
Below are definitions for common terms related to passkeys, security keys, and other forms of multi-factor authentication.


Credential

A general word for the information or device you use to prove it’s you when signing in. In this document, it usually means a passkey (a way to sign in without a password). Some security keys can store different kinds of credentials, which matters for things like factory reset.


Enrollment

The setup step where you connect a person, an authenticator (like a security key or a built-in phone/computer feature), and the sign-in service so the person can use that authenticator to sign in.


Factory Reset

Resetting a security key back to how it was when you first got it. This removes everything stored on it (including passkeys), so you’ll need to create and set up new credentials again.


FIDO

FIDO Alliance, an industry group that creates and promotes secure sign-in standards (including passkeys).


Hardware Token

A small physical device that shows a temporary login code. You enter this code when signing in. These devices are different from security keys and are less secure, because the code can be sent to a fake website. Example: DUO D100 hardware token.


Multi-factor authentication (MFA)

An extra layer of sign-in protection that requires two or more checks to prove it’s you—for example, something you know (a password or PIN), something you have (a phone or security key), or something you are (a fingerprint or face scan).


Passkey

A passkey is a modern sign-in method based on FIDO standards that lets you sign in without typing a password. Passkeys can differ in a couple of important ways:

Built-in authenticator vs. separate (portable) authenticator (WebAuthn terminology)

  • Portable (roaming) authenticator: Something you can use with more than one device because it isn’t tied to a single computer or phone. Example: YubiKey.
  • Built-in (platform) authenticator: A sign-in feature that’s built into a device you already use. Examples: Windows Hello, Touch ID.

Synced vs. tied to one device (device-bound)

  • Synced passkey: A passkey that can be shared across your devices (for example through your phone’s or browser’s account), or used with a nearby device (like using your phone to sign in on your laptop). This can be convenient, but it also changes the security risks to consider.
  • Device-bound passkey: A passkey that stays on one specific device and can’t be moved or synced to others.


Phishing

A scam where someone tries to trick you into giving up sensitive information (like sign-in details) using fake emails, texts, or websites.


Phishing-resistant MFA

Multi-factor authentication (MFA) that’s designed to keep working even if someone tries to trick you with a fake website or message. It helps protect against common phishing tactics like look-alike websites and “attacker-in-the-middle” attacks.

In practice, organizations often treat FIDO/WebAuthn-based sign-in (like passkeys or security keys) and certificate-based sign-in (PKI) as the main examples of phishing-resistant MFA.


PIN (Personal Identification Number)

A code (numbers and sometimes letters) you set on some passkeys—especially on security keys. You may need to enter it to use the passkey. If the wrong PIN is entered too many times, the key may lock or erase what it’s protecting. That can force a factory reset, which removes stored credentials and means you must set things up again.

  • PIN setting: If your device doesn’t already have a PIN, you can usually create one when needed. If a PIN is already set, you typically need to know the current PIN to change it.
  • PIN prompting: When you’re asked to enter your PIN to confirm it’s you and unlock the credential.


Security key

A small physical device (like a USB key) used to sign in. It acts as an authenticator and often stores device-bound passkeys.


Social engineering

Tricking someone into sharing sensitive information or giving access they shouldn’t—often by pretending to be a trusted person or organization.


User presence

A check that you’re physically there with the device being used to sign in—for example, by touching a security key or pressing a button.


User verification

An extra check to confirm it’s really you before a credential can be used—such as entering a PIN (something you know) or using a fingerprint/face scan (something you are).
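To make the phishing-resistant MFA, user presence and user verification entries concrete, here is an added example (not part of this glossary and not any vendor's code) of the checks a sign-in service performs on a WebAuthn sign-in response; the relying-party ID, origin and challenge values are assumed, and the signature check that follows these steps is omitted.

```python
import base64
import hashlib
import json

# Constructed values for this example (not from any real deployment).
RP_ID = "example.com"                    # relying-party ID the key was enrolled for
EXPECTED_ORIGIN = "https://example.com"  # the genuine sign-in site

FLAG_UP = 0x01  # user presence: a touch or button press happened
FLAG_UV = 0x04  # user verification: PIN or biometric was checked by the authenticator


def make_authenticator_data(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    """Minimal authenticatorData: sha256(rpId) (32 bytes) | flags (1) | signCount (4)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """clientDataJSON as the browser builds it; the browser fills in the origin, the web page cannot."""
    b64 = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": b64, "origin": origin}).encode()


def check_assertion(client_data: bytes, auth_data: bytes, expected_challenge: bytes,
                    require_uv: bool) -> tuple:
    """Return (ok, reason). The signature verification that follows these steps is omitted."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "not a sign-in (assertion) ceremony"
    b64 = cd.get("challenge", "")
    if base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4)) != expected_challenge:
        return False, "challenge mismatch: stale or replayed response"
    # Origin binding is what makes a passkey phishing-resistant: a look-alike
    # site gets a different origin, so a response captured there is rejected.
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin %r is not %r" % (cd.get("origin"), EXPECTED_ORIGIN)
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    flags = auth_data[32]
    if not flags & FLAG_UP:
        return False, "user presence not demonstrated"
    if require_uv and not flags & FLAG_UV:
        return False, "user verification (PIN or biometric) required but not performed"
    return True, "ok"
```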


YubiKey

A popular brand of security key. Depending on the model, it can store different kinds of credentials. In the passkey context, it’s typically a portable (roaming) device that holds device-bound passkeys.