How to sync passkeys between devices and not die trying

The passkeys or access keys They are completely changing the way we log in to websites and apps. There's no need to memorize complicated passwords or constantly send SMS codes: simply unlock your phone, use your fingerprint, face, or a PIN, and you're done. And the most interesting thing for everyday use is that these credentials can be sync between devices in a safe way.

If you wonder How to sync passkeys between devicesWhat role do Google, Apple, Microsoft, or password managers play? What happens if you lose your mobile phone? How do browsers like Chrome or services like Amazon, HubSpot, or Microsoft Authenticator behave? Here's a comprehensive guide that brings together all that information, explained in simple terms and with your actual usage in mind.

What exactly are passkeys and why are they replacing passwords?

The passkeys are cryptographic credentials of public and private key These replace traditional passwords. Instead of typing text that someone could steal or guess, your device generates a key pair: a public key that is stored on the service's server (Google, Amazon, your university, etc.) and a private key that remains protected on your mobile phone, computer, or digital keychain.

When you log in with passkeys, the service issues you a challenge, and your device signs that challenge with the private key stored securelyThat key never leaves the device; the server only sees the signature and the already registered public key. That's why they are so difficult to steal, reuse, or exploit in mass attacks.

Unlike classic passwords, passkeys are designed to be multi-device and multi-platformThey rely on the ecosystems of Apple, Google, Microsoft, and on FIDO2 compatible password managers (1Password, Dashlane, Bitwarden, etc.) to be able to synchronize end-to-end encrypted between your devices.

In addition, passkeys act as a all-in-one multi-factor authenticationThey combine something you have (the device or the manager) with something you are or know (biometrics or a PIN for unlocking). Therefore, in many cases, you no longer need to add SMS messages, TOTP codes, or extra second-factor authentication apps, reducing friction and vulnerabilities.

Security and user experience advantages of using passkeys

Passkeys are here to plug almost all the gaps in passwords. From a security standpoint, the difference is enormous: with passwords, a database breach can leave thousands of accounts exposed; with passkeys, there's only one key on the server. public keys with no value in themselves.

Another key aspect is the resistance to phishingBecause the passkey is cryptographically linked to a specific domain, it only works on the legitimate site for which it was created. There is no text field where you can enter your password on a fake website; the browser and operating system verify the domain before using the credential.

The problem of... also disappears. password reuse across multiple servicesEach passkey is unique to a site or application; there's no way to "copy" it and use it elsewhere. This effectively eliminates many chain attacks that exploit the fact that we use the same password everywhere.

In terms of user experience, what you notice in practice is that logins become faster and lighterInstead of remembering and typing a long text, you simply choose "Log in with passkey" and authenticate with your fingerprint, face, or PIN. You also don't have to change passwords periodically or juggle them to make them "secure."

Finally, passkey authentication usually works even without a local internet connection: The cryptographic process is done on your device.You only need an internet connection to communicate with the service server, create new passwords, or synchronize them across different devices via the cloud.

How Google syncs passkeys between Android, Chrome, and other systems

In the Google ecosystem, passkeys rely primarily on the Google password manager (Google Password Manager, GPM). In AndroidIn Chrome and increasingly in other systems, this manager is responsible for storing and synchronizing your access keys in end-to-end encrypted form with your Google Account.

Until relatively recently, things were more fragmented: in Chrome for macOS, passkeys were saved by default in the ICloud Keychain and, optionally, locally in the Chrome profile; on Android, in the Google Password Manager and only between Android devices; and in WindowsThey used to end up in Windows Hello or in storage .

With the latest changes, Chrome with a login profile on macOS, Windows, Linux or ChromeOS (in beta) can Create passkeys directly in Google Password ManagerSave them there and use them to authenticate. Any Chrome browser using that same Google profile on another machine will be able to sync those passkeys and use them as if they were created locally.

