As more organizations move toward passwordless authentication, many face a critical question: how can we prevent passkeys from being shared across personal or unmanaged devices? This concern is especially relevant for enterprises securing workforce access, where passkey portability could introduce compliance risks or unauthorized access.
Secfense addresses this challenge directly with Mobile-Bound Passkeys. This approach ensures that each credential is cryptographically bound to a single device and cannot be exported or reused elsewhere.
What Is a Mobile-Bound Passkey?
A mobile-bound passkey is a FIDO credential that is created and stored within a Trusted Execution Environment (TEE) on the user’s mobile device. Unlike syncable passkeys, which can be backed up or transferred across platforms, Secfense’s Mobile-Bound Passkeys are locked to a specific hardware component. This prevents unauthorized duplication or use on secondary devices.
What Security Guarantees Does Secfense Provide?
Secfense Mobile-Bound Passkeys provide four key assurances:
- Private key is generated within a secure environment.
On Android, this uses the hardware-backed keystore; on iOS, it uses the Secure Enclave. The Trusted Execution Environment ensures that private key material is isolated from the main operating system.
- Private key never leaves the device.
The key is non-exportable by design. It cannot be backed up, copied, or migrated, even by the end user.
- Device authenticity is verified.
During registration, the device undergoes verification using WebAuthn attestation, which confirms that the key originates from genuine, trusted hardware.
- Credential integrity is tied to the Secfense Authenticator app.
Beyond standard WebAuthn attestation, Secfense adds a layer of application-level integrity verification. This is achieved using platform-specific APIs:
– Play Integrity API on Android
– App Attest on iOS
These APIs confirm that the credential originates from a legitimate, untampered version of the Secfense Authenticator app installed on a genuine device. A signed component of the WebAuthn registration flow is transmitted out-of-band and validated server-side before the credential is trusted.
These security controls are enforced during the credential creation ceremony and validated server-side, ensuring a consistent and verifiable trust model.
How Does WebAuthn Attestation Support This?
Secfense explicitly requests attestation during the WebAuthn credential registration process. Depending on the device:
- On Android, we request the android-key format.
- On iOS, we request the apple attestation format.
The attestation object is embedded in the WebAuthn response and includes device and key metadata. This data is validated by Secfense backend systems to ensure the key was generated on a verified device using supported secure hardware.
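As an added illustration (not Secfense's code), the checks below show what a relying-party backend can apply to a decoded registration response: the attestation format is restricted to the two formats named above, and the WebAuthn backup-eligibility flags are used to reject a credential that could be synced. It assumes the CBOR attestation object has already been decoded (for example with the cbor2 library) into a dict with "fmt" and "authData" keys; certificate-chain verification of the attestation statement is left to a full WebAuthn library.

```python
# Added example (not Secfense's code): relying-party checks on a WebAuthn registration
# response before accepting a credential as device-bound. Assumes the attestation object
# was already CBOR-decoded (e.g. with cbor2) into {"fmt": ..., "authData": ...}.
import hashlib
import struct

ALLOWED_FORMATS = {"android-key", "apple"}  # the formats the page says are requested

# Authenticator data flag bits (WebAuthn Level 3, section 6.1).
FLAG_UV = 1 << 2  # user verified
FLAG_BE = 1 << 3  # backup eligible: the credential may be synced
FLAG_BS = 1 << 4  # backup state: the credential is currently backed up
FLAG_AT = 1 << 6  # attested credential data is present

def parse_auth_data(auth_data: bytes) -> dict:
    """Parse the fixed-layout prefix (rpIdHash, flags, signCount) and the
    attested credential data header (AAGUID, credential ID)."""
    if len(auth_data) < 55:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    if not flags & FLAG_AT:
        raise ValueError("no attested credential data in registration response")
    cred_len = struct.unpack(">H", auth_data[53:55])[0]
    credential_id = auth_data[55:55 + cred_len]
    if len(credential_id) != cred_len:
        raise ValueError("truncated credential ID")
    return {"rp_id_hash": auth_data[:32], "flags": flags,
            "aaguid": auth_data[37:53], "credential_id": credential_id}

def device_bound_policy_errors(att_obj: dict) -> list:
    """Return policy violations; an empty list means the credential is acceptable."""
    errors = []
    if att_obj.get("fmt") not in ALLOWED_FORMATS:
        errors.append("unsupported attestation format: %r" % att_obj.get("fmt"))
    ad = parse_auth_data(att_obj["authData"])
    if ad["flags"] & FLAG_BE:
        errors.append("credential is backup-eligible (syncable passkey)")
    if ad["flags"] & FLAG_BS:
        errors.append("credential is currently backed up")
    if not ad["flags"] & FLAG_UV:
        errors.append("user verification was not performed")
    return errors

def build_auth_data(rp_id: str, flags: int) -> bytes:
    """Construct sample authenticator data for testing (constructed values only)."""
    cred_id = b"\x11" * 16  # constructed credential ID
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags | FLAG_AT])
            + struct.pack(">I", 0) + b"\x00" * 16  # zero signCount and AAGUID
            + struct.pack(">H", len(cred_id)) + cred_id)
```

A real deployment would additionally verify the attestation statement's signature and certificate chain against the Android or Apple roots before trusting the flags at all.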
Why This Matters for Enterprises
For organizations adopting passkeys for workforce authentication, it is critical to:
- Prevent credentials from being reused on unmanaged devices.
- Maintain control over identity assurance levels.
- Ensure that only verified, compliant devices are used for access.
Secfense enables this with minimal impact on existing infrastructure, though verifying credential integrity relies on integration with the Secfense Authenticator app and platform-specific attestation APIs. Mobile-Bound Passkeys from Secfense integrate seamlessly into existing identity flows while providing strong assurance and full policy enforcement.
Want to Learn More?
We’re happy to share more implementation details under NDA.
→ Contact a Secfense expert to discuss mobile-bound passkeys
→ Watch how BNP Paribas Bank rolled out passkeys at scale in just 3 months