Security Bite: Passkeys were supposed to have killed the password by now…

9to5Mac Security Bite is exclusively brought to you by Mosyle, the only Apple Unified Platform. Making Apple devices work-ready and enterprise-safe is all we do. Our unique integrated approach to management and security combines state-of-the-art Apple-specific security solutions for fully automated Hardening & Compliance, Next Generation EDR, AI-powered Zero Trust, and exclusive Privilege Management with the most powerful and modern Apple MDM on the market. The result is a totally automated Apple Unified Platform currently trusted by over 45,000 organizations to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.
For years, bullish supporters herald passkeys the future of sign-on and traditional passwords as the way of the past. It’s praised as a frictionless, far more secure alternative. But this week, I used normal passwords to authenticate more times than I can count.
Don’t get me wrong, the adoption of passkeys has been impressive. More on that soon. However, I can’t help but reflect on the current state of sign-on and how lesser is still largely dominant in the wake of far better technology.
A passkey is really two cryptographic keys. A private one that never leaves your device, and a public one that sits on the site you’re logging into. When you sign in, your device proves it holds the private key without ever sending anything a man-in-the-middle (cybercriminal) could grab, which is why passkeys can’t be phished the way a typed password can.
The best way I can explain it: passwords are something you know, passkeys are something you have (device) or something you are (biometric ID).
On your Apple devices, Face ID or Touch ID does the verifying and yout private key sits in the Secure Enclave. If you used multiple devices, iCloud Keychain will securing sync the private keys across iPhone, iPad, and Mac, in their respective Secure Enclave hardware protected boundaries.
More than 15 billion accounts can now sign in with a passkey, according to the FIDO Alliance, and Google says its own passkeys have authenticated users over a billion times across more than 400 million accounts. At WWDC 2025, Apple rolled out a new account creation tool that lets apps sign you up with a passkey from the start, so no password ever. Microsoft went a step further and made new accounts passwordless by default.
However, there is still much resistence from companies adopting passkeys. A new website was even spun up recently that shames popular websites that still don’t offer passkeys to users. Some names on the list are shocking: Instagram, Spotify, Netflix.
The resistance in adoption comes down largely to recovery.
FIDO2, the standard passkeys run on, has no built-in recovery flow. If you were to lose every device that holds your passkeys, you’re fall back is, well, an email reset link. The exact weak point passkeys were meant to render obsolete. That’s why SaaS companies and other websites keep the old password field on the login screen as a backup.
Portability is another problem, but it’s getting address fast.
Since passkeys live in iCloud Keychain, Google Password Manager, different browsers, etc, those vaults don’t communiate and thus can’t hand credentials to each other. But that’s slowly changing. Apple added cross-platform passkey import and export with iOS 26. The annoucement was a notable change in tone given how tightly integrated Apple’s Keychain ecosystem was.
Until the Credential Exchange Protocol behind it works cleanly across every platform, switching ecosystems can turn passwordless into lock-in.

TL;DR
The cryptography itself is sound and extrodinarly more phishing-resistant. It’s not a technical end all. The problem with passkeys is more operational. Recovery needs to be reliable, portability has to be seamless, and websites have to actually remove the password field before the password era ends for good.
Apple’s ahead of most, with the smoothest ecosystem experience (no surprise there) and shipped export support before Google. But until above gaps close, I don’t think those sign-in boxes are going anywhere anything soon.
Passkeys will be the future of authentication…eventually.
Security Bite is 9to5Mac’s weekly deep dive into the world of Apple security. Each week, Arin Waichulis unpacks new threats, privacy concerns, vulnerabilities, and more, shaping an ecosystem of over 2 billion devices.
Follow Arin: Twitter/X, LinkedIn, Threads
FTC: We use income earning auto affiliate links. More.


