkeys and can't rely on passkey sync over Google or Apple. In that case, a passkey created on a mobile device that just relied on the same device alone, without sync, would be perfect for their case.

Is there any option available to stop passkeys getting synced across devices through Google or Apple?

Regards,
Sabarinathan.e
FIDO Authentication user.

Tim Cappalli

Jun 26, 2024, 11:49:13 AM
to Sabarinathan Eaganathan, FIDO Dev (fido-dev)
For workforce use cases, your workforce IdP can likely provide you with solutions in this space.

For consumer scenarios, synced passkeys are what's offered on most devices, as it's what's best for users at scale.

If synced passkeys don't meet your requirements (for some reason), you can always take some other action after the user signs in with one, but you should never reject it.

Tim



Chad Spensky

Jun 26, 2024, 3:55:55 PM
to Tim Cappalli, Sabarinathan Eaganathan, FIDO Dev (fido-dev)
Hi Sabarinathan,

You can use a different passkey provider that does not sync keys for enterprise environments. For example, our app at Allthenticate uses device-bound keys and is specifically designed for workforce. Happy to chat more if you're interested.

Best,
Chad

Sabarinathan Eaganathan

Jun 27, 2024, 3:05:52 AM
to FIDO Dev (fido-dev), Chad Spensky, Sabarinathan Eaganathan, FIDO Dev (fido-dev), Tim Cappalli

If passkeys become a universal form of multi-factor authentication, organizations should indeed have the option to choose between sync-enabled passkeys and non-sync-enabled passkeys. This flexibility would allow organizations to align their security policies with their specific needs and risk profiles.

Additionally, in the general case, browsers should prompt users for consent before syncing passkeys across devices via cloud services like Google or Apple. This ensures that users are fully aware of where their credentials are stored and can make informed decisions about their security and privacy.

Regards,
Sabarinathan.
FIDO Server developer.

Tim Cappalli

Jun 27, 2024, 6:20:59 AM
to Sabarinathan Eaganathan, FIDO Dev (fido-dev), Chad Spensky
As I mentioned, workforce scenarios already have many options to address this.

And you can always decide to perform additional actions based on your sign-in session context and your risk profile after the user signs in with a synced passkey.

Tim
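The relying-party-side check behind Tim's advice, as an added example that is not part of any post in this thread: a WebAuthn server can read the backup-eligible (BE) and backup-state (BS) bits of the authenticator data flags byte to tell a synced passkey from a device-bound one, and then step up for sensitive actions instead of rejecting the sign-in. The `decide_policy` function, its return labels and the sample authenticator data are assumptions of this example; the flag bit positions and layout are those of the WebAuthn authenticator data structure.

```python
import hashlib
from dataclasses import dataclass

# Bits of the WebAuthn authenticator data "flags" byte.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced to other devices
FLAG_BS = 0x10  # backup state: credential is currently backed up / synced


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int

    @property
    def backup_eligible(self) -> bool:
        return bool(self.flags & FLAG_BE)

    @property
    def backed_up(self) -> bool:
        return bool(self.flags & FLAG_BS)


def parse_auth_data(data: bytes) -> AuthData:
    # Layout: rpIdHash (32) | flags (1) | signCount (4, big-endian) | optional data
    if len(data) < 37:
        raise ValueError("authenticator data too short")
    return AuthData(data[:32], data[32], int.from_bytes(data[33:37], "big"))


def decide_policy(auth_data: bytes, rp_id: str, sensitive_action: bool) -> str:
    """Hypothetical RP policy: 'reject' only on malformed/foreign data,
    'step_up' for synced passkeys on sensitive actions, otherwise 'allow'."""
    ad = parse_auth_data(auth_data)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return "reject"  # not a credential for this RP ID
    if not ad.flags & FLAG_UP:
        return "reject"  # user presence is mandatory
    if ad.backed_up and not ad.backup_eligible:
        return "reject"  # BS=1 with BE=0 is an invalid flag combination
    if not ad.backup_eligible:
        return "allow"   # device-bound passkey
    return "step_up" if sensitive_action else "allow"  # synced: never reject outright


def sample_auth_data(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    # Constructed sample input (no real authenticator involved).
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")
```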