Are my passkeys compromised if my Password Manager is compromised?
Last updated: March 30, 2026
Some passkeys, like those used by Windows Hello, are device-bound because they rely on hardware-based security, such as a Trusted Platform Module (TPM) or Secure Enclave. These passkeys cannot be transferred or used on another device since the private key never leaves the original hardware. For all practical purposes, device-bound passkeys cannot be stolen remotely.
To support cross-device authentication, services like Keeper, iCloud Keychain, and Google Password Manager store private keys in encrypted cloud storage. This allows passkeys to sync across devices linked to the same account.
However, if the Password Manager itself were compromised, the security of your passkeys would depend on whether an external party is able to access your vault:
- If an attacker obtains or guesses your master password, they could decrypt your vault and access your passkeys. Using a strong, unique master password and multi-factor authentication (MFA) greatly reduces this risk.
- While biometrics (e.g., fingerprint or facial recognition) provide a convenient way to unlock your vault, they do not replace the master password. If an attacker breaches the Password Manager's servers, your vault remains encrypted unless your master password is also compromised.
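
The breached-server case above, as an added sketch that is not part of the original page and is not any vendor's code. It assumes the vault key is stretched from the master password with PBKDF2-HMAC-SHA256, and it uses an HMAC keystream with encrypt-then-MAC as a standard-library stand-in for a real AEAD cipher such as AES-GCM; all names and sample values are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this sketch, not any vendor's setting

def derive_keys(master_password, salt):
    """Stretch the master password, then split it into encryption and MAC keys."""
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)
    return (hmac.new(root, b"enc", hashlib.sha256).digest(),
            hmac.new(root, b"mac", hashlib.sha256).digest())

def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: stand-in for a real cipher, for illustration only."""
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal_vault(master_password, plaintext):
    """Encrypt on the client; the returned record is all the server ever stores."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ct, "tag": tag}

def open_vault(master_password, record):
    """Re-derive the keys and verify the tag before decrypting anything."""
    enc_key, mac_key = derive_keys(master_password, record["salt"])
    expected = hmac.new(mac_key, record["salt"] + record["nonce"] + record["ciphertext"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("wrong master password or modified vault")
    ks = _keystream(enc_key, record["nonce"], len(record["ciphertext"]))
    return bytes(a ^ b for a, b in zip(record["ciphertext"], ks))

# Constructed sample data: a fake synced passkey entry and a made-up master password.
PASSKEY_ENTRY = b'{"rp_id": "example.com", "private_key": "constructed-sample-key"}'
MASTER_PASSWORD = "correct horse battery staple 7419"

def server_breach_demo():
    """Return (owner can decrypt, party holding only the server copy can decrypt)."""
    stolen = seal_vault(MASTER_PASSWORD, PASSKEY_ENTRY)  # what a server breach exposes
    owner_ok = open_vault(MASTER_PASSWORD, stolen) == PASSKEY_ENTRY
    try:
        return owner_ok, open_vault("guess123", stolen) == PASSKEY_ENTRY
    except ValueError:
        return owner_ok, False
```

The stored record contains the salt, nonce, ciphertext and tag but never the master password or derived keys, so its confidentiality rests entirely on how hard the master password is to guess.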