To protect access between devices, Google introduces a Specific PIN for Google Password ManagerThis PIN, or your unlocking method On Android, it acts as a recovery factor: when you start using passkeys on a new device, you will have to enter that PIN or use your mobile's biometric unlock to download and use the keys saved in your account.

In practice, this means that if you have passkeys configured on Android, you will be able to Use them on your computer with Chrome. (Windows, macOS, Linux, ChromeOS) as long as you sign in with the same Google Account and confirm with your PIN or mobile unlock. All of this is done without Google being able to read your passkeys, as they are end-to-end encrypted.

Synchronizing passkeys across Apple, Microsoft, and password managers

At Apple, passkeys are stored and synchronized using the ICloud Keychain. If you have a iPhone, iPad or with a Mac Under the same Apple ID, the passkeys you create on any of them will automatically appear on the others, as long as Keychain syncing is active.

This synchronization allows you, for example, to create a passkey from Safari on your Mac, and then later... Log in from the service's mobile app on your iPhone using Face ID or Touch ID. In addition, Apple uses hardware secure (like Secure Enclave) to keep private keys protected on each device.

For Microsoft, the ecosystem revolves around Windows Hello and Microsoft AuthenticatorWindows 10 and Windows 11 They integrate passkeys into Edge, Chrome, and other compatible browsers, using facial recognition, fingerprint, or PIN. These credentials can be synced through your Microsoft account or strictly linked to the device, depending on the browser.

A particular case is that of the “passkeys linked to the device“In Microsoft Authenticator, like the ones UCLM is using: these passkeys don't sync to the cloud and are kept only on the mobile device where they were created. This adds security (there's no cloud backup), but it requires you to always have them on hand.” alternative recovery methods (for example, Cl@ve or temporary codes) in case of losing the device.

In addition to the large ecosystems, many third-party password managers such as 1Password, Dashlane or Bitwarden They already support passkeys. In those cases, they act as a separate, syncable keychain: you create a passkey once in the manager and you can use it on any device where you have access to that manager, regardless of whether it's Android. iOSWindows, Linux or macOS.

How to configure passkeys by operating system and browser

For synchronization to work properly, the first step is to have the environment ready on each platform. On Apple devices (iOS, iPadOS, macOS) you need recent versions of the systemTypically, iOS 16 or iPadOS 16 or later, and iCloud Keychain is enabled. It's also a good idea to check that Safari and the rest of apps Use the system's password and passkey autofill feature.

On Android, the basic requirement is to have Android 9 or higher with updated Google Play ServicesHowever, many more advanced implementations (such as some from Authenticator) require Android 14. You must have a secure screen lock set up (PIN, pattern, password, or biometrics) and "Autofill with Google" enabled, which is where Google's Password Manager resides.

On Windows, you need Windows 10 (version 1903 or later) or Windows 11, along with a compatible browser (Chrome, Edge, Firefox in modern versions). Everything is based on that. Windows Hello as a local authenticatorOnce configured, the browser can register and use passkeys associated with your Microsoft account or, depending on the service, store them also in your preferred manager.

Once the system is ready, the process is usually repeated almost everywhere: you visit a compatible site (Google, Amazon, GitHub, HubSpot, Soyio, your university's services, etc.), go to the security or registration section, and choose “Create passkey” or “Add authentication method” Then you follow the instructions. The device will ask for Face ID, Touch ID, Windows Hello, PIN, or whatever is appropriate, and that's it, the passkey is registered.

From that moment on, every time you return to the site you will see an option like “Log in with passkey" or "Use password". You enter your email or username (if prompted), the browser queries your system or your password manager and you only need to approve with your biometric method or PIN.

Real-world examples: Google, Amazon, HubSpot, Soyio, and university environments

Google is heavily promoting passkeys in its own services. You can configure them in your account security settings. create passkeys associated with different devices (Android mobile, laptop, etc.) and see the list of devices where they are active, with information on their last use. All of this is synchronized through your Google Account and Password Manager.

