macOS
(create and use passkeys from the local device): Supported
(create and use passkeys from another device): Supported
Overview
The platform authenticator in macOS Ventura (13) has the following capabilities:
- creating and using passkeys that are backed up to iCloud Keychain
- creating and using passkeys on/from another device, such as:
  - an iPhone or iPad signed in to a different iCloud account, using FIDO Cross-Device Authentication
  - an Android device, using FIDO Cross-Device Authentication
  - a FIDO2 security key [1]
[1] On macOS, user verification methods (device PIN, biometric, etc.) must already be configured on the security key prior to credential creation.
Platform Notes
Cross-Device Authentication
macOS does not currently support persistent linking of external authenticators for Cross-Device Authentication at the operating system level.
Persistent linking is available between Android devices (authenticator) and Chrome and Edge (clients) on macOS.
When an authenticator is not persistently linked, a QR code must be scanned on every use.
Legacy Credentials
WebAuthn credentials created using the platform authenticator in macOS Monterey (12) and earlier will not be converted to passkeys but will remain available for the lifetime of the device.
To replace a legacy platform credential with a passkey, start a credential registration ceremony and pass the same user handle (user.id) in the request. macOS will overwrite the legacy credential with a new passkey that will be backed up to iCloud Keychain.
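The replacement flow described above, as an added example that is not part of the original page: relying-party JavaScript that builds the registration options with the stored user handle, then checks the returned authenticator data flags before the legacy credential record is retired. The account record shape, its `legacy` marker and the function names are assumptions; the flag bit positions come from the WebAuthn specification.

```javascript
// Added example; the account shape and the `legacy` marker are assumptions.

// Registration options for replacing a legacy macOS platform credential.
// Reusing the stored user handle (user.id) is what makes macOS overwrite
// the old credential instead of adding a second one for the same account.
function buildUpgradeOptions(account, rp, challenge) {
  return {
    rp,
    challenge, // fresh random bytes generated by the server for this ceremony
    user: {
      id: account.userHandle, // same bytes as at the original registration
      name: account.username,
      displayName: account.displayName,
    },
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    authenticatorSelection: { residentKey: "required", userVerification: "required" },
    // An authenticator refuses to create a credential when one listed here is
    // already on it, so the legacy credential being replaced is left out.
    excludeCredentials: account.credentials
      .filter((c) => !c.legacy)
      .map((c) => ({ type: "public-key", id: c.id })),
  };
}

// authenticatorData: rpIdHash (32 bytes) | flags (1) | signCount (4) | ...
function parseFlags(authData) {
  if (authData.length < 37) throw new RangeError("authenticatorData too short");
  const f = authData[32];
  return {
    userPresent: (f & 0x01) !== 0,
    userVerified: (f & 0x04) !== 0,
    backupEligible: (f & 0x08) !== 0, // BE: credential can be synced
    backedUp: (f & 0x10) !== 0,       // BS: credential is currently backed up
    attestedData: (f & 0x40) !== 0,   // AT: new credential data is present
  };
}

// Retire the stored legacy credential only once the new one is a verified,
// backup-eligible passkey; a device-bound result leaves the old record alone.
function canRetireLegacy(authData) {
  const flags = parseFlags(authData);
  return flags.attestedData && flags.userVerified && flags.backupEligible;
}
```

In the browser, `user.id`, `challenge` and each credential `id` must be passed to `navigator.credentials.create()` as binary buffers, so a server that sends these options as JSON has to decode them on the client first.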
Browser Behavior
Edge: credentials created by Edge are currently device-bound passkeys, are not backed up to iCloud Keychain, and are not available outside of Edge.
Firefox: passkeys are not currently supported in Firefox on macOS. Device-bound passkeys on a FIDO2 security key are supported.
Resources
- Apple landing page for passkeys
- About the security of passkeys
- Supporting passkeys
- Supporting device-bound passkeys on security keys
- Sample Code
Last Updated: Oct 23, 2023