Passkeys have developed as a safer login method compared with passwords for many reasons. (Understanding Passkeys will give you a brief overview.) Passkeys also come in different flavors.

Synced Passkeys

A "synced" passkey can be backed up and stored in cloud services like iCloud, Google, password managers, etc. Many online services have adopted this style of passkey for various reasons. While still secure, research from 2025 exposed vulnerabilities in synced passkeys with regard to interpersonal relationships.

Device-Bound Passkeys

A "device-bound" passkey stores the private key in the hardware itself (a device's built-in Hardware Security Module for example), and it cannot be backed up to a cloud service. It stays protected from cloud-based social engineering problems found in synced passkeys.

Secure Connect passkeys are device-bound, so the private key can't be copied, cloned, or otherwise stolen from your device.

Nothing Protects a Shared Device

Any passkey is vulnerable when a device is shared between more than one person, and when biometrics are registered to more than one person on that device (for example, if your child can use their fingerprint to open your phone to play a game). This basically mimics sharing your password to an account. 

Please refer to University Policy 5.10, Information Security, and University Policy 5.8
Authentication to Information Technology Resource, regarding your responsibilities for data security.

Passkeys Remain the Gold Standard of Security

It's important to remember that passkeys significantly reduce or eliminate remote attacks such as phishing, credential stuffing, and push fatigue attacks, which are the majority of account compromise and abuse methods.