
The Passkey You Can’t Steal: Why Hardware Beats Software for High-Stakes Authentication


Today is World Passkey Day: An Examination of Current Market Directions

Today marks World Passkey Day, celebrating the shift away from passwords. While many organizations recognize that passkeys are emerging as a secure replacement, the two main types—synced and hardware-bound—serve different use cases with distinct risk profiles.

In an episode of the Payments Journal Podcast, Adam Lowe, Chief Product and Innovation Officer at CompoSecure and Arculus, and Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research, discussed these approaches. They delved into how keys behave in software versus hardware storage and highlighted the importance of these distinctions in payment authentication.

What Is a Passkey?

A passkey is a cryptographic credential enabling user authentication with an application or service without relying on passwords. Consumers often encounter them through mobile devices or platforms like Microsoft, using biometrics for login.

Most of these cases involve software-based credentials synced through the cloud, offering convenience across multiple devices but introducing significant security risks if a user’s cloud account is breached.

Synced passkeys face additional challenges. Even though the underlying protocols are designed to resist replay attacks, improperly implemented infrastructure can still leave authentication data exposed.

“The more out there living in the cloud,” Goldberg noted, “the more accessible it is to cybercriminals.” She emphasized the need for physical environment security alongside digital solutions.

Hardware-bound passkeys generate, store, and manage credentials on a local device such as a smart card or USB security key. They are well suited to high-security environments such as U.S. government and intelligence settings.

“Software passkeys work well for the first layer,” Lowe stated. “But we need depth of defense. Adding hardware provides an additional layer, enhancing security.”

Organizations often adopt hardware passkeys without modernizing underlying systems, leading to limited benefits if they are layered on legacy infrastructure.

“When you sign, you get a digital signature from the key,” Lowe explained. “A certificate proves it’s a valid hardware signer. While this lives in the cloud, manipulation is possible. Hardware ensures the signing process is straightforward and secure.”

Non-Portability Is Key

In hardware-bound passkeys, credentials are generated and stored within a secure element on the device—a specialized chip similar to those used in passports or payment cards.

The defining characteristic is non-portability. Private keys never leave the device, so authentication requires physical possession of it, much like a house key.

“We’re not saying software passkeys go away,” Goldberg said. “It’s an additional layer of authentication, a step-up process that requires more friction for certain transactions or individuals.”

Read Privileges vs. Write Privileges

Distinctions between software and hardware passkeys can be framed through read versus write privileges.

Read privileges allow data to be viewed without the risk of changing it, so software-based passkeys offer an acceptable balance of security and convenience there. Write privileges allow actions that alter systems or move value; these higher-risk operations warrant hardware-backed authentication.
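The two ideas in this section and the previous one (a credential that never leaves its authenticator, and a policy that accepts synced passkeys for read operations but steps up to hardware-bound ones for write operations) can be expressed concretely on the relying-party side. The following is an added example written for this article, not code from the podcast, CompoSecure, Arculus or Javelin. It parses the fixed prefix of WebAuthn authenticator data, uses the backup-eligible (BE) flag to tell synced from device-bound credentials, checks the signature counter for regression (which would indicate a copied key), and then applies a read-versus-write policy. The operation names, the relying-party ID `bank.example` and the `make_auth_data` fixture builder are constructed for the example; the function assumes the assertion signature over `authenticatorData || clientDataHash` has already been verified, since the flags can only be trusted after that step.

```python
"""Relying-party step-up policy driven by WebAuthn authenticator-data flags.

Added example (not code from the podcast or any vendor mentioned above).
Assumes the assertion signature over authenticatorData || clientDataHash
has ALREADY been verified; only then can the flags below be trusted.
"""
import hashlib
import struct

# Bits of the WebAuthn authenticator data "flags" byte.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN or biometric)
FLAG_BE = 0x08  # backup eligible: the credential may be synced to other devices
FLAG_BS = 0x10  # backup state: the credential is currently backed up / synced

# Hypothetical operation catalogue, split by read vs write privilege.
READ_OPS = {"view_balance", "view_statement"}
WRITE_OPS = {"send_wire", "add_payee", "change_address"}


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the 37-byte fixed prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    return {
        "rp_id_hash": auth_data[:32],
        "flags": auth_data[32],
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def is_hardware_bound(flags: int) -> bool:
    """A credential that is not backup-eligible never leaves the authenticator it was created on."""
    return not (flags & FLAG_BE)


def authorize(operation: str, auth_data: bytes, rp_id: str, stored_sign_count: int) -> dict:
    """Decide whether an already signature-verified assertion may perform `operation`."""
    parsed = parse_authenticator_data(auth_data)

    # 1. The assertion must be bound to this relying party.
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return {"allowed": False, "reason": "rpIdHash does not match this relying party"}

    # 2. Every assertion must at least prove user presence.
    if not parsed["flags"] & FLAG_UP:
        return {"allowed": False, "reason": "user presence flag not set"}

    # 3. The signature counter must increase when either side tracks one; a
    #    regression suggests the private key was copied, which a key held in a
    #    secure element is designed to prevent.
    new_count = parsed["sign_count"]
    if (new_count != 0 or stored_sign_count != 0) and new_count <= stored_sign_count:
        return {"allowed": False, "reason": "signature counter did not increase; possible cloned authenticator"}

    hardware_bound = is_hardware_bound(parsed["flags"])

    if operation in READ_OPS:
        # Read privilege: convenience wins, synced passkeys are acceptable.
        return {"allowed": True, "hardware_bound": hardware_bound, "reason": "read operation"}

    if operation in WRITE_OPS:
        # Write privilege: step up to a hardware-bound credential with user verification.
        if hardware_bound and parsed["flags"] & FLAG_UV:
            return {"allowed": True, "hardware_bound": True,
                    "reason": "write operation with hardware-bound, user-verified passkey"}
        return {"allowed": False, "hardware_bound": hardware_bound,
                "reason": "step-up required: hardware-bound passkey with user verification"}

    return {"allowed": False, "reason": f"unknown operation {operation!r}"}


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed test fixture: builds the fixed prefix of authenticator data."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    RP = "bank.example"  # constructed relying-party ID
    synced = make_auth_data(RP, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)  # cloud-synced platform passkey
    hardware = make_auth_data(RP, FLAG_UP | FLAG_UV, 42)                  # device-bound security key
    print(authorize("view_balance", synced, RP, 0))
    print(authorize("send_wire", synced, RP, 0))
    print(authorize("send_wire", hardware, RP, 41))
    print(authorize("send_wire", hardware, RP, 42))  # counter did not advance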

“That’s where we see the software-to-hardware migration,” Lowe said. “A common example is sending a wire or any reasonable amount of money; tapping into step-up events adds security.”

The Tipping Point

The shift to hardware-bound passkeys could have happened sooner, but widespread adoption depends on overcoming the barriers to it. The tipping point is likely to be driven by rising cybersecurity risks and upticks in fraud.

Experts predict that payment flows will increasingly require hardware-based authentication due to their high value and sensitivity.

“Hardware-based authentication on a payment card proves possession of the physical card, answering many fraud questions,” Lowe said.

“We’ll reach the tipping point where consumers are concerned about identity compromise, and governments verify individual authenticity,” he concluded. “Moving away from software to hardware authentication will just become second nature.”
