Local Authenticator

(create and use passkeys from the local device)

External Authenticator

(create and use passkeys from another device)



The platform authenticator in macOS Ventura (13) has the following capabilities:

  • creating and using passkeys that are backed up to iCloud Keychain
  • creating and using passkeys on/from another device, such as:

1 On macOS, user verification methods (device PIN, biometric, etc.) must already be configured on the security key prior to credential creation.

Platform Notes

Cross-Device Authentication

macOS does not currently support persistent linking of external authenticators for Cross-Device Authentication at the operating system level.

Persistent linking is available between Android devices (authenticator) and Chrome and Edge (clients) on macOS.

When an authenticator is not persistently linked, a QR code must be scanned on every use.

Legacy Credentials

WebAuthn credentials created using the platform authenticator in macOS Monterey (12) and earlier will not be converted to passkeys but will remain available for the lifetime of the device.

To replace a legacy platform credential with a passkey, start a credential registration ceremony and pass the same user handle in the request. macOS will overwrite the legacy credential with a new passkey that will be backed up to iCloud Keychain.
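
The replacement flow described above, as an added server-side JavaScript example (not code from this page or from Apple): it builds registration options that reuse the stored user handle (`user.id` in WebAuthn), then reads the backup flags from the new credential's authenticator data before retiring the legacy credential. The account shape, the `example.com` relying party values and the function names are assumptions made for illustration, and the registration response is assumed to be fully verified before `finishUpgrade` is called.

```javascript
// Added example. Account shape, RP values and function names are illustrative assumptions.
// Binary fields are base64url strings, as in the JSON form of WebAuthn creation options.

function buildUpgradeOptions(account, legacyCredentialId, challenge) {
  return {
    rp: { id: "example.com", name: "Example" }, // placeholder relying party
    user: {
      id: account.userHandle, // the SAME user handle the legacy credential was created with
      name: account.username,
      displayName: account.displayName,
    },
    challenge, // fresh random value from the server's CSPRNG, single use
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    authenticatorSelection: {
      authenticatorAttachment: "platform",
      residentKey: "required",
      userVerification: "required",
    },
    // excludeCredentials makes an authenticator refuse registration when it already
    // holds a listed credential, so the credential being replaced is left out.
    excludeCredentials: account.credentials
      .filter((c) => c.id !== legacyCredentialId)
      .map((c) => ({ type: "public-key", id: c.id })),
  };
}

// Authenticator data: rpIdHash (32 bytes) | flags (1) | signCount (4) | ...
function backupState(authData) {
  if (authData.length < 37) throw new RangeError("authenticator data too short");
  const flags = authData[32];
  return {
    backupEligible: (flags & 0x08) !== 0, // BE: credential may be synced
    backedUp: (flags & 0x10) !== 0,       // BS: credential is currently backed up
  };
}

// Call only after the registration response has been fully verified.
function finishUpgrade(account, legacyCredentialId, newCredential) {
  const state = backupState(newCredential.authData);
  const credentials = account.credentials
    .filter((c) => c.id !== legacyCredentialId) // retire the overwritten legacy credential
    .concat({ id: newCredential.id, ...state });
  return { ...account, credentials };
}
```

Storing the backup flags with the new credential lets the relying party tell a synced passkey from a device-bound one when deciding whether other sign-in methods can be retired.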

Browser Behavior

Edge: credentials created by Edge are currently device-bound passkeys, are not backed up to iCloud Keychain, and are not available outside of Edge.

Firefox: passkeys are not currently supported in Firefox on macOS. Device-bound passkeys on a FIDO2 security key are supported.


Last Updated: Oct 23, 2023