Summary
GitHub has officially launched its passkeys security feature into general availability, following a two-month beta testing period. Passkeys enable cloud-synced authentication using cryptographic key pairs, allowing users to sign in to websites and apps with their screen-lock PIN, biometrics, or a physical security key. This technology combines the security benefits of passwords and two-factor authentication (2FA) into a single step, simplifying secure access to online services. GitHub’s move aligns with industry efforts, including collaborations between major tech companies like Google, Apple, Microsoft, and the FIDO Alliance, to make passwordless logins a reality across devices, browsers, and operating systems. Passkeys are seen as a significant step in enhancing security in the software supply chain, a vital aspect of the cybersecurity landscape.
There are two types of passkey. Syncable and device-bound. (see https://fidoalliance.org/passkeys/). Theoretically, the device-bound passkeys never leave the device and users don’t have any access to it except to use it for authentication. The syncable type will first and foremost be synced by the platforms themselves (Google, Microsoft, and Apple), but eventually the 3rd-party password managers will be allowed to be sync providers, but possibly only on newly-released OSes.
As far as I know, the passkey implementations currently on Android and Windows are device-bound; they are not synced to the cloud.
Windows currently doesn’t sync, but GMS Android does.