macOS

Local Authenticator

(create and use passkeys from the local device)

Supported
External Authenticator

(create and use passkeys from another device)

Supported

Overview

The platform authenticator in macOS Ventura (13) has the following capabilities:

  • creating and using passkeys that are backed up to iCloud Keychain
  • creating and using passkeys on/from another device, such as:
    • an iPhone or iPad signed in to a different iCloud account
    • an Android device
    • a FIDO2 security key1

1 On macOS, user verification methods (device PIN, biometric, etc) must already be configured on the security key prior to credential creation

Platform Notes

Legacy Credentials

WebAuthn credentials created using the platform authenticator in macOS Monterey (12) and earlier will not be converted to passkeys but will remain available for the lifetime of the device.

To replace a legacy platform credential with a passkey, start a credential registration ceremony and pass the same user handle (user.id) in the request. macOS will overwrite the legacy credential with a new passkey that will be backed up to iCloud Keychain.

Browser Behavior

Safari: credentials created in Safari are passkeys, are backed up to iCloud Keychain, and are available in other apps and services.

Chrome: credentials created by Chrome are currently single-device passkeys, are not backed up to iCloud Keychain, and are not available outside of Chrome.

Edge: credentials created by Edge are currently single-device passkeys, are not backed up to iCloud Keychain, and are not available outside of Edge.

Firefox: passkeys are not currently supported in Firefox on macOS. Single-device passkeys on a FIDO2 security key are supported. User verification is not supported, though, which makes it impossible to implement WebAuthn-based passwordless authentication at this time.

Resources