9to5Mac Security Bite is exclusively brought to you by Mosyle, the only Apple Unified Platform. Making Apple devices work-ready and enterprise-safe is all we do. Our unique integrated approach to management and security combines state-of-the-art Apple-specific security solutions for fully automated Hardening & Compliance, Next Generation EDR, AI-powered Zero Trust, and exclusive Privilege Management with the most powerful and modern Apple MDM on the market. The result is a totally automated Apple Unified Platform currently trusted by over 45,000 organizations to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.


For years, bullish supporters have heralded passkeys as the future of sign-on, while traditional passwords are seen as the way of the past. It’s praised as a frictionless, far more secure alternative. But this week, I used normal passwords to authenticate more times than I can count.

Don’t get me wrong, the adoption of passkeys has been impressive. More on that soon. However, I can’t help but reflect on the current state of sign-on and how lesser is still largely dominant in the wake of far better technology.

A passkey is really two cryptographic keys. A private one that never leaves your device, and a public one that sits on the site you’re logging into. When you sign in, your device proves it holds the private key without ever sending anything a man-in-the-middle (cybercriminal) could grab, which is why passkeys can’t be phished the way a typed password can.

The best way I can explain it: passwords are something you know; passkeys are something you have (on a device) or something you are (biometric ID).

On your Apple devices, Face ID or Touch ID does the verifying and your private key sits in the Secure Enclave. If you used multiple devices, iCloud Keychain will securely sync the private keys across iPhone, iPad, and Mac, within their respective Secure Enclave-protected boundaries.

More than 15 billion accounts can now sign in with a passkey, according to the FIDO Alliance, and Google says its own passkeys have authenticated users over a billion times across more than 400 million accounts. At WWDC 2025, Apple rolled out a new account creation tool that lets apps sign you up with a passkey from the start, so no password is ever required. Microsoft went a step further and made new accounts passwordless by default.

However, there is still significant resistance among companies to adopting passkeys. A new website was even spun up recently that shames popular websites that still don’t offer passkeys to users. Some names on the list are shocking: Instagram, Spotify, Netflix.

The resistance to adoption comes down largely to recovery.

FIDO2, the standard passkey protocol, has no built-in recovery flow. If you were to lose every device that holds your passkeys, your fallback is, well, an email reset link. The exact weak-point passkeys were meant to be rendered obsolete. That’s why SaaS companies and other websites keep the old password field on the login screen as a backup.

Portability is another problem, but it’s getting addressed fast.

Since passkeys live in iCloud Keychain, Google Password Manager, different browsers, etc, those vaults don’t communicate and thus can’t hand credentials to each other. But that’s slowly changing. Apple added cross-platform passkey import and export with iOS 26. The announcement was a notable change in tone, given how tightly integrated Apple’s Keychain ecosystem was.

Until the Credential Exchange Protocol behind it works cleanly across every platform, switching ecosystems can turn passwordless into lock-in.

Native support for passkey import and export on iPhone

TL;DR

The cryptography itself is sound and extraordinarily more phishing-resistant. It’s not a technical end-all. The problem with passkeys is more operational. Recovery needs to be reliable, portability has to be seamless, and websites have to actually remove the password field before the password era ends for good.

Apple’s ahead of most, with the smoothest ecosystem experience (no surprise there) and shipped export support before Google. But until the above gaps close, I don’t think those sign-in boxes are going anywhere anytime soon.

Passkeys will be the future of authentication…eventually.


Security Bite is 9to5Mac’s weekly deep dive into the world of Apple security. Each week, Arin Waichulis unpacks new threats, privacy concerns, vulnerabilities, and more, shaping an ecosystem of over 2 billion devices.

Follow Arin: Twitter/X, LinkedIn, Threads

FTC: We use income earning auto affiliate links. More.