What is FIDO2?
FIDO2 is an open authentication standard from the FIDO Alliance and W3C that enables passwordless authentication using public key cryptography. The standard includes WebAuthn (handles website-to-authenticator communication) and CTAP (manages device-to-authenticator connections).
Both hardware security keys and passkeys implement FIDO2. The confusion arises because FIDO2 supports multiple credential types with different storage and portability characteristics.
What are passkeys?
Passkeys are FIDO2 credentials that sync across devices through cloud ecosystems like iCloud Keychain, Google Password Manager, or password managers like 1Password. Your device generates a cryptographic key pair; the private key stays encrypted on your device or syncs securely, while the public key goes to the service.
Passkeys are discoverable credentials (also called resident credentials) used for passwordless login. You authenticate with biometrics like Face ID or Touch ID, or a device PIN.
How do hardware keys and passkeys differ?
Hardware security keys store credentials on a physical device you must carry and physically present to authenticate, while passkeys store credentials on your device or in the cloud and sync across your ecosystem for seamless access.
The key difference is portability: hardware keys require physical possession, while passkeys follow you across devices automatically.
Hardware security keys
Store credentials on a physical device (e.g., YubiKey)
Private key never leaves the hardware
Require physical possession to authenticate
Need to carry the key or register multiple keys per service
Maximize security through physical isolation
Synced passkeys
Store credentials on your device with cross-device sync
Private key encrypted during sync, never exposed in plaintext
Accessible on all devices in your ecosystem (e.g., iPhone, iPad, Mac)
Reduce lockout risk if you lose a device
Credentials exist in multiple locations
Software-bound passkeys
Live in password manager vaults (e.g., 1Password)
Work like synced passkeys but aren't platform-specific
Provide cross-platform flexibility
When should you use hardware security keys?
Hardware security keys excel when physical security and regulatory compliance are priorities.
Best for:
High-risk roles (IT admins, executives, privileged users)
Regulated industries requiring NIST AAL3 compliance
Finance, healthcare, and government organizations
Shared or unmanaged devices (kiosks, public computers)
Scenarios where credentials cannot be remotely compromised
When should you use passkeys?
Passkeys work best for everyday authentication where convenience matters most.
Best for:
Consumer applications across phones, tablets, and computers
Remote workers using managed devices in one ecosystem
Organizations deploying passwordless authentication at scale
Scenarios requiring less user training
Eliminating physical hardware distribution logistics
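The split between device-bound keys and synced passkeys is visible to the service in the flags byte of the WebAuthn authenticator data, so the role guidance above can be enforced at login. This sketch is an added example, not code from the original page or from any vendor; it reads the backup-eligible (BE) and backup-state (BS) flags and applies a hypothetical policy. The role names, function names and sample bytes are assumptions constructed for illustration.

```javascript
// Added example (not from the original page). Authenticator data layout:
// rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian).
const FLAG = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10 };

function parseAuthData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticator data must be at least 37 bytes");
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const parsed = {
    userPresent: (flags & FLAG.UP) !== 0,
    userVerified: (flags & FLAG.UV) !== 0,
    backupEligible: (flags & FLAG.BE) !== 0,
    backedUp: (flags & FLAG.BS) !== 0,
    signCount: view.getUint32(33, false),
  };
  // BS without BE is not a valid combination; reject rather than guess.
  if (parsed.backedUp && !parsed.backupEligible) {
    throw new Error("invalid flags: BS set while BE is clear");
  }
  return parsed;
}

// BE clear: single-device credential (e.g. a hardware key). BE set: can sync.
function classify(p) {
  if (!p.backupEligible) return "device-bound";
  return p.backedUp ? "synced" : "sync-capable";
}

// Hypothetical policy: these role names are assumptions for this example.
const HIGH_RISK_ROLES = new Set(["it-admin", "executive", "privileged"]);

function evaluateLogin(role, authDataBytes) {
  const p = parseAuthData(authDataBytes);
  const kind = classify(p);
  if (!p.userPresent) return { allow: false, kind, reason: "user presence missing" };
  if (HIGH_RISK_ROLES.has(role)) {
    if (kind !== "device-bound") return { allow: false, kind, reason: "device-bound credential required" };
    if (!p.userVerified) return { allow: false, kind, reason: "user verification required" };
  }
  return { allow: true, kind, reason: "ok" };
}

// Constructed sample input: zeroed rpIdHash plus the given flags and counter.
function sampleAuthData(flags, signCount) {
  const b = new Uint8Array(37);
  b[32] = flags;
  new DataView(b.buffer).setUint32(33, signCount, false);
  return b;
}
```

These flags are only trustworthy after the assertion signature and rpIdHash have been verified, and a clear BE flag shows the credential is single-device, not which authenticator model holds it; confirming a specific hardware key requires attestation at registration.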
1Kosmos 1Key: FIDO2 for shared workforce environments
While hardware security keys and synced passkeys address many authentication needs, frontline workers who share devices across shifts require a different FIDO2 approach.
What is 1Kosmos 1Key?
1Kosmos 1Key is a FIDO2 and CTAP2-certified biometric authenticator purpose-built for shared workstations. Stateless touch and fingerprint readers remain bolted on at terminals, nixing the need for workers to carry individual tokens.
How does 1Key work?
1Key captures and hashes biometric data directly on the hardware, and raw fingerprints never leave the device.
During authentication, the system performs FIDO2-compliant verification with integrated biometric matching, generating cryptographic proof using a private key.
Each credential is then bound to a verified human identity through government document verification during enrollment.
When should you use 1Key?
1Key is purpose-built for deskless workers on secure floors who authenticate through shared kiosks, tablets, and Zebra scanners rather than personal mobile devices.
Best for:
Environments where mobile phones are restricted
Workers who rotate across multiple shared stations
Organizations needing hardware-based security without per-employee token costs
Healthcare facilities with shared terminal access
Ready to implement enterprise-grade passwordless authentication?
See how 1Kosmos Workforce delivers verified identity and FIDO2 security for organizations with complex authentication requirements.
—
FAQs
What is the difference between FIDO2 keys such as Yubico and passkeys?
FIDO2 keys like YubiKey are physical hardware devices that store credentials on the device itself, requiring you to carry and insert or tap the key to authenticate. Passkeys are software-based FIDO2 credentials stored on your phone, computer, or password manager that sync across devices through cloud services. Both use the same FIDO2 standard and provide phishing-resistant authentication, but hardware keys offer device-bound security while passkeys prioritize convenience and cross-device accessibility.
Can I use a passkey stored in 1Password as a security key?
Yes. Password managers that support FIDO2 can store passkeys that work anywhere a hardware security key is accepted. The underlying technology is the same, but the credential is stored in your password vault rather than on a physical device.
Why do some services call them "security keys" and others "passkeys"?
The terminology reflects how the credential is being used. "Security key" typically refers to a second factor for two-factor authentication, while "passkey" usually means a passwordless login that replaces your password entirely. Both can use the same FIDO2 technology.
Are hardware security keys more secure than synced passkeys?
Hardware keys provide stronger guarantees against remote attacks because credentials never leave the physical device. Synced passkeys are still highly secure and phishing-resistant, but they exist in multiple locations, which slightly expands the attack surface. The practical security difference depends on your threat model and operational requirements.
Can I use both hardware keys and passkeys together?
Absolutely. Many organizations use hardware keys for high-risk roles and administrative access while deploying passkeys for general workforce authentication. Registering both types as backup methods also protects against device loss and ensures you can always access your accounts.