Passkeys for Business: Ditching Passwords on Mac, iPhone, and iPad
Passkeys are replacing passwords across the Apple ecosystem. Here's what UK businesses need to know about deploying them on Mac, iPhone, and iPad in 2026.
Dustin Rhodes
Stabilise

Passwords are still the way most breaches happen. The 2025 Verizon Data Breach Investigations Report looked at 22,052 incidents and found that 88% of breaches involved stolen credentials. Phishing, reuse, weak passwords, leaked passwords: it's the same story every year.
Passkeys fix this. Not partially, not with caveats. They cannot be phished, cannot be reused across sites, and there's nothing to type into a fake login page. When Google rolled them out internally for staff, successful phishing attacks against employee accounts dropped to zero.
If you run an Apple-first business, you're in a good spot. Apple has built passkeys into iCloud Keychain across Mac, iPhone, iPad, and Vision Pro. The hardware (Touch ID, Face ID, Secure Enclave) is already there. The pieces line up better here than on most platforms.
Here's what passkeys are, how they work on Apple devices, and how to roll them out for your team.
What a Passkey Actually Is
A passkey is a cryptographic key pair: a public half and a private half. The public half goes to the website. The private half stays on your device, locked behind your biometrics. When you sign in, the website sends a challenge, your device signs it with the private key, and the website checks the signature against the public key it stored. If it matches, you're in. No shared secret. Nothing to phish. Nothing to leak in a database.
That's the whole trick. Behind it is the FIDO2/WebAuthn standard, which is what Apple, Google, Microsoft, and the FIDO Alliance have all agreed on.
For your team, it looks like this: they go to a website, the website asks them to sign in, their Mac or iPhone prompts for Touch ID or Face ID, and they're logged in. Faster than typing a password. Faster than copying one from a password manager. The FIDO Alliance's 2025 Passkey Index measured average sign-in time at 13.6 seconds with passkeys, compared to 27.5 seconds with passwords.
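The challenge-and-signature exchange described above, seen from the website's side, as an added example that is not code from this article or from any vendor it mentions. It is simplified to the WebAuthn checks that make a passkey unphishable (origin, challenge, RP ID hash, signature) and leaves out key parsing and sign-counter handling. The domain names, `signAssertion`, `verifyAssertion` and `demo` are assumptions made for the illustration.

```javascript
// Added example: relying-party checks on a WebAuthn sign-in (simplified).
const crypto = require("node:crypto");

const RP_ID = "login.example.test";            // assumed relying party ID
const ORIGIN = "https://login.example.test";   // assumed legitimate origin
const sha256 = (d) => crypto.createHash("sha256").update(d).digest();

// Registration: the device keeps privateKey, the website stores publicKey.
const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });

// Stand-in for device plus browser. The browser, not the page, writes the
// origin into clientDataJSON, so a look-alike site cannot choose its value.
function signAssertion(challenge, browserOrigin) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get", challenge: challenge.toString("base64url"), origin: browserOrigin }));
  // authenticatorData: rpIdHash (32 bytes) | flags (0x05 = UP|UV) | signCount (4 bytes)
  const authenticatorData = Buffer.concat([sha256(RP_ID), Buffer.from([0x05, 0, 0, 0, 1])]);
  const signature = crypto.sign("sha256",
    Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Server side: returns "ok" or the reason the assertion was rejected.
function verifyAssertion(a, expectedChallenge, storedPublicKey) {
  const client = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong type";
  if (client.challenge !== expectedChallenge.toString("base64url")) return "challenge mismatch";
  if (client.origin !== ORIGIN) return "origin mismatch";
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return "rpId mismatch";
  if ((a.authenticatorData[32] & 0x01) === 0) return "user not present";
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return crypto.verify("sha256", signed, storedPublicKey, a.signature) ? "ok" : "bad signature";
}

// Constructed cases: a normal sign-in and three ways an assertion is rejected.
function demo() {
  const c1 = crypto.randomBytes(32), c2 = crypto.randomBytes(32);
  const good = signAssertion(c1, ORIGIN);
  const relayed = signAssertion(c1, "https://login.example-test.invalid"); // look-alike origin
  const edited = { ...relayed, clientDataJSON: Buffer.from(
    relayed.clientDataJSON.toString().replace("https://login.example-test.invalid", ORIGIN)) };
  return {
    legitimate: verifyAssertion(good, c1, publicKey),      // "ok"
    lookAlike: verifyAssertion(relayed, c1, publicKey),    // "origin mismatch"
    editedOrigin: verifyAssertion(edited, c1, publicKey),  // "bad signature"
    replayed: verifyAssertion(good, c2, publicKey),        // "challenge mismatch"
  };
}
console.log(demo());
```

In a real browser the passkey would not even be offered on the look-alike domain, because the credential is scoped to the RP ID; the server-side checks shown here are the second layer behind that.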
How Passkeys Work on Apple Devices
When someone creates a passkey on a Mac, iPhone, or iPad signed into iCloud, the passkey gets saved into iCloud Keychain. From there it syncs to every Apple device on the same Apple Account, end-to-end encrypted.
So one of your designers can create a passkey for Figma on their iMac, walk to a meeting, and sign in on their iPad with Face ID. Nothing was typed. Nothing was sent over the wire. The passkey was already there.
A few things to know:
- Touch ID, Face ID, or device passcode authorises every use of the passkey. No biometric, no sign-in.
- The private key never leaves the Secure Enclave in usable form. Apple cannot read it. Neither can you.
- Passkeys can be shared with people you trust through Apple's Shared Groups, which is useful for shared accounts that don't support proper team management.
- iOS 26 and macOS Tahoe 26 added credential portability, so passkeys can move between password managers (Apple Passwords, 1Password, Bitwarden) without re-enrolling on each site. This uses the FIDO Alliance's standardised schema, finally fixing the lock-in problem.
If your business uses Managed Apple Accounts through Apple Business Manager, passkeys created in that environment go into the Managed Apple Account's iCloud Keychain. Admins control whether those passkeys can sync to personal devices or stay locked to managed hardware.
Why This Matters for Your Business
Three reasons, in order of how much your finance team will care:
1. Breaches stop happening from credential theft
The 2025 DBIR found credential stuffing made up 44% of authentication traffic on peak attack days. That's automated attacks trying leaked passwords against every login form on the internet. If your team uses passkeys, those attacks fail. There's no password to stuff.
2. Helpdesk costs drop
Password resets are one of the top tickets for any IT team. The HID/FIDO Alliance 2025 State of Authentication survey reported that organisations deploying passkeys saw password reset tickets fall by 60 to 80 percent. If you outsource IT to a provider like us, that's billable work that goes away. If you have an internal IT person, that's hours back in their week.
3. Compliance gets easier
This one matters for regulated industries:
- NIST SP 800-63-4, finalised in July 2025, classifies synced passkeys as Authenticator Assurance Level 2 (AAL2) compliant.
- PCI DSS 4.0, with enforcement deadlines through 2026, requires phishing-resistant MFA for anyone touching cardholder data. FIDO2 passkeys are explicitly cited as a qualifying mechanism.
- Cyber Essentials Plus auditors increasingly accept passkeys as a stronger control than password + SMS. Our Cyber Essentials Plus clients have started rolling them out specifically to make next year's audit easier.
The HID/FIDO data shows 87% of enterprises are now actively deploying or piloting passkeys, up from 53% just two years ago. This isn't experimental any more.
Where Passkeys Work Today
Before you roll them out, check the services your business runs on. Coverage in 2026 is good but not universal.
Strong support:
- Microsoft 365 / Entra ID: passkey profiles went generally available in March 2026. Admins can set different policies for admin and standard users.
- Google Workspace: full support, users can skip passwords entirely.
- Apple ID / Managed Apple Accounts: native, end-to-end.
- Amazon, eBay, PayPal, Best Buy: major retail platforms, fine for company purchasing accounts.
- GitHub, GitLab: useful for any team with developers.
- 1Password, Bitwarden, Dashlane: store passkeys and act as a passkey provider.
Sign in via SSO instead:
- Slack: no native passkey support, sign in via Google or Microsoft and let the IdP handle the passkey.
- Most SaaS tools: push them through SSO and you get passkey support for free.
Still passwords for now:
- A long tail of older business tools, especially anything legacy or built before 2023. For these, keep using a proper password manager with strong unique passwords. Passkeys aren't all-or-nothing.
Deploying Passkeys Across Your Apple Fleet
Here's the order we use when rolling passkeys out for clients:
Step 1: Get your high-value accounts on passkeys first
Start with the accounts where a breach hurts the most. That usually means:
- Your IdP (Microsoft Entra or Google Workspace)
- Your MDM admin account (Jamf, Kandji, Intune)
- Your finance and banking logins
- Your domain registrar
- 1Password or Bitwarden (the master account)
Do these for every admin first, before you touch the wider team. If you only convert ten accounts this year, these are the ten.
Step 2: Set up Managed Apple Accounts properly
If you're not already using Apple Business Manager with Managed Apple Accounts, set that up before rolling passkeys out at scale. It gives you:
- A federated sign-in flow tied to your IdP
- Control over which devices can sync passkeys
- The ability to revoke access when someone leaves
- Audit trails for compliance
We cover the broader setup in our piece on zero-touch device deployment, and Apple Business Manager is the foundation for both.
Step 3: Use declarative device management for high-assurance scenarios
For admin accounts or anything touching regulated data, plain synced passkeys may not be enough. Apple supports an enterprise passkey attestation configuration through declarative device management. The device generates a passkey and attests, using a provisioned identity certificate, that the passkey was created on a managed device.
This means a phisher who somehow tricks an admin into creating a passkey on a personal device won't be able to sign in. The relying party can verify, cryptographically, that the passkey came from your organisation's managed hardware.
If you don't have an MDM that supports declarative device management, this is one of the strongest reasons to upgrade.
Step 4: Train the team, but keep it short
Most people don't need a session. They need a one-page email that says: "From Monday, Microsoft 365 will ask you to set up a passkey. Tap yes, use Face ID, you're done."
The interactions are intuitive. Where you do need to spend time is on the edge cases:
- What happens when someone gets a new iPhone (passkeys sync via iCloud Keychain, nothing to do)
- What happens when someone leaves the company (revoke passkeys via Entra/Google admin, just like any other credential)
- What happens if someone loses all their devices at once (account recovery flow, which is why your IdP setup matters)
Step 5: Keep your password manager
Passkeys don't replace 1Password or Bitwarden. They sit alongside. You'll still have passwords for the long tail of tools that haven't caught up. You'll still have secure notes, software licences, recovery codes. The password manager is also a backup passkey provider if you don't want everything tied to iCloud Keychain.
We wrote about how Apple Passwords compares to 1Password for businesses and the answer hasn't changed: for individual users, Apple Passwords is fine. For businesses, you want a proper team password manager. Passkeys make this more true, not less, because the password manager is now your shared passkey vault for the things iCloud Keychain can't cover.
What We're Recommending Right Now
If you run an Apple-first business in the UK and you haven't started on passkeys, here's the short version:
- Turn on passkeys for your admin accounts this week.
- Get Managed Apple Accounts set up if you haven't.
- Push passkeys for Microsoft 365 or Google Workspace to your team within the next quarter.
- Move higher-risk roles (finance, exec, IT admin) onto attested passkeys via your MDM.
- Keep your password manager. Passkeys don't replace it.
Passwords are not going to vanish overnight. But the shift is happening fast, and the businesses that move now will save themselves the helpdesk overhead, the breach risk, and the compliance scramble that everyone else will hit in 12 to 18 months.
If you'd like help with any of this, we've rolled out passkeys across Mac, iPhone, and iPad fleets for clients in finance, film, and creative agencies. Get in touch and we'll work out the right path for your team.
Sources
- Verizon, 2025 Data Breach Investigations Report
- FIDO Alliance, Passkey Index 2025
- HID Global / FIDO Alliance, 2025 State of Authentication
- NIST SP 800-63-4, finalised July 2025
- Apple, Deploy passkeys at work (WWDC23)
- Apple, Passkey attestation declarative configuration
- Apple, What's new in passkeys (WWDC25)


