PrimePay Networks

The Passkey You Can’t Steal: Why Hardware Beats Software for High-Stakes Authentication 


Today is World Passkey Day. While the industry celebrates the shift away from passwords, the more important question is what kind of passkey replaces them. Many organizations recognize that passwords are on the way out and that passkeys are the replacement. What is less widely understood is that the two main types of passkeys, synced and hardware-bound, serve different use cases and carry distinct risk profiles. Both improve security and usability over passwords, but only one keeps the private key somewhere an attacker who compromises a cloud account cannot reach it.

On a PaymentsJournal podcast, Adam Lowe, Chief Product and Innovation Officer at CompoSecure and Arculus, and Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research, broke down how the two approaches differ in practice: how a key behaves when it is stored in software versus in hardware, and why that distinction matters most in payment authentication.

What Is a Passkey? 

A passkey is a FIDO/WebAuthn credential: a public/private key pair generated on the user's device (the authenticator). The service stores only the public key. To log in, the device signs a fresh challenge from the service with the private key, so no password or other shared secret is ever transmitted or stored server-side. Many consumers encounter passkeys through mobile devices or platforms like Microsoft, unlocking the key with a biometric such as a fingerprint or facial recognition; the biometric stays on the device and is not what the service verifies.

In most of these cases the credential is software-based and synced through the platform's cloud credential manager, so a single passkey works seamlessly across all of a user's devices. That convenience introduces risk: the private key material is, by design, recoverable from the cloud account. If that account is compromised, the attacker may be able to restore the synced passkeys onto a device they control, which is a significant security concern.

Synced passkeys do not weaken the protocol's resistance to replay: every assertion is a signature over a random, single-use challenge from the service, so a captured login response is useless on its own. The residual exposure is in the surrounding implementation. A relying party that accepts a challenge it did not issue, or accepts the same challenge twice, can be tricked into granting access with intercepted authentication data, and the session tokens and cookies it hands out after a successful login remain as stealable as ever.

“The more we have out there that’s living in the cloud, it’s just more readily accessible to cybercriminals,” said Goldberg. “The more that we can do in a physical environment—in addition to what we’re doing in a digital space—just enhances the security.”

As Goldberg noted, hardware-bound passkeys are generated, stored, and used on a single physical device, such as a smart card or USB security key, and are never synced. They are widely used in high-security environments, including U.S. government and intelligence settings, and are generally considered best-in-class for strong authentication.

“Software passkeys are great for that first layer, but we really need that depth of defense,” said Lowe. “Adding hardware local passkeys provides that next layer of defense for users.”

A common misstep is adopting hardware passkeys without modernizing the systems behind them, often to avoid disrupting user workflows. Hardware passkeys add a strong layer of protection, but the benefit is limited when they are bolted onto legacy infrastructure (for example, as a front door to a system that still accepts a password or a long-lived session through another path) rather than integrated into a modern authentication architecture.

“When you sign, you’re getting a digital signature from the key, but you’re also attesting,” said Lowe. “There’s a certificate on hardware that proves it’s a valid hardware signer. While that food chain lives in the cloud, it can be manipulated. So another value to the hardware is not only am I signing, I am signing from a valid piece of hardware in a very straightforward way.”

Non-Portability Is the Key 

With hardware-bound passkeys, the credential is generated and stored in a secure element on the device: a tamper-resistant chip designed to generate cryptographic keys and sign with them without ever exposing the private key, the same class of chip used in passports and EMV payment cards.

The defining characteristic is non-portability. The private key never leaves the chip; the device will sign with it but will not export it. This is like a physical house key in your pocket: access requires possession. Because the key cannot be exported, duplicated, or reached remotely, an attacker who compromises the user's cloud account or a device backup obtains nothing usable, and stealing the key means stealing the device itself, which dramatically reduces the attack surface.

“We’re not saying that software passkeys go away,” said Goldberg. “It’s just an additional layer, a step-up authentication. It’s going to take a little bit more friction to authenticate and verify certain types of transactions or even certain types of individuals.”

Read Privileges vs. Write Privileges 

So when are software passkeys good enough, and when is hardware-backed authentication necessary? One useful way to frame the distinction is read versus write privileges.

Read privileges, access to view data, generally carry lower risk because nothing changes as a result of the login; there, synced passkeys offer an acceptable balance of security and convenience. Write privileges let the user alter a system or move value, such as initiating a payment. Those are the operations where a compromised synced credential does real damage, and where a step-up to hardware-backed authentication matters most.

“That’s where we typically see that software to hardware migration, for stepping up an event,” Lowe said. “A very typical example would be sending a wire, sending any reasonable amount of money. Any time you get a risk flag, you can have the user tap into a step-up event.”

The Tipping Point 

The shift to hardware-bound passkeys could have happened years ago, but widespread adoption likely depends on a tipping point that convinces organizations the added security justifies the change.

“That tipping point is going to be a combination of increased cybersecurity risk, such as network infiltration that leads to data breaches,” said Goldberg. “It’s going to be upticks in fraud and increased risk to identity.”

Many experts expect that payment flows in particular will increasingly require hardware-based authentication, given the value and sensitivity at stake.

“If you do hardware-based authentication on a payment card, it shows possession of the physical card, which also answers so many fraud questions,” Lowe said.

“We’ll get to the tipping point where consumers are concerned about their identities being compromised, and governments have more concern about verifying the authenticity of individuals, agents, and companies,” he said. “The whole notion of getting away from software-based authentication to having this additional layer of hardware will just become second nature.”

The post The Passkey You Can’t Steal: Why Hardware Beats Software for High-Stakes Authentication appeared first on PaymentsJournal.
