Single device vs multi device credentials

Learn about different types of passkeys

There are two different types of passkeys: single device, and multi device. While both passkey types offer phishing resistant forms of authentication, there are some inherent differences that should be understood.

Single device passkeys

Single device credentials (SDC) are passkeys that are bound to a single device, meaning that a credential can only be validated using the device that it was created on. SDC’s have been the standard way that WebAuthn credentials were utilized.

SDC’s will continue to be a part of the WebAuthn conversation as they offer a high assurance that the credential on a device won’t be copied and exported to exploit a user’s account.

SDC’s often come in the form of a hardware authenticator like a security key. Because the authenticator is not embedded in another device, like a phone, it can be freely inserted and removed from different devices, making it ideal for environments with shared workstations, and account recovery flows.

Multi device passkeys

Multi device passkeys (MDC) are credentials that can be moved and synced between devices. This means that if a user has multiple devices, they can use the built in authenticator to validate a credential regardless if they are using the device that was used to create the credential.

This offers a higher degree of usability as users will be able to utilize any of their devices to authenticate into services without having to individually enroll each one. MDC’s may also be shared between different users; for example you can AirDrop your passkey to another person in the case of shared accounts.

MDC’s are commonly embedded into other devices like a mobile phone, or laptop. Platforms that will support MDC are Windows Hello, Apple Face/Touch ID, and Android Biometrics. Please refer to this Device Support Matrix to see if your operating system and devices currently support MDC’s.