macOS
Resources for passkeys in Apple macOS
Local Authenticator
External Authenticator
The platform authenticator in macOS Ventura (13) has the following capabilities:
[1] On macOS, user verification methods (device PIN, biometric, etc.) must already be configured on the security key prior to credential creation.
macOS does not currently support persistent linking of external authenticators for Cross-Device Authentication at the operating system level.
Persistent linking is available between Android devices (authenticator) and Chrome and Edge (clients) on macOS.
When an authenticator is not persistently linked, a QR code must be scanned on every use.
WebAuthn credentials created using the platform authenticator in macOS Monterey (12) and earlier will not be converted to passkeys but will remain available for the lifetime of the device.
To replace a legacy platform credential with a passkey, start a credential registration ceremony and pass the same user handle (user.id) in the request. macOS will overwrite the legacy credential with a new passkey that will be backed up to iCloud Keychain.
Edge: credentials created by Edge are currently device-bound passkeys, are not backed up to iCloud Keychain, and are not available outside of Edge.
WKWebView is the embedded WebView (EWV) on macOS. Embedded WebViews allow the calling app full control over the embedded web session, including modifying and intercepting requests, so many web platform features are limited in these contexts.
WKWebView docs @ Apple Developer
NOTE:
Embedded WebViews run in the context of the calling app, meaning only passkeys for the linked web domain (RP ID) can be created or used for sign in.
Said differently, only use EWV when sign in is handled by your own service (non-federated). When supporting multiple identity providers, System WebView should be used (see below).
ASWebAuthenticationSession is the System WebView (SWV) on macOS for authentication flows. The user's default web browser will be invoked, allowing any supported Web Platform features, including WebAuthn, for the ASWebAuthenticationSession instance.
Sites loaded in ASWebAuthenticationSession are isolated from the calling app and run in the context of the top level site, just like in a full browser instance. This means that sign in flows on third party domains, such as a federated identity provider, can use passkeys for signing in.
On macOS, the user must set up a local system password. Enabling iCloud Keychain and setting up Touch ID are optional.
The UV flag when userVerification='required' is: true.
The UV flag when userVerification='preferred' is: false.
PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable() always returns true.

userVerification='required' asks the user to enter the local system password on both passkey creation and authentication. Since creation and authentication fail locally if Touch ID setup fails, the server can always expect the UV flag to be true.
userVerification='preferred' skips user verification on both passkey creation and authentication. The UV flag is always false.
PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable() always returns true.

The UV flag when userVerification='required' is: true; otherwise the operation fails locally.
The UV flag when userVerification='preferred' is: false.
PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable() always returns true.

userVerification='required' asks for the system password on both passkey creation and passkey authentication. Since creation and authentication fail locally if user verification fails, the server can always expect the UV flag to be true.
userVerification='preferred' skips user verification and returns the UV flag as false for both passkey creation and passkey authentication.
PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable() always returns true.
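The behaviors above mean a relying party must read the UV flag from the returned authenticator data rather than assume it: on macOS, userVerification='required' yields UV=true (or fails locally), while userVerification='preferred' yields UV=false. The following is an added server-side example (not code from the original page or from Apple) that parses the WebAuthn authenticator data flags and enforces the requested userVerification; the sample authenticator data is constructed inline, and the BE/BS bits are included because they distinguish a credential synced to iCloud Keychain from a device-bound one.

```javascript
// Authenticator data layout (WebAuthn): rpIdHash (32 bytes) | flags (1 byte) |
// signCount (4 bytes, big-endian) | optional attested credential data / extensions.
const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified
const FLAG_BE = 0x08; // backup eligible (e.g. a passkey synced to iCloud Keychain)
const FLAG_BS = 0x10; // backup state (credential is currently backed up)

// Parse the fixed 37-byte prefix of authenticator data (a Node Buffer).
function parseAuthenticatorData(authData) {
  if (authData.length < 37) throw new Error('authenticator data too short');
  const flags = authData[32];
  return {
    rpIdHash: Buffer.from(authData.subarray(0, 32)),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    backupEligible: (flags & FLAG_BE) !== 0,
    backedUp: (flags & FLAG_BS) !== 0,
    signCount: authData.readUInt32BE(33),
  };
}

// Decide whether the response satisfies the userVerification the RP asked for.
// 'required' must see UV=true; 'preferred' and 'discouraged' accept UV=false,
// which is what macOS returns for 'preferred', so callers must not assume UV.
function checkUserVerification(authData, requestedUV) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) {
    return { ok: false, reason: 'UP flag not set', ...parsed };
  }
  if (requestedUV === 'required' && !parsed.userVerified) {
    return { ok: false, reason: 'UV required but UV flag not set', ...parsed };
  }
  return { ok: true, reason: null, ...parsed };
}

// Constructed sample: 37 bytes with an all-zero rpIdHash, the given flags and counter.
function sampleAuthData(flags, counter = 0) {
  const buf = Buffer.alloc(37, 0);
  buf[32] = flags;
  buf.writeUInt32BE(counter, 33);
  return buf;
}
```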