Amazon has also incorporated passkeys for accessing user accounts. From the "Login and Security" section, you can access the passkeys section, click "Set Up," and from there, Create one or more passkeys on your trusted devicesThe subsequent login consists of choosing "Log in with a Passkey" and authenticating with biometrics or PIN, with the option to maintain two-step verification as an additional layer.

In the business sector, platforms like HubSpot have integrated passkeys to facilitate a passwordless login Both on desktop and in its mobile apps. From your account security settings, you can generate a personal access key which, depending on your device, will be saved in the system keychain or your compatible password manager.

Identity services like Soyio have gone a step further and integrate passkeys within workflows for identity verification, consent, and document signatureDuring the registration process, the user can register a passkey linked to a verified identity, and then use it to authenticate sensitive transactions, sign documents, or manage consents.

In university settings, such as at UCLM, Microsoft Authenticator is used to configure "passkeys" associated with the institutional account. These passkeys are stored locally on the mobile device and are not synchronized to the cloud, so Each device has its own keyIf you lose a phone, you can use the Cl@ve system or other methods to generate temporary codes and set up a new passcode on another device.

What happens if you lose a device with passkeys

Losing your phone or laptop is always scary, but the way passkeys are designed makes the situation less dramatic than it seems. In most modern ecosystems, passkeys are They synchronize in the platform's cloud. (iCloud Keychain, Google Account, Microsoft account or third-party password manager), so that the same keys remain available on your other devices.

For example, if you lose an iPhone but have an iPad or a Mac with the same Apple ID, your passkeys will still be there; the same applies if you had passkeys synced with your Google account and you still have another Android device or a computer with Chrome where you're still logged into that account. In these cases, losing a device doesn't mean losing access to your accounts.

However, it is essential that the cloud account or manager where the passkeys are synchronized is protected with a strong password and two-factor authentication (2FA)Otherwise, if an attacker manages to gain access to that master account, they could try to use your passkeys from other devices.

If you find yourself in the worst-case scenario and lose all your devices, each ecosystem offers its own recovery options: recovery keys, strong verification processes, specialized technical support, etc. It's wise to know in advance what recovery procedures each provider (Apple, Google, Microsoft, your password manager) offers and keep their contact and recovery methods up to date.

In environments where passkeys don't sync (such as device-bound passkeys in Microsoft Authenticator), you need to be more proactive: configure the key on multiple devices when possible and keep alternative access methods (temporary codes, systems such as Cl@ve, recovery email) updated and available.

Best practices for synchronizing and protecting your passkeys

For device synchronization to work well and not become a weak point, it's important to take care of a few basic aspects. The first is to make sure that Make sure all your devices and apps are up to dateMany security improvements and passkey compatibility features arrive via operating system, browser, or password manager updates.

It's also worth configuring passkeys in more than one trusted deviceFor example, on your everyday mobile phone and your laptop, or on your mobile phone and your tablet. This way, if one of them fails or breaks, you'll still have another direct way to log in and create new passkeys or revoke old ones.

Another good habit is to occasionally check the security section of your important accounts (Google, Apple, Amazon, Microsoft, HubSpot, etc.) to Remove passkeys associated with devices you no longer useThis reduces the attack surface and allows you to have clearer control over which credentials are still active.

If you rely on third-party password managers for your passkeys, check that you have the Secure synchronization between devices, including 2FA, strong master keys and, where possible, recovery options that do not weaken protection (avoid, for example, recovering a critical account with just a simple SMS).

Finally, don't forget to keep your traditional recovery methods up to date: alternate emails, recovery phone numbers, backup codes, and any other options offered by your provider. Even though passkeys are very secure, Account recovery remains a critical issue and deserves some periodic attention.

With all this gears in place—updated ecosystems, securely synced passkeys, multiple trusted devices, and robust recovery methods—you'll get the most out of passkeys: much faster and more convenient logins, a huge improvement in phishing security, and the peace of mind of knowing that even if a device is lost or broken, Your digital identity doesn't end up in the air.