9to5Mac Security Bite is exclusively brought to you by Mosyle, the only Apple Unified Platform. Making Apple devices work-ready and enterprise-safe is all we do. Our unique integrated approach to management and security combines state-of-the-art Apple-specific security solutions for fully automated Hardening & Compliance, Next Generation EDR, AI-powered Zero Trust, and exclusive Privilege Management with the most powerful and modern Apple MDM on the market. The result is a totally automated Apple Unified Platform currently trusted by over 45,000 organizations to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.
For years, bullish supporters have heralded passkeys as the future of sign-on, while traditional passwords are seen as the way of the past. It’s praised as a frictionless, far more secure alternative. But this week, I used normal passwords to authenticate more times than I can count.
Don’t get me wrong, the adoption of passkeys has been impressive. More on that soon. However, I can’t help but reflect on the current state of sign-on and how lesser is still largely dominant in the wake of far better technology.
A passkey is really two cryptographic keys. A private one that never leaves your device, and a public one that sits on the site you’re logging into. When you sign in, your device proves it holds the private key without ever sending anything a man-in-the-middle (cybercriminal) could grab, which is why passkeys can’t be phished the way a typed password can.
The best way I can explain it: passwords are something you know; passkeys are something you have (on a device) or something you are (biometric ID).
On your Apple devices, Face ID or Touch ID does the verifying and your private key sits in the Secure Enclave. If you used multiple devices, iCloud Keychain will securely sync the private keys across iPhone, iPad, and Mac, within their respective Secure Enclave-protected boundaries.
More than 15 billion accounts can now sign in with a passkey, , and its own passkeys have authenticated users over a billion times across more than 400 million accounts. At WWDC 2025, Apple rolled out a new account creation tool that lets apps sign you up with a passkey from the start, so no password is ever required. Microsoft went a step further and made new accounts passwordless by default.
However, there is still significant resistance among companies to adopting passkeys. A new website was even spun up recently that shames popular websites that still don’t offer passkeys to users. Some names on the list are shocking: Instagram, Spotify, Netflix.
The resistance to adoption comes down largely to recovery.
FIDO2, the standard passkey protocol, has no built-in recovery flow. If you were to lose every device that holds your passkeys, your fallback is, well, an email reset link. The exact weak-point passkeys were meant to be rendered obsolete. That’s why SaaS companies and other websites keep the old password field on the login screen as a backup.
... continue